PatchSiren cyber security CVE debrief
CVE-2026-48838 WPExperts CVE debrief
CVE-2026-48838 is a high-severity Unauthenticated Cross Site Scripting (XSS) vulnerability in the Post SMTP plugin versions <= 3.6.2. The vulnerability has a CVSS score of 7.1 and was published on [cvePublishedAt](https://www.cve.org/CVERecord?id=CVE-2026-48838).
- Vendor
- WPExperts
- Product
- Post SMTP
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of Post SMTP plugin versions <= 3.6.2 should be aware of this vulnerability and take necessary actions to mitigate it.
Technical summary
The vulnerability is caused by an unauthenticated Cross Site Scripting (XSS) issue in the Post SMTP plugin. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.
Defensive priority
high
Recommended defensive actions
- Update Post SMTP plugin to a version greater than 3.6.2.
- Refer to [ref-4](https://patchstack.com/database/wordpress/plugin/post-smtp/vulnerability/wordpress-post-smtp-plugin-3-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve) for mitigation or vendor reference.
Evidence notes
The vulnerability was reported by [email protected] and has a CWE-79 weakness.
Official resources
-
CVE-2026-48838 CVE record
CVE.org
-
CVE-2026-48838 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-48838 was published on 2026-06-15T21:17:16.090Z and modified on 2026-06-15T21:24:32.790Z.