POST SMTP Mailer < 2.7.1 – Unauthenticated Cross-site Scripting | CVE 2023-5958 | Plugin Vulnerabilities

Description

The plugin does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users.

Proof of Concept

1. Install Post SMTP in version <= 2.7.0 and configure it.
2. Send email using any contact form which uses 'wp_mail' function. Include the following payload in the message:

<img src=x onerror=alert(document.domain)>

3. Visit /wp-admin/admin.php?page=postman_email_log (Post SMTP -> Email Log)
4. Click 'View' next to the first record.
5. The message is shown and JavaScript code is executed.

Affects Plugins

Fixed in 2.7.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Marcin Węgłowski (AFINE Team)

Submitter

Marcin Węgłowski (AFINE Team)

Submitter website

https://afine.com

Submitter twitter

Verified

Yes

WPVDB ID

22fa478d-e42e-488d-9b4b-a8720dec7cee

Timeline

Publicly Published

2023-11-06 (about 2 years ago)

Added

2023-11-06 (about 2 years ago)

Last Updated

2023-11-06 (about 2 years ago)

Other

Published

Title

Published

2022-09-01

Title

Easy Org Chart <= 3.1 - Contributor+ Stored Cross-Site Scripting

Published

2022-01-19

Title

WOOCS < 1.3.7.5 - Reflected Cross-Site Scripting

Published

2024-08-16

Title

e2pdf < 1.25.11 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-11-26

Title

SortTable Post <= 4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2017-05-31

Title

WP No External Links <= 3.5.18 – Authenticated Cross-Site Scripting (XSS)