WordPress Plugin Vulnerabilities

Postman SMTP Mailer/Email Log - Cross-Site Scripting (XSS)

Description

The postman-smtp WordPress plugin was affected by a Cross-Site Scripting (XSS) security vulnerability.

Affects Plugins

Plugin icon
postman-smtp
No known fix

References

CVE
CVE-2017-18603
URL
https://wordpress.org/support/topic/postman-smtp-maileremail-log-is-prone-to-a-cross-site-scripting-vulnerability/
URL
https://www.wordfence.com/blog/2017/10/postman-smtp-plugin-unpatched-vulnerability-removed-directory/
URL
https://www.pluginvulnerabilities.com/2017/06/29/reflected-cross-site-scripting-xss-vulnerability-in-postman-smtp/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
697f4979-a702-457c-a0b4-4a210db42d73

Timeline

Publicly Published
2017-06-29 (about 8 years ago)
Added
2017-10-09 (about 8 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2025-09-26
Title
User Notes < 1.0.3 - Admin+ Stored XSS
Published
2025-07-15
Title
WP Event Manager < 3.1.51 - Unauthenticated Stored Cross-Site Scripting via 'organizer_name'
Published
2024-10-09
Title
Featured Posts with Multiple Custom Groups (FPMCG) <= 4.0 - Reflected Cross-Site Scripting
Published
2024-05-17
Title
WP Stacker <= 1.8.5 - Stored XSS via CSRF
Published
2025-12-26
Title
Advanced Custom CSS <= 1.1.0 - Reflected Cross-Site Scripting