Description The plugin does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users.
1. Install Post SMTP in version <= 2.7.0 and configure it.
2. Send email using any contact form which uses 'wp_mail' function. Include the following payload in the message:
<img src=x onerror=alert(document.domain)>
3. Visit /wp-admin/admin.php?page=postman_email_log (Post SMTP -> Email Log)
4. Click 'View' next to the first record.
5. The message is shown and JavaScript code is executed.