At Post SMTP, security and reliable email delivery are always our top priorities. The plugin powers email delivery for 300,000+ WordPress websites, so maintaining strong protection and stability is something we take very seriously.
Recently, the Wordfence security team reported two vulnerabilities. After reviewing the report, our development team quickly investigated the issue and released Post SMTP Free 3.9.0 and Post SMTP Pro 1.5.1 to address them.
These updates include important security patches that strengthen the plugin and help keep your WordPress site protected.
We strongly recommend updating to the latest version as soon as possible.
Security Patches Included in This Release
The latest update includes two security fixes that improve the plugin’s protection and access controls.
Fix 1: Stored XSS Vulnerability Patch
A vulnerability was identified in versions up to 3.8.0 that could allow malicious scripts to be stored through certain tracking requests.
If exploited, the injected script could run when an administrator viewed the Email Logs page inside the WordPress dashboard.
While this required specific conditions, it could potentially lead to unauthorized actions within the admin area.
What We Fixed
Our team implemented additional safeguards to prevent this scenario by:
- Improving how user input is processed and validated
- Adding stronger output protection when displaying log data
- Ensuring that email tracking requests can store only validated data in the logs
These changes ensure that email tracking data is handled safely and cannot be used to inject malicious content.
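To make the two sides of this fix concrete, here is an added illustration of the pattern (validate and sanitize on the way in, escape on the way out) for a tracking request that is later shown on an admin log page. This is example code written for this post, not Post SMTP's own code; the function names, the query parameter, the hook and the table name are assumptions.

```php
<?php
// Added illustration (not Post SMTP's code): store-side validation and
// output-side escaping for an email-tracking request. Every function,
// hook, query parameter and table name here is an assumption for the example.

/**
 * Handle a tracking-pixel request such as /?postsmtp_example_track=<log_id>.
 * Only validated, sanitized values ever reach the log table.
 */
function postsmtp_example_record_open() {
    if ( ! isset( $_GET['postsmtp_example_track'] ) ) {
        return;
    }

    // Validate the log id: it must be a positive integer, nothing else.
    $log_id = absint( wp_unslash( $_GET['postsmtp_example_track'] ) );
    if ( 0 === $log_id ) {
        return;
    }

    // Sanitize free-text request data before it is stored. sanitize_text_field()
    // strips tags and control characters; the length cap bounds what one
    // unauthenticated request can write into the log.
    $user_agent = isset( $_SERVER['HTTP_USER_AGENT'] )
        ? substr( sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ), 0, 255 )
        : '';

    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'postsmtp_example_opens', // assumed table name
        array(
            'log_id'     => $log_id,
            'user_agent' => $user_agent,
            'opened_at'  => current_time( 'mysql', true ),
        ),
        array( '%d', '%s', '%s' ) // typed formats, so no raw SQL is built from input
    );
}
add_action( 'init', 'postsmtp_example_record_open' );

/**
 * Render one row on an (assumed) Email Logs admin page. Stored values are
 * escaped at output time regardless of how they were stored, so a value that
 * slipped past input validation still renders as text in the admin's browser
 * instead of executing.
 */
function postsmtp_example_render_open_row( array $row ) {
    printf(
        '<tr><td>%d</td><td>%s</td><td>%s</td></tr>',
        absint( $row['log_id'] ),
        esc_html( $row['user_agent'] ),
        esc_html( $row['opened_at'] )
    );
}
```

The two halves are deliberately independent: the input side limits what an unauthenticated tracking request can persist, and the output side (esc_html on every stored field) is what actually prevents stored content from running on the logs page even if the input rules ever change.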
Fix 2: Unauthorized Configuration Change Prevention
A second issue involved the OAuth connection process used when setting up Microsoft 365 email authentication.
Under certain conditions, a logged-in user with limited permissions could attempt to manipulate the configuration flow.
What We Fixed
To resolve this issue, we improved the verification process by:
- Adding stronger permission checks for sensitive actions
- Introducing additional security validation during the authentication process
- Restricting configuration changes to authorized administrators only
These improvements ensure that only trusted users can manage or modify email service connections.
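As an added illustration of the checks described above, the following shows how an OAuth connection flow can be restricted to administrators: a capability check on both the start and callback steps, and an OAuth "state" value bound to a WordPress nonce so a callback is only honoured when the flow was started by an authorized user. This is example code written for this post, not Post SMTP's code; the function names, hook, capability, option and transient keys are assumptions, and the token exchange itself is omitted.

```php
<?php
// Added illustration (not Post SMTP's code): gating an OAuth connection flow
// behind a capability check and a nonce-bound state value. Function names,
// the admin-post hook, the capability and the transient key are assumptions.

/**
 * Build the provider's authorization URL. The OAuth "state" parameter carries
 * a WordPress nonce tied to the current user, so the callback can verify that
 * this user, in this session, started the flow.
 */
function postsmtp_example_oauth_start_url( $authorize_endpoint, $client_id ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to connect an email provider.', 'postsmtp-example' ), 403 );
    }

    // add_query_arg() does not encode values, so encode them explicitly.
    return add_query_arg(
        array(
            'client_id'     => rawurlencode( $client_id ),
            'redirect_uri'  => rawurlencode( admin_url( 'admin-post.php?action=postsmtp_example_oauth_callback' ) ),
            'response_type' => 'code',
            'state'         => wp_create_nonce( 'postsmtp_example_oauth' ),
        ),
        $authorize_endpoint
    );
}

/**
 * Callback handler on admin-post.php. Being logged in gets a request here;
 * the checks below decide whether the user is actually authorized.
 */
function postsmtp_example_oauth_callback() {
    // 1. Capability check: a logged-in user with limited permissions is rejected.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'postsmtp-example' ), 403 );
    }

    // 2. State check: the nonce only verifies for the user who generated it,
    //    and only within the nonce lifetime, so forged or replayed callbacks fail.
    $state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
    if ( ! wp_verify_nonce( $state, 'postsmtp_example_oauth' ) ) {
        wp_die( esc_html__( 'Invalid or expired authorization state.', 'postsmtp-example' ), 403 );
    }

    // 3. Only now is the provider's authorization code accepted.
    $code = isset( $_GET['code'] ) ? sanitize_text_field( wp_unslash( $_GET['code'] ) ) : '';
    if ( '' === $code ) {
        wp_die( esc_html__( 'Missing authorization code.', 'postsmtp-example' ), 400 );
    }

    // Hand the code to the (omitted) token-exchange step via a short-lived,
    // per-user transient rather than a persistent option.
    set_transient(
        'postsmtp_example_oauth_code_' . get_current_user_id(), // assumed transient key
        $code,
        5 * MINUTE_IN_SECONDS
    );

    wp_safe_redirect( admin_url( 'admin.php?page=postsmtp-example-settings' ) );
    exit;
}
add_action( 'admin_post_postsmtp_example_oauth_callback', 'postsmtp_example_oauth_callback' );
```

The order of the checks matters: the capability test runs first on every entry point, so a low-privilege account never reaches the state or code handling, and the nonce-backed state closes the gap where a valid-looking callback URL is presented to an administrator by someone else.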
Our Commitment to Security
Security researchers and responsible disclosure programs play a critical role in keeping the WordPress ecosystem safe.
We would like to thank Wordfence and their security research team for responsibly reporting these issues and helping us strengthen Post SMTP.
Our development team responded quickly to investigate, patch the vulnerabilities, and release a secure update for the community.
Update Post SMTP Today
To keep your website protected, we strongly recommend updating your plugin immediately:
- Post SMTP Free → Version 3.9.0
- Post SMTP Pro → Version 1.5.1
Updating ensures you receive the latest security improvements and continue sending WordPress emails safely and reliably.
Go to your WordPress Dashboard → Plugins → Update Now to install the latest version.
Thank you for trusting Post SMTP to power your WordPress email delivery.
