The Post SMTP plugin, a widely adopted WordPress email delivery tool built as a more capable replacement for the default wp_mail() function, has become the latest target of attackers. The flaw, tracked as CVE-2025-11833, has been rated critical (CVSS 9.8) by Wordfence and affects all versions up to and including 3.6.0.
Researcher ‘netranger’ reported the vulnerability to Wordfence on October 11, describing it as an email log disclosure issue that can be chained into account takeover. The root cause is a missing authorization check in the __construct function of the plugin’s PostmanEmailLogs class. That oversight lets unauthenticated attackers read stored email logs, including password reset messages.
How the Exploit Works: Password Resets Without Access
According to Wordfence’s analysis, the class constructor renders email log content directly when the expected request parameters are present, without checking the caller’s capabilities. Any unauthenticated visitor can therefore read stored messages. Because the plugin logs the mail it sends, an attacker does not have to wait for a reset to happen: they can request a password reset for an administrator account through the normal lost-password form and then read the freshly generated reset link out of the log.
With that reset URL, the attacker sets a new administrator password, signs in to the WordPress dashboard with full control, and can take over the site outright. The bug removes any need for brute force or phishing; it hands the attacker the administrator account directly.
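An illustrative reconstruction of the bug class, added here as an example; it is not taken from the Post SMTP source, and the class, method, query-parameter and table names are hypothetical. It shows the shape of the defect (a constructor that serves log content on request with no capability check) beside a hardened form that moves rendering into an authenticated admin action guarded by a capability check and a nonce:

```php
<?php
/*
 * Illustrative reconstruction of the bug class described above. This is NOT
 * Post SMTP's code: class, method, parameter and table names are hypothetical.
 * It contrasts a constructor that serves stored email logs to any requester
 * with a version that only does so for authorized, nonce-protected requests.
 */

class Vulnerable_Email_Logs {
    public function __construct() {
        // The constructor runs on every request that instantiates the class,
        // so a query parameter alone is enough to trigger log output.
        if ( isset( $_GET['log_id'] ) ) {
            $this->render_log( absint( $_GET['log_id'] ) ); // no capability check
        }
    }

    protected function render_log( $log_id ) {
        global $wpdb;
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT subject, body FROM {$wpdb->prefix}email_log WHERE id = %d",
            $log_id
        ) );
        if ( $row ) {
            // The body of a logged password-reset mail contains the reset URL.
            echo esc_html( $row->subject ), "\n", esc_html( $row->body );
        }
        exit;
    }
}

class Hardened_Email_Logs {
    public function __construct() {
        // The constructor only registers a hook; it has no side effects.
        // admin_post_{action} fires only for authenticated users; the
        // unauthenticated variant (admin_post_nopriv_*) is deliberately not hooked.
        add_action( 'admin_post_view_email_log', array( $this, 'handle_view_log' ) );
    }

    public function handle_view_log() {
        // 1. Authorization: require the capability that the log viewer needs.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'You are not allowed to view email logs.', 403 );
        }
        // 2. CSRF protection: the request must carry a valid nonce for this action.
        //    A matching link is built with
        //    wp_nonce_url( admin_url( 'admin-post.php?action=view_email_log&log_id=42' ), 'view_email_log' ).
        check_admin_referer( 'view_email_log' );
        // 3. Validate the identifier before it reaches the database.
        $log_id = isset( $_GET['log_id'] ) ? absint( $_GET['log_id'] ) : 0;
        if ( 0 === $log_id ) {
            wp_die( 'Invalid log id.', 400 );
        }
        $this->render_log( $log_id );
    }

    protected function render_log( $log_id ) {
        global $wpdb;
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT subject, body FROM {$wpdb->prefix}email_log WHERE id = %d",
            $log_id
        ) );
        if ( $row ) {
            echo esc_html( $row->subject ), "\n", esc_html( $row->body );
        }
        exit;
    }
}
```

The point of the hardened form is where the check lives: a capability test inside a constructor that runs on every page load is fragile, so the rendering is moved into a handler that only runs for logged-in users and still verifies both the capability and the nonce before touching the database.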
Timeline: Discovery to Exploitation
Wordfence validated the exploit on October 15 and promptly notified the plugin’s developer, Saad Iqbal, the same day. A fix was issued with Post SMTP version 3.6.1 on October 29.
However, WordPress.org data shows that fewer than half of all installs have updated, leaving over 210,000 websites exposed. By November 1, Wordfence had observed active exploitation and blocked more than 4,500 attempts against vulnerable installations.
Given the scale and ease of exploitation, security researchers strongly advise users to immediately update to version 3.6.1 or temporarily disable the plugin until they can apply the patch.
Recurring Pattern of Flaws in Post SMTP
This is not the first time the plugin has come under scrutiny. In July 2025, Patchstack disclosed CVE-2025-24000, a broken access control bug that let users with only subscriber-level access read complete email messages.
That earlier vulnerability had the same consequences: intercepted password resets and unauthorized account takeover. Two high-impact flaws of the same kind within a few months point to a recurring weakness in how the plugin’s log-reading code paths check authorization.
Urgent Advisory for WordPress Administrators
With CVE-2025-11833 under active exploitation, WordPress site owners cannot afford to delay. Updating to the patched version is the only real fix; disabling the plugin is a stopgap until the update can be applied.
After patching, administrators should assume the logs may already have been read: invalidate any pending password reset links, rotate administrator passwords and terminate active sessions, audit administrator accounts for unexpected additions, and enable two-factor authentication (2FA) where possible. Ongoing monitoring of web-server logs and plugin file integrity helps catch a compromise early.
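The post-patch steps above as a WP-CLI script, added here as an example; it is not a Wordfence or Post SMTP tool. It assumes the plugin’s header Name contains "Post SMTP" (a hypothetical match string) and that 3.6.1 is the fixed release named in the advisory; everything else uses standard WordPress and WP-CLI APIs:

```php
<?php
/*
 * Added example: post-patch response script for a site that ran a vulnerable
 * Post SMTP build. Not a Wordfence or Post SMTP tool. Run from the site root:
 *     wp eval-file post-smtp-response.php
 * Assumptions: the plugin header Name contains "Post SMTP" (hypothetical
 * match string) and 3.6.1 is the fixed release named in the advisory.
 */

require_once ABSPATH . 'wp-admin/includes/plugin.php';

// 1. Confirm the installed version is no longer vulnerable.
$found = false;
foreach ( get_plugins() as $plugin_file => $meta ) {
    if ( false === stripos( $meta['Name'], 'Post SMTP' ) ) {
        continue;
    }
    $found = true;
    if ( version_compare( $meta['Version'], '3.6.1', '<' ) ) {
        WP_CLI::warning( "{$plugin_file} is {$meta['Version']}: still vulnerable, update first." );
    } else {
        WP_CLI::success( "{$plugin_file} is {$meta['Version']}: patched." );
    }
}
if ( ! $found ) {
    WP_CLI::log( 'Post SMTP is not installed.' );
}

// 2. Revoke pending password-reset links. WordPress keeps the reset key in
//    the user_activation_key column of the users table; clearing it makes
//    every outstanding reset URL (including one copied from the log) invalid.
global $wpdb;
$pending = (int) $wpdb->get_var(
    "SELECT COUNT(*) FROM {$wpdb->users} WHERE user_activation_key <> ''"
);
$wpdb->query( "UPDATE {$wpdb->users} SET user_activation_key = ''" );
WP_CLI::log( "Invalidated {$pending} pending password-reset key(s)." );

// 3. Terminate all sessions so a dashboard login obtained through a stolen
//    reset link does not survive the cleanup. Every user must sign in again.
WP_Session_Tokens::destroy_all_for_all_users();
WP_CLI::log( 'Destroyed all user sessions.' );

// 4. List administrator accounts, newest registration first. An unfamiliar
//    or recently created admin is the usual trace of a successful takeover.
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );
WP_CLI::log( sprintf( '%-20s %-32s %s', 'login', 'email', 'registered' ) );
foreach ( $admins as $admin ) {
    WP_CLI::log( sprintf( '%-20s %-32s %s', $admin->user_login, $admin->user_email, $admin->user_registered ) );
}
```

Run it once after the plugin is updated, then rotate administrator passwords by hand: clearing reset keys stops unused links from working, but it cannot undo a reset that an attacker already completed, which is why the session purge and the admin account review follow it.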
As WordPress remains the backbone of millions of websites worldwide, the Post SMTP incident underscores a familiar truth: even a single outdated plugin can become a gateway to total site compromise.
