CVE-2026-48838: WordPress Post SMTP plugin <= 3.6.2 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Post SMTP <= 3.6.2 versions.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: — (no fixed version published yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
Reflected or stored cross-site scripting (XSS) affects the Post SMTP WordPress plugin by WPExperts at versions 3.6.2 and below. The vulnerability is reachable over the network without any account or login, but requires a victim to interact with a crafted link or page. Successful exploitation allows an attacker to inject and execute arbitrary JavaScript in the victim's browser, enabling session theft, page content manipulation, and redirection. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
- Detection: Available. Detection for CVE-2026-48838 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built images that bundle the Post SMTP plugin. Any image running Post SMTP at or below version 3.6.2 is flagged automatically.
- Triage: Available. HarborGuard is capable of scoring this CVE at CVSS 7.1 (High, v3.1) and weighting it against each customer environment's compliance policy to determine priority. Triage results are routable to the appropriate team inbox within each customer organization based on configured ownership rules.
- Remediation: Pending upstream. Because no fix version has been published upstream, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment WPExperts ships a remediated release. For customers who opt into auto-remediation, a rebuilt image, regression-test run, and a PR opened against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Required
The attacker must reach the affected WordPress instance over the network; no local or physical access is needed.
- Authentication: Not required
No account or login is needed; the vulnerability is exploitable by any unauthenticated user.
- Victim interaction: Required
A victim must take an action such as clicking a crafted link or visiting a malicious page for the injected script to execute in their browser.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup beyond delivering the payload to a victim.
Blast Radius
- Attacker executes arbitrary JavaScript in the authenticated victim's browser session, enabling theft of session cookies or authentication tokens.
- Attacker can modify the visible content of the WordPress admin or front-end page the victim is viewing, facilitating phishing or credential harvesting.
- Attacker can redirect the victim's browser to an external site of the attacker's choosing.
- Because the CVSS vector carries Scope: Changed (S:C), impact extends beyond the plugin itself and can affect other components of the WordPress environment loaded in the same browser context.
How HarborGuard Handles This
Available on HarborGuard: any image containing Post SMTP at or below version 3.6.2 is flagged as soon as the CVE appears in ingested feeds, with no manual scan trigger required. Because no upstream fix exists today, HarborGuard monitors the Patchstack advisory each ingest cycle; the moment WPExperts publishes a patched release, a rebuilt image at that version becomes available and, for customers with auto-remediation enabled, a regression-test run and a PR against affected workloads are opened automatically. In the interim, compensating controls worth considering include network-policy rules that restrict unauthenticated external access to the WordPress instance, web application firewall rules targeting reflected XSS payloads in query parameters and POST bodies, and feature-flag or plugin-management controls that disable Post SMTP until a patch is available where operational requirements permit.
- WPExperts / Post SMTP: ≤ 3.6.2
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L