
Hackers Exploit Critical Post SMTP WordPress Plugin Flaw to Hijack Admin Accounts

A newly discovered critical vulnerability in the popular Post SMTP WordPress plugin is actively being exploited by cybercriminals to hijack administrator accounts and gain full control of WordPress sites. With over 400,000 active installations, the flaw poses a serious threat to website owners who haven’t yet applied the latest security patch.

The Post SMTP plugin, widely used as a more reliable alternative to WordPress’s default wp_mail() function, helps website administrators manage email delivery and troubleshooting. However, researchers from Wordfence, a leading WordPress security firm, uncovered that the plugin’s recent versions contain a dangerous email log disclosure vulnerability.

The flaw, tracked as CVE-2025-11833, carries a critical severity score of 9.8 and affects all versions up to 3.6.0. It originates from missing authorization checks in the `__construct` function of the plugin’s PostmanEmailLogs feature. This oversight allows unauthenticated attackers to directly access email logs without proper permission checks.

More alarmingly, these email logs can contain password reset links. By exploiting this flaw, attackers can intercept these links and reset administrator passwords, effectively taking over entire WordPress sites without needing valid credentials. According to Wordfence, this type of attack can lead to complete site compromise, data theft, and even the injection of malicious content or backdoors.
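To illustrate the class of bug described above (a constructor that serves email-log contents without an authorization check) next to the fix pattern, here is an added example in PHP. It is not Post SMTP's code; the class, option and nonce names are hypothetical, and only the WordPress functions it calls are real.

```php
<?php
// Added illustration, not plugin code. Vulnerable pattern: the constructor reacts to a
// request parameter and prints a stored email log with no permission check at all, so an
// unauthenticated visitor can read any entry, including a recorded password-reset email.
class Hypothetical_Email_Log_Viewer_Vulnerable {
    public function __construct() {
        if ( isset( $_GET['view_log'] ) ) {
            $this->render_log( absint( $_GET['view_log'] ) );
        }
    }

    protected function render_log( $id ) {
        $logs = get_option( 'hypothetical_email_logs', array() ); // hypothetical option name
        if ( isset( $logs[ $id ] ) ) {
            echo esc_html( $logs[ $id ] );
        }
    }
}

// Hardened pattern: no request handling in the constructor. The work is deferred to a hook
// that runs after WordPress has loaded the current user, because a capability check made
// while plugins are still being constructed would see no user at all.
class Hypothetical_Email_Log_Viewer_Fixed {
    public function __construct() {
        add_action( 'admin_init', array( $this, 'maybe_render_log' ) );
    }

    public function maybe_render_log() {
        if ( ! isset( $_GET['view_log'] ) ) {
            return;
        }
        // Authorization: only users who can manage the site may read email logs.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'You do not have permission to view email logs.', '', array( 'response' => 403 ) );
        }
        // CSRF protection: the request must carry a nonce issued by the plugin's own admin page.
        check_admin_referer( 'hypothetical_view_log' ); // hypothetical nonce action
        $this->render_log( absint( $_GET['view_log'] ) );
    }

    protected function render_log( $id ) {
        $logs = get_option( 'hypothetical_email_logs', array() ); // hypothetical option name
        if ( isset( $logs[ $id ] ) ) {
            echo esc_html( $logs[ $id ] );
        }
    }
}
```

The capability check is what closes the disclosure; the nonce check additionally stops a logged-in administrator from being tricked into triggering the request from another site.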

After the issue was reported by security researcher ‘netranger’ on October 11, Wordfence verified the exploit and informed the plugin’s developer Saad Iqbal on October 15. The patched version 3.6.1 was released on October 29, but data from WordPress.org shows that only about half of the plugin’s users have updated, leaving over 210,000 sites still vulnerable.

Wordfence began detecting active exploitation attempts on November 1, blocking more than 4,500 attacks in just a few days. Threat actors are scanning for outdated installations and targeting them to gain instant administrative privileges.

Security experts urge all website owners using Post SMTP to update immediately to version 3.6.1 or temporarily disable the plugin until the patch can be applied. It’s also recommended to enable two-factor authentication (2FA) for all admin accounts and review email logs for suspicious password reset attempts.

This isn’t the first time Post SMTP has faced serious security issues. In July 2025, another flaw (CVE-2025-24000) was uncovered, also linked to email log exposure that enabled unauthorized password resets. The recurrence of such vulnerabilities highlights the critical need for continuous plugin maintenance and prompt patch management within the WordPress ecosystem.

Conclusion

The CVE-2025-11833 exploit serves as yet another reminder of how third-party plugins can endanger an entire website’s security if left unpatched. Website administrators should prioritize regular updates, plugin audits, and layered defenses to minimize the risk of compromise. With attacks already in motion, proactive patching remains the most effective way to keep websites safe from Post SMTP’s latest vulnerability and similar zero-day threats.
