We recently found that the plugin Postman SMTP contains a reflected cross-site scripting (XSS) vulnerability.
On line 346 of the file /Postman/Postman-Email-Log/PostmanEmailLogController.php the value of GET or POST input “page” is output without being escaped:
value="<?php echo $_REQUEST['page'] ?>" />
While the GET input “page” needs to be set to “postman_email_log” for that code to run, the POST input
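As an added example (not the plugin's code), here is the unescaped attribute pattern quoted above beside an escaped version, with a DOM-based check that the submitted value stays inside the attribute. The function names, the surrounding input markup and the sample value are assumptions made for illustration.

```php
<?php
// Added example, not Postman SMTP's code. Function names and the
// surrounding <input> markup are assumptions made for illustration.

// Same pattern as the quoted line: raw request value inside an attribute.
function render_page_field_unescaped(array $request): string
{
    $page = is_string($request['page'] ?? null) ? $request['page'] : '';
    return '<input type="hidden" name="page" value="' . $page . '" />';
}

// Escaped on output, so quotes and angle brackets stay attribute data.
// Inside WordPress, esc_attr() is the usual function for this.
function render_page_field_escaped(array $request): string
{
    $page = is_string($request['page'] ?? null) ? $request['page'] : '';
    $safe = htmlspecialchars($page, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="page" value="' . $safe . '" />';
}

// Regression check: parse the markup and confirm it is still exactly one
// element whose value attribute equals the submitted string.
function value_stays_in_attribute(string $html, string $submitted): bool
{
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>',
        LIBXML_NOERROR | LIBXML_NOWARNING);
    $body = $doc->getElementsByTagName('body')->item(0);
    $elements = $body->getElementsByTagName('*');
    if ($elements->length !== 1) {
        return false; // extra elements mean the value escaped the attribute
    }
    $input = $elements->item(0);
    return $input->attributes->length === 3
        && $input->getAttribute('value') === $submitted;
}

// Constructed sample input containing a quote and markup characters.
$request = ['page' => 'postman_email_log"><b>x</b>'];

foreach (['render_page_field_unescaped', 'render_page_field_escaped'] as $render) {
    $html = $render($request);
    printf("%-30s contained=%s\n", $render,
        var_export(value_stays_in_attribute($html, $request['page']), true));
}
```

The same check can run in a plugin's test suite against any template that echoes request data into an attribute.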
Source: Security Feed