Is WordPress affected by EUVD-2026-12841?

A stored cross-site scripting vulnerability in the Post SMTP WordPress plugin allows unauthenticated attackers to inject malicious scripts into affected websites.

EUVD-2026-12841

| CVE-2026-3090 HIGH

2026-03-18 Wordfence

7.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 18, 2026 - 15:45 vuln.today

EUVD ID Assigned

Mar 18, 2026 - 15:45 euvd

EUVD-2026-12841

CVE Published

Mar 18, 2026 - 15:28 nvd

HIGH 7.2

Description

The Post SMTP - Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘event_type’ parameter in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when the Post SMTP Pro plugin is also installed and its Reporting and Tracking extension is enabled.

Analysis

A stored cross-site scripting (XSS) vulnerability exists in the Post SMTP WordPress plugin through version 3.8.0, allowing unauthenticated attackers to inject malicious scripts via the 'event_type' parameter. The vulnerability requires the Post SMTP Pro plugin with its Reporting and Tracking extension to be enabled for exploitation. …

Remediation

Within 24 hours: audit all WordPress installations for Post SMTP plugin presence and Pro version status; document affected sites and take inventory of exposed data. Within 7 days: implement WAF rules blocking malicious payloads to the 'event_type' parameter; disable Post SMTP Reporting and Tracking extension on all affected sites if operationally feasible. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +36

POC: 0

EUVD-2026-12841 vulnerability details – vuln.today

Back

EUVD-2026-12841

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-12841

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code