WP Clinic
Log in Sign up

PLUGIN SECURITY

Is Post Smtp safe?

Known vulnerabilities, PHP compatibility and safer alternatives for the Post Smtp WordPress plugin — checked against WP Clinic's local security database.

Plugin details

  • Slug: post-smtp
  • Requires PHP: 7.0+
  • Max supported PHP (analyzed): 8.4

Known vulnerabilities

  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.0.21 [WordPress Post SMTP Mailer/Email Log plugin <= 2.0.20 - Cross-Site Request Forgery (CSRF) nonce validation vulnerability]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.1.4 [CVE-2022-2351, Post SMTP Mailer/Email Log <= 2.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting, Post SMTP &lt; 2.1.4 - Admin+ Stored Cross-Site Scripting]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.1.7 [CVE-2022-2352, WordPress Post SMTP Mailer/Email Log plugin <= 2.1.6 - Authenticated Blind Server-Side Request Forgery (SSRF) vulnerability, Post SMTP <= 2.1.6 - Authenticated (Administrator+) Blind Server-Side Request Forgery, Post SMTP &lt; 2.1.7 - Admin+ Blind SSRF]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.0.21 [Various Affected Software (Various Versions) - Cross-Site Request Forgery Bypass]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.0.21 [CVE-2021-4342]
+ 30 more known vulnerabilities
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.5.7 [CVE-2023-3178, WordPress Post SMTP Mailer/Email Log Plugin < 2.5.7 is vulnerable to Cross Site Request Forgery (CSRF), POST SMTP Mailer <= 2.5.6 - Cross-Site Request Forgery to Arbitrary Log Deletion, POST SMTP Mailer &lt; 2.5.7 - Arbitrary Log Deletion via CSRF]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.5.7 [CVE-2023-3179, WordPress Post SMTP Mailer/Email Log Plugin < 2.5.7 is vulnerable to Cross Site Request Forgery (CSRF), POST SMTP Mailer <= 2.5.6 - Cross-Site Request Forgery to Account Compromise, POST SMTP Mailer &lt; 2.5.7 - Account Takeover via CSRF]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.0.21 [CVE-2021-4422, POST SMTP Mailer <= 2.0.20 - Cross-Site Request Forgery Bypass, Post SMTP Mailer/Email Log &lt; 2.0.21 - CSRF Nonce Bypass]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.5.8 [CVE-2023-3082, Post SMTP <= 2.5.7 - Unauthenticated Stored Cross-Site Scripting via Email, WordPress Post SMTP Mailer/Email Log Plugin <= 2.5.7 is vulnerable to Cross Site Scripting (XSS), Post SMTP &lt; 2.5.8 - Unauthenticated Stored Cross-Site Scripting via Email Contents]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.5.8 [CVE-2023-33999, WordPress Post SMTP Mailer/Email Log Plugin < 2.5.8 is vulnerable to Cross Site Scripting (XSS), Freemius SDK &lt; 2.5.10 - Reflected Cross-Site Scripting]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.6.1 [Post SMTP <= 2.6.0 - Authenticated (Administrator+) SQL Injection]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.6.1 [WordPress Post SMTP Mailer/Email Log Plugin < 2.6.1 is vulnerable to SQL Injection]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.7.1 [CVE-2023-5958, POST SMTP Mailer <= 2.7.0 - Unauthenticated Stored Cross-Site Scripting, POST SMTP Mailer &lt; 2.7.1 - Unauthenticated Cross-site Scripting]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.8.7 [CVE-2023-6629, POST SMTP Mailer <= 2.8.6 - Reflected Cross-Site Scripting via msg, WordPress Post SMTP Mailer/Email Log Plugin <= 2.8.6 is vulnerable to Cross Site Scripting (XSS)]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.8.8 [CVE-2023-7027, POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 - Unauthenticated Stored Cross-Site Scripting via device, WordPress Post SMTP Mailer/Email Log Plugin <= 2.8.7 is vulnerable to Cross Site Scripting (XSS), POST SMTP Mailer &lt; 2.8.8 - Unauthenticated Stored Cross-Site Scripting via device]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.8.7 [CVE-2023-6620, Post SMTP &lt; 2.8.7 - Admin+ SQL Injection, POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.6 - Authenticated (Administrator+) SQL Injection]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.6.1 [Post SMTP &lt; 2.6.1 - Authenticated (Administrator+) SQL Injection]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.8.7 [CVE-2023-6621, Post SMTP &lt; 2.8.7 - Reflected Cross-Site Scripting]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.8.7 [CVE-2023-52233, WordPress Post SMTP Mailer/Email Log Plugin <= 2.8.6 is vulnerable to Broken Access Control]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.8.8 [CVE-2023-6875, POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 - Authorization Bypass via type connect-app API, WordPress Post SMTP Mailer/Email Log Plugin <= 2.8.7 is vulnerable to Broken Authentication, POST SMTP Mailer &lt; 2.8.8 - Authorization Bypass via type connect-app API]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.8.7 [CVE-2024-29128, WordPress Post SMTP Mailer/Email Log Plugin <= 2.8.6 is vulnerable to Cross Site Scripting (XSS)]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.9.4 [CVE-2024-5207, POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.9.3 - Authenticated (Administrator+) SQL Injection, WordPress Post SMTP Mailer/Email Log Plugin <= 2.9.3 is vulnerable to SQL Injection]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.9.10 [CVE-2024-52436, WordPress Post SMTP Plugin <= 2.9.9 is vulnerable to SQL Injection, Post SMTP <= 2.9.9 - Authenticated (Administrator+) SQL Injection]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 2.9.12 [CVE-2025-22800, WordPress Post SMTP Plugin <= 2.9.11 is vulnerable to Broken Access Control, Post SMTP <= 2.9.11 - Missing Authorization via regenerate_qrcode(), EUVD-2025-3004]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 3.1.0 [CVE-2025-0521, Post SMTP <= 3.0.2 - Unauthenticated Stored Cross-Site Scripting, EUVD-2025-4802]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 3.1.3 [CVE-2024-13844, Post SMTP <= 3.1.2 - Authenticated (Administrator+) SQL Injection via columns Parameter, EUVD-2025-6296]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 3.3.0 [CVE-2025-24000, Post SMTP <= 3.2.0 - Missing Authorization to Authenticated (Subscriber+) Account Takeover via Email Log Exposure, EUVD-2025-23940]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 3.6.1 [CVE-2025-11833, Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App <= 3.6.0 - Missing Authorization to Account Takeover via Unauthenticated Email Log Disclosure, EUVD-2025-37413]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 3.6.2 [CVE-2025-12887, Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App <= 3.6.1 - Missing Authorization to Authenticated (Subscriber+) OAuth Token Update]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 3.6.2 [CVE-2025-67563]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 3.9.0 [CVE-2026-3090, Post SMTP <= 3.8.0 - Unauthenticated Stored Cross-Site Scripting via 'event_type']
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 3.9.0 [CVE-2026-2559, Post SMTP <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Office 365 OAuth Configuration Overwrite]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 3.4.2 [Post SMTP <= 3.4.1 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Option Update, Post SMTP <= 3.4.1 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Option Update, EUVD-2025-28826]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 3.1.0 [CVE-2024-13362, Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter]
  • Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App [post-smtp] < 3.6.3 [CVE-2026-48838, Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App <= 3.6.2 - Unauthenticated Stored Cross-Site Scripting, Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App &lt;= 3.6.2 - Unauthenticated Stored Cross-Site Scripting]

Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.

Safer / more established alternatives

Check your own WordPress site

Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.