
CVE-2025-22800 – WordPress Post SMTP plugin <= 2.9.11 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-22800
07 Jan 2025 — Missing Authorization vulnerability in Post SMTP Post SMTP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post SMTP: from n/a through 2.9.11. The Post SMTP plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the regenerate_qrcode() function in versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to generate QR codes. • https://patchstack.com/database/wordpress/plugin/post-smtp/vulnerability/wordpress-post-smtp-plugin-2-9-11-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization

CVE-2024-52436 – WordPress Post SMTP plugin <= 2.9.9 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-52436
15 Nov 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Post SMTP allows Blind SQL Injection. This issue affects Post SMTP: from n/a through 2.9.9. The Post SMTP plugin for WordPress is vulnerable to SQL Injection in versions up to, and including,... • https://patchstack.com/database/vulnerability/post-smtp/wordpress-post-smtp-plugin-2-9-9-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2023-6621 – Post SMTP < 2.8.7 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-6621
03 Jan 2024 — The POST SMTP WordPress plugin before 2.8.7 does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. • https://wpscan.com/vulnerability/b49ca336-5bc2-4d72-a9a5-b8c020057928 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-7027 – POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 - Unauthenticated Stored Cross-Site Scripting via device
https://notcve.org/view.php?id=CVE-2023-7027
02 Jan 2024 — The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. POST SMTP Mailer – Email log, Delivery Failure Notifications and ... • https://packetstorm.news/files/id/176525 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-6629 – POST SMTP Mailer <= 2.8.6 - Reflected Cross-Site Scripting via msg
https://notcve.org/view.php?id=CVE-2023-6629
02 Jan 2024 — The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. POST SMTP Mailer –... • https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L396 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-3178 – POST SMTP Mailer < 2.5.7 - Arbitrary Log Deletion via CSRF
https://notcve.org/view.php?id=CVE-2023-3178
26 Jun 2023 — The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the manage_postman_smtp capability delete arbitrary logs via a CSRF attack. • https://wpscan.com/vulnerability/5341cb5d-d204-49e1-b013-f8959461995f • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2022-2352 – Post SMTP < 2.1.7 - Admin+ Blind SSRF
https://notcve.org/view.php?id=CVE-2022-2352
05 Sep 2022 — The Post SMTP Mailer/Email Log WordPress plugin before 2.1.7 does not have proper authorisation in some AJAX actions, which could allow high privilege users such as admin to perform blind SSRF on multisite installations for example. • https://wpscan.com/vulnerability/dc99ac40-646a-4f8e-b2b9-dc55d6d4c55c • CWE-918: Server-Side Request Forgery (SSRF)

CVE-2022-2351 – Post SMTP < 2.1.4 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2351
18 Aug 2022 — The Post SMTP Mailer/Email Log WordPress plugin before 2.1.4 does not escape some of its settings before outputting them in the admin dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed. • https://wpscan.com/vulnerability/f3fda033-58f5-446d-ade4-2336a39bfb87 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')