A critical vulnerability has been discovered in the Post SMTP WordPress plugin, affecting over 400,000 active installations across the web.
The vulnerability, identified as CVE-2025-11833 with a CVSS score of 9.8, allows unauthenticated attackers to access sensitive email logs and execute account takeover attacks on vulnerable WordPress sites.
Researchers have already documented over 4,500 exploitation attempts since November 1st, 2025, signaling an active and growing threat campaign.
On October 11th, 2025, security researchers submitted a vulnerability report to Wordfence through their Bug Bounty Program revealing a critical authorization vulnerability in Post SMTP versions 3.6.0 and earlier.
The vulnerability stems from a missing capability check in the plugin’s PostmanEmailLogs class constructor, which fails to verify user permissions before displaying logged email messages.
This oversight gives unauthenticated attackers a direct pathway to the plugin’s email logging functionality.
The Post SMTP plugin is designed to replace WordPress’s default PHP mail function with a more reliable SMTP mailer while providing comprehensive email logging capabilities.
However, because no authorization check is enforced, anyone on the internet can read the email logs simply by requesting the log-viewing URL with the right parameters, including password reset emails that contain sensitive reset links.
An attacker can weaponize this access by triggering a password reset for an administrator account, intercepting the reset email from the logs, and using the reset link to compromise the account completely.
Once inside, attackers gain full administrative privileges to manipulate site content, inject malicious code, and potentially deploy backdoors for persistent access.
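The missing-capability-check pattern described above, shown beside a hardened form, as an added illustration that is not Post SMTP’s own code; the class, hook, table and query-parameter names are hypothetical.

```php
<?php
// Added illustration, not Post SMTP's own code: the missing-capability-check
// pattern the advisory describes, beside a hardened form. Class, table, hook
// and query-parameter names are hypothetical.
abstract class Example_Email_Logs_Base {
    protected function get_log_body( $log_id ) {
        global $wpdb;
        // Prepared statement: $log_id comes from the request.
        return (string) $wpdb->get_var( $wpdb->prepare(
            "SELECT body FROM {$wpdb->prefix}example_email_log WHERE id = %d", $log_id ) );
    }
}

// BEFORE: the constructor registers a log viewer reachable by any visitor.
class Example_Email_Logs_Vulnerable extends Example_Email_Logs_Base {
    public function __construct() {
        add_action( 'init', array( $this, 'maybe_render_log' ) ); // runs for every request
    }
    public function maybe_render_log() {
        if ( ! isset( $_GET['view_log'] ) ) {
            return;
        }
        // No capability check: the stored message, reset links included, is
        // returned to whoever asked for it.
        echo esc_html( $this->get_log_body( absint( $_GET['view_log'] ) ) );
        exit;
    }
}

// AFTER: authorization and a nonce check happen before anything is rendered.
class Example_Email_Logs_Fixed extends Example_Email_Logs_Base {
    public function __construct() {
        add_action( 'init', array( $this, 'maybe_render_log' ) );
    }
    public function maybe_render_log() {
        if ( ! isset( $_GET['view_log'] ) ) {
            return;
        }
        // Only users who can manage the site may read logged mail.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Not allowed.' ), '', array( 'response' => 403 ) );
        }
        // Reject links not issued to this user for this action (blocks CSRF-driven views).
        $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
        if ( ! wp_verify_nonce( $nonce, 'view_email_log' ) ) {
            wp_die( esc_html__( 'Invalid request.' ), '', array( 'response' => 403 ) );
        }
        echo esc_html( $this->get_log_body( absint( $_GET['view_log'] ) ) );
        exit;
    }
}
```

The capability check is the fix the advisory calls for; the nonce check is an extra layer that also stops a logged-in administrator from being tricked into fetching a log via a crafted link.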
The vulnerability represents an immediate and severe threat to WordPress site owners. Wordfence telemetry indicates that attackers began targeting this vulnerability as early as November 1st, 2025, with security researchers blocking over 4,500 exploitation attempts within the initial days.
Given the critical nature of the vulnerability and the large installed base of the affected plugin, cybersecurity experts anticipate a significant surge in exploitation activity in the coming weeks.
Wordfence Premium, Care, and Response users received protection through firewall rules implemented on October 15th, 2025, just days after the vulnerability was validated.
Free Wordfence users will receive the same protection on November 14th, 2025, providing a 30-day delay for sites without paid security solutions. This timeline underscores the importance of manual patching for users without active security monitoring.
Patch Released and Recommendations
The vendor released a fully patched version, Post SMTP 3.6.1, on October 29th, 2025, addressing the authorization bypass.
The researcher who discovered the vulnerability, known as netranger, received a $7,800 bounty through Wordfence’s Bug Bounty Program, demonstrating the program’s commitment to incentivizing high-quality vulnerability research and responsible disclosure practices.
WordPress site administrators should immediately update to Post SMTP version 3.6.1 or later. The critical nature of this vulnerability, combined with documented active exploitation, makes this update a priority.
Sites running older versions of the plugin remain actively targeted by threat actors seeking quick administrative access.
Website owners should verify their installation status, apply the patch, and consider sharing this advisory with others in their WordPress community to ensure broader protection across the ecosystem.