The plugin does not sanitize or escape stored email content, making it vulnerable to stored cross-site scripting (XSS) when an administrator views the email logs. Exploitation requires another plugin that lets users send emails containing unfiltered HTML.
XSS Payload: <img src=x onerror=alert('xss') >
Steps to reproduce:
1. Install subscribe2 plugin (https://wordpress.org/plugins/subscribe2/)
2. Install FluentSMTP
3. Configure FluentSMTP to use a custom SMTP server (for testing, use Mailtrap).
4. As another user (Author role or higher), send an email through the subscribe2 plugin with the XSS payload as the email content.
5. View the logs and click the preview icon to trigger the XSS.
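As an added illustration (not FluentSMTP's own code), the hypothetical log-preview handler below shows the unsafe pattern described above beside two hardened versions that filter the stored email HTML with WordPress's wp_kses_post() or isolate it in a sandboxed iframe; the function names and the $log array layout are assumptions.

```php
<?php
// Hypothetical log-preview handlers (assumption: not FluentSMTP's code).
// Each takes one stored log row; $log['body'] holds the raw email content
// exactly as the sending plugin supplied it, so it may contain HTML.

// Unsafe: the stored body is echoed straight into the admin page, so any
// markup in it, including event-handler attributes, runs in the admin's
// browser with the admin page's origin.
function render_email_preview_unsafe( array $log ) {
    echo '<div class="email-preview">';
    echo '<h2>' . $log['subject'] . '</h2>';
    echo $log['body'];
    echo '</div>';
}

// Hardened: escape plain-text fields with esc_html() and pass the HTML body
// through wp_kses_post(), which keeps the post-safe tag set (p, a, img, ...)
// and strips script tags, on* event-handler attributes and javascript: URLs.
function render_email_preview_safe( array $log ) {
    echo '<div class="email-preview">';
    echo '<h2>' . esc_html( $log['subject'] ) . '</h2>';
    echo wp_kses_post( $log['body'] );
    echo '</div>';
}

// Alternative when the email must be shown with its original styling intact:
// render it via srcdoc inside an iframe with an empty sandbox attribute, so
// scripts are blocked and the content gets an opaque origin rather than the
// admin page's. The attribute value is still escaped with esc_attr().
function render_email_preview_iframe( array $log ) {
    printf(
        '<iframe sandbox="" srcdoc="%s" title="%s"></iframe>',
        esc_attr( $log['body'] ),
        esc_attr( $log['subject'] )
    );
}
```

The same filtering should be applied wherever a log field is rendered (list view, preview modal, and any AJAX response that returns the body), not only on the preview page.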