A recent security discovery involves a significant flaw in the Post SMTP plugin, a widely adopted email delivery solution for WordPress that offers extended features beyond the basic wp_mail() function. This vulnerability, which was reported on October 11 by researcher ‘netranger’ to the security firm Wordfence, concerns an email log disclosure that creates an opening for devastating account takeover attacks. Assigned the critical-severity score of 9.8 and tracked as CVE-2025-11833, this issue puts all versions of Post SMTP up to and including 3.6.0 at risk.
The core of the vulnerability lies in the fact that the plugin’s ‘PostmanEmailLogs’ flow contains a ‘__construct’ function that lacks necessary authorization checks. Consequently, when a request is made for logged email content, the constructor directly renders it without performing capability checks. This failure allows any unauthenticated attacker to read arbitrary emails logged by the plugin. Crucially, these exposed emails can contain password reset messages, including the unique links that enable an attacker to change an administrator’s password without needing to be the legitimate account holder, resulting in a full site compromise.
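To make the missing-authorization pattern concrete, here is an added illustration of how a WordPress log viewer should gate access to stored email content. This is example code written for this article, not Post SMTP’s own source: the class name, hook, nonce action, request parameter and table name are all constructed for the example. The point it shows is that a constructor should only register hooks, and that the code which actually renders a log must check that the user is logged in, holds a sufficient capability, and arrived via a nonce-protected link before any log content is read or echoed.

```php
<?php
// Added example, not the plugin's code. All names below are constructed
// for illustration: Example_Email_Log_Viewer, example_log_id,
// example_view_log and the example_email_log table are hypothetical.

class Example_Email_Log_Viewer {

    public function __construct() {
        // A constructor should only wire things up. Rendering output here,
        // driven straight from request parameters, is the shape of the flaw
        // described above: the page is served before any check can run.
        add_action( 'admin_init', array( $this, 'maybe_render_log' ) );
    }

    public function maybe_render_log() {
        // Nothing to do unless a log view was requested.
        if ( ! isset( $_GET['example_log_id'] ) ) {
            return;
        }

        // 1. Authentication and authorization: unauthenticated visitors and
        //    low-privilege roles must not be able to read stored messages,
        //    since those messages can contain password-reset links.
        if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
            wp_die(
                esc_html__( 'You are not allowed to view email logs.', 'example' ),
                '',
                array( 'response' => 403 )
            );
        }

        // 2. CSRF protection: the request must carry the nonce issued on the
        //    plugin's own admin screen (see build_view_link below).
        check_admin_referer( 'example_view_log' );

        // 3. Input validation: only a positive integer id is acceptable.
        $log_id = absint( wp_unslash( $_GET['example_log_id'] ) );
        if ( 0 === $log_id ) {
            wp_die( esc_html__( 'Invalid log id.', 'example' ), '', array( 'response' => 400 ) );
        }

        $log = $this->fetch_log( $log_id );
        if ( null === $log ) {
            wp_die( esc_html__( 'Log entry not found.', 'example' ), '', array( 'response' => 404 ) );
        }

        // 4. Output escaping: stored message bodies are untrusted data.
        header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
        echo '<h1>' . esc_html( $log->subject ) . '</h1>';
        echo '<pre>' . esc_html( $log->body ) . '</pre>';
        exit;
    }

    // Builds the only link the plugin should hand out for viewing a log:
    // it is bound to a nonce so a forged or shared URL does not pass step 2.
    public function build_view_link( $log_id ) {
        $url = add_query_arg( 'example_log_id', absint( $log_id ), admin_url() );
        return wp_nonce_url( $url, 'example_view_log' );
    }

    private function fetch_log( $log_id ) {
        global $wpdb;
        $table = $wpdb->prefix . 'example_email_log';
        // Prepared statement keeps the id out of the SQL text.
        return $wpdb->get_row(
            $wpdb->prepare( "SELECT id, subject, body FROM {$table} WHERE id = %d", $log_id )
        );
    }
}

new Example_Email_Log_Viewer();
```

The three checks are deliberately ordered so that the capability test runs before the nonce test: a nonce alone proves the request came from a page the site generated, not that the requester is entitled to the data, and neither check is reached at all if content is emitted from the constructor.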
Upon receiving the report, Wordfence validated the researcher’s exploit on October 15 and promptly disclosed the critical issue to the plugin’s vendor, Saad Iqbal. A patched version, Post SMTP 3.6.1, was made available on October 29. However, data from WordPress.org indicates that only about half of the plugin’s user base has applied this update, leaving an estimated 210,000 sites still exposed to potential administrator takeover attacks.
The threat escalated significantly on November 1, when hackers began actively exploiting CVE-2025-11833. Since the start of active exploitation, Wordfence has reported blocking over 4,500 exploit attempts targeting their customers. Given this immediate and severe risk, all website owners currently using the Post SMTP plugin are strongly urged to take decisive action: either update immediately to version 3.6.1 or completely disable the plugin until the patch can be safely applied.
This is not the first time the Post SMTP plugin has faced such a vulnerability; in July, another security firm, PatchStack, disclosed a similar flaw. That issue, tracked as CVE-2025-24000, also allowed hackers to access email logs containing full message content, even with low-level subscriber accounts. Just like the current crisis, that prior flaw presented the same severe risk, enabling unauthorized users to trigger password resets, intercept sensitive messages, and seize full control of administrator accounts.