WordPress Post SMTP Plugin Vulnerability Exposes 400,000 Websites to Account Takeover Attacks

A critical security flaw in the WordPress Post SMTP plugin has left more than 400,000 websites vulnerable to account takeover attacks.

The vulnerability, identified as CVE-2025-11833, enables unauthenticated attackers to access email logs containing sensitive password reset information, potentially compromising administrator accounts and entire websites.

The flaw stems from a missing authorization check in the plugin’s core functionality, allowing threat actors to exploit logged email data without requiring any authentication credentials.

The Post SMTP plugin, designed to replace WordPress’s default PHP mail function with SMTP mailers, includes an email logging feature that inadvertently exposes critical security information.

Since November 1, 2025, attackers have actively targeted this vulnerability, with over 4,500 exploitation attempts already blocked by security systems.

The widespread use of this plugin across hundreds of thousands of WordPress installations has created a significant attack surface for cybercriminals seeking unauthorized access to websites.

Wordfence researchers identified the vulnerability through their Bug Bounty Program on October 11, 2025, just one day after its introduction.

Security researcher netranger discovered and responsibly reported the flaw, earning a bounty of $7,800 for the critical finding.

The WP Experts development team responded swiftly to disclosure, releasing patch version 3.6.1 on October 29, 2025, to address the security gap affecting all versions up to and including 3.6.0.

The vulnerability carries a CVSS score of 9.8, placing it in the critical severity category. Site administrators must immediately update to version 3.6.1 to protect their installations from ongoing exploitation attempts.

Wordfence Premium users received firewall protection on October 15, 2025, while free version users will receive the same safeguards by November 14, 2025.

Technical Exploitation Mechanism

The vulnerability resides in the constructor (__construct) of the PostmanEmailLogs class, which renders a logged email message when certain request parameters are present without performing any capability check first.

Attackers can exploit this weakness by manipulating URL parameters to access arbitrary email logs through the plugin’s interface.

Vulnerability Details

| Parameter | Details |
|---|---|
| CVE ID | CVE-2025-11833 |
| CVSS Score | 9.8 (Critical) |
| Vulnerability Type | Missing Authorization to Account Takeover via Unauthenticated Email Log Disclosure |
| Affected Plugin | Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App |
| Affected Versions | All versions <= 3.6.0 |
| Patched Version | 3.6.1 |
| Active Installations | 400,000+ |
| Discovery Date | October 11, 2025 |
| Patch Release Date | October 29, 2025 |
| Researcher | netranger (Wordfence Bug Bounty Program) |
| Bounty Awarded | $7,800.00 |
| Exploitation Status | Active (4,500+ attacks blocked as of November 1, 2025) |

The vulnerable code accepts GET requests with specific parameters including page, view, and log_id, allowing unauthorized users to retrieve stored email content directly from the database.

public function __construct() {
    global $wpdb;
    $this->db = $wpdb;
    $this->logger = new PostmanLogger( get_class( $this ) );

    // Render the message body in an iframe.
    // Missing authorization: no current_user_can() or nonce check guards this
    // branch, so any visitor who supplies these GET parameters reaches the lookup below.
    if(
        isset( $_GET['page'] ) && $_GET['page'] == 'postman_email_log'
        &&
        isset( $_GET['view'] ) && $_GET['view'] == 'log'
        &&
        isset( $_GET['log_id'] ) && !empty( $_GET['log_id'] )
    ) {
        // The id is sanitized, but the caller is never authorized.
        $id = sanitize_text_field( $_GET['log_id'] );
        $email_query_log = new PostmanEmailQueryLog();
        // Fetches the stored log entry for any id, including password reset emails.
        $log = $email_query_log->get_log( $id, '' );
        // The output statement is truncated in this excerpt; the stored message body
        // is echoed to the response, as HTML or plain text depending on its headers.
        echo ( isset ( $header ) && strpos( $header, "text/html" ) );
        die;
    }
}

The exploitation process involves attackers triggering password reset requests for administrator accounts, then accessing the logged reset emails containing password reset links through the unprotected interface.

This two-step attack vector enables complete site takeover, granting malicious actors full administrative privileges to upload backdoors, modify content, and redirect users to malicious destinations.
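The two-step chain described above leaves a recognisable trace in web-server access logs: password reset POSTs to wp-login.php followed by requests carrying the page, view and log_id parameters the vulnerable branch checks. The following triage script is an added example, not code from the article or from the plugin; the log lines are constructed, and because the article does not state which path the exploit requests use, matching is done on the query string only.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Common Log Format (not from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2025:10:02:11 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
203.0.113.7 - - [01/Nov/2025:10:02:20 +0000] "GET /?page=postman_email_log&view=log&log_id=41 HTTP/1.1" 200 2310
203.0.113.7 - - [01/Nov/2025:10:02:21 +0000] "GET /?page=postman_email_log&view=log&log_id=42 HTTP/1.1" 200 2290
198.51.100.9 - - [01/Nov/2025:10:05:00 +0000] "GET /wp-admin/admin.php?page=postman_email_log HTTP/1.1" 200 8800
192.0.2.4 - - [01/Nov/2025:10:06:00 +0000] "GET /?p=12 HTTP/1.1" 200 5100
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return ip, method, path, query dict and status, or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"ip": m.group("ip"), "method": m.group("method"), "path": parts.path,
            "query": query, "status": int(m.group("status"))}

def is_log_view(req):
    """True when the request carries the three parameters the vulnerable constructor checks."""
    q = req["query"]
    return q.get("page") == "postman_email_log" and q.get("view") == "log" and bool(q.get("log_id"))

def is_password_reset(req):
    """True for a WordPress lost-password submission (the first step of the chain)."""
    return (req["method"] == "POST" and req["path"].endswith("/wp-login.php")
            and req["query"].get("action") == "lostpassword")

def triage(log_text):
    """Per source IP: count reset submissions and collect the log ids it tried to read."""
    per_ip = defaultdict(lambda: {"resets": 0, "log_ids": []})
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        if is_password_reset(req):
            per_ip[req["ip"]]["resets"] += 1
        elif is_log_view(req):
            per_ip[req["ip"]]["log_ids"].append(req["query"]["log_id"])
    # Only sources that touched the log viewer at all are worth reporting.
    return {ip: e for ip, e in per_ip.items() if e["log_ids"]}

def suspected_takeover_chains(log_text):
    """IPs that both requested a password reset and read email logs: the full two-step pattern."""
    return sorted(ip for ip, e in triage(log_text).items() if e["resets"] and e["log_ids"])
```

Any hit from triage() on a site still running 3.6.0 or earlier warrants checking which log ids were served and rotating the credentials of every account whose reset email appears among them.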
