What vulnerability is affecting the Post SMTP WordPress plugin?

WordPress security firm Wordfence is reporting an active exploitation of an account takeover vulnerability affecting the Post SMTP plugin, a widely used email delivery solution. The flaw is tracked as CVE-2025-11833 with a CVSS score of 9.8. It allows unauthenticated attackers to view email logs containing password reset links, enabling site compromise through triggering a password reset and then accessing the link from the logs.

What is CVE-2025-11833?

CVE-2025-11833 is a critical security vulnerability with a CVSS score of 9.8 affecting the Post SMTP WordPress plugin. It is an authentication bypass vulnerability that allows unauthenticated attackers to view email logs containing sensitive information such as password reset links, potentially leading to complete site takeover.

Which versions of Post SMTP are vulnerable?

All versions of Post SMTP up to and including version 3.6.0 are vulnerable to CVE-2025-11833. Post SMTP version 3.6.1, released on October 29, 2025, contains the security fix for this vulnerability.

Has the Post SMTP vulnerability been patched?

Yes, the vulnerability has been patched. Post SMTP version 3.6.1, released on October 29, 2025, contains the security fix for CVE-2025-11833. WordPress site administrators using Post SMTP must immediately update to version 3.6.1 or later.

What can attackers do by exploiting CVE-2025-11833?

By exploiting CVE-2025-11833, unauthenticated attackers can view email logs containing password reset links. This allows them to trigger a password reset for any user account (including administrators) and then access the reset link directly from the unprotected logs, enabling complete site takeover without any legitimate credentials.

Who discovered the Post SMTP vulnerability?

WordPress security firm Wordfence discovered and reported the active exploitation of the Post SMTP vulnerability CVE-2025-11833. Wordfence detected that attackers began exploiting this flaw on November 1, 2025.

When did exploitation of the Post SMTP vulnerability begin?

Attackers began actively exploiting the Post SMTP vulnerability CVE-2025-11833 on November 1, 2025, just days after the patch was released on October 29, 2025. This rapid exploitation highlights the critical nature of this vulnerability.

What caused the Post SMTP security flaw?

The security flaw was caused by developers failing to implement proper authorization checks in the PostmanEmailLogs class constructor function that handles email log display requests. The code retrieves and displays logged email content without verifying whether the requester has authorization to view the sensitive information.

What sensitive information is exposed through the Post SMTP vulnerability?

The vulnerability exposes email logs that can contain highly sensitive information including password reset links, which are the primary attack vector. The logs may also contain other confidential email communications sent through the WordPress site, depending on what emails have been logged by the plugin.

How can attackers access the Post SMTP email logs?

Attackers can access the email logs by sending specially crafted requests with specific URL parameters including page=postman_email_log, view=log, and a log_id parameter. Because there are no authorization checks, anyone who knows these parameters can view the logged emails without authentication.

What is the CVSS score of CVE-2025-11833?

CVE-2025-11833 has a CVSS score of 9.8, which is classified as critical severity. This high rating reflects the ease of exploitation (no authentication required), the significant potential impact (complete site takeover), and the wide deployment of the vulnerable plugin across hundreds of thousands of WordPress sites.

Attack

Critical vulnerability in Post SMTP WordPress Plugin actively exploited

Q: How does the Post SMTP vulnerability work?

The vulnerability is caused by missing authorization checks in the PostmanEmailLogs class constructor. When the plugin receives a request to view a logged email through specific URL parameters (page=postman_email_log, view=log, and a log_id parameter), it retrieves and displays the requested email content without any authorization verification. Attackers can exploit this by triggering a password reset for an administrator account and then accessing the reset link directly from the unprotected email logs.

Q: Are attackers actively exploiting the Post SMTP vulnerability?

Yes, attackers began actively exploiting CVE-2025-11833 on November 1, 2025. Wordfence reports that approximately half of the install base of 400,000 sites are still running vulnerable versions, meaning at least 210,000 WordPress installations remain at immediate risk of complete takeover.

Q: How many WordPress sites are at risk from the Post SMTP vulnerability?

At least 210,000 WordPress installations remain at immediate risk of complete takeover. Approximately half of the install base of 400,000 sites are still running vulnerable versions of Post SMTP despite the patch being available since October 29, 2025.

published: Nov. 5, 2025

Take action: If you use the Post SMTP plugin on your WordPress, this is URGENT. Update immediately to version 3.6.1, because any attacker can simply trigger a password reset request and then find the reset link to change your passwords. This is not a dril, you are being actively hacked.

Learn More

WordPress security firm Wordfence is reporting an active exploitation of an account takeover vulnerability affecting the Post SMTP plugin, a widely used email delivery solution.

Post SMTP is an email delivery plugin designed to replace WordPress's default wp_mail() PHP mail function with a more reliable SMTP mailer implementation. The plugin provides email management capabilities including custom SMTP configuration, email logging and tracking, delivery failure alerts, backup SMTP server support, mobile application integration, and detailed analytics on email delivery success rates.

The flaw is tracked as CVE-2025-11833 (CVSS score 9.8). It allows unauthenticated attackers to view email logs containing password reset links, enabling site compromise through triggering a password reset, then accessing the link from the logs.

Post SMTP's PostmanEmailLogs class constructor is responsible for displaying logged email messages when administrators need to review sent communications. The developers failed to implement proper authorization checks in the function that handles email log display requests. When the plugin receives a request to view a logged email through specific URL parameters (page=postman_email_log, view=log, and a log_id parameter), it retrieves and displays the requested email content without any authorization.

Attackers began actively exploiting this vulnerability on November 1, 2025. Approximately half of the install base of 400,000 sites are still running vulnerable versions, at least 210,000 WordPress installations remain at immediate risk of complete takeover.

Affected versions are all versions up to and including 3.6.0 Post SMTP version 3.6.1, released on October 29, 2025, contains the security fix for this vulnerability.

WordPress site administrators using Post SMTP must immediately update to version 3.6.1 or later through the WordPress admin dashboard Organizations should conduct security audits of their WordPress installations to identify any signs of compromise, including reviewing user accounts for unauthorized administrator accounts, examining recent plugin and theme installations for malicious code, checking website content for unauthorized modifications or injected scripts, analyzing server logs for suspicious access patterns, and verifying that all legitimate administrator accounts have not had their passwords changed without authorization.

Critical vulnerability in Post SMTP WordPress Plugin actively exploited

Read More
JetBrains TeamCity vulnerability exploited by state sponsored hackers
Microsoft warns of 2 year old vulnerability actively …
Multiple threat groups are exploiting the critical React/Nex.js …
Critical Citrix Netscaler "Citrix Bleed 2" flaw actively …
DrayTek routers in Vietnam actively attacked causing Internet …