Get Started
CVE July 10, 2026 5 min read

CVE-2025-11833: Unauthenticated Account Takeover in Post SMTP Plugin Actively Exploited (400,000+ Sites, CVSS 9.8)

A critical missing-authorization flaw (CVE-2025-11833, CVSS 9.8) in the Post SMTP plugin lets unauthenticated attackers read logged emails - including password reset links - and hijack admin accounts on 400,000+ WordPress sites. The bug is being actively exploited; update to version 3.6.1 immediately.

A critical vulnerability in one of WordPress’s most popular email plugins is being actively exploited to hijack administrator accounts. Tracked as CVE-2025-11833, the flaw affects the Post SMTP plugin, which is installed on more than 400,000 WordPress sites. Because the vulnerability requires no login and no user interaction, and because working attacks are already circulating, this is one of the more urgent WordPress issues of late 2025. If you run Post SMTP, updating to version 3.6.1 or later should be treated as an emergency task.

In this post we break down exactly what the vulnerability is, how attackers turn a “read my email logs” bug into a full site takeover, how to tell whether your site is exposed, and the steps to fix and harden it.

CVE Details at a Glance

  • CVE ID: CVE-2025-11833
  • Plugin: Post SMTP (also listed as “Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App”)
  • Active installations: 400,000+
  • Vulnerability type: Missing Authorization / Broken Access Control (CWE-862)
  • CVSS 3.1 score: 9.8 (Critical) — vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Authentication required: None (unauthenticated)
  • Affected versions: All versions up to and including 3.6.0
  • Patched version: 3.6.1 (released October 29, 2025)
  • Discovered by: Researcher “netranger”, reported through Wordfence

A CVSS score of 9.8 sits at the very top of the severity scale. The reason is the combination of factors in the vector: the attack can be launched over the network (AV:N), it is low complexity (AC:L), it needs no privileges (PR:N) and no user interaction (UI:N), and it fully compromises confidentiality, integrity, and availability (C:H/I:H/A:H). In plain terms: anyone on the internet can run it, and if it succeeds they own your site.

What Post SMTP Does

WordPress’s built-in email function is notoriously unreliable — messages frequently land in spam or never arrive. Post SMTP solves this by routing your site’s outgoing mail through a proper SMTP service or API. As part of that job it keeps an email log: a record of every message the site sends, including the full body of each email. That logging feature is convenient for troubleshooting delivery problems, but it also means the plugin stores a copy of sensitive messages — including password reset emails — in your database.

How the Vulnerability Works

The flaw comes down to a missing permission check. In vulnerable versions, the code that handles email log data (in the PostmanEmailLogs component) failed to verify who was making the request. Specifically, the __construct function that wires up the log-viewing functionality did not include a capability check to confirm the requester was an authorized administrator.

Normally, viewing email logs is an admin-only feature. But because the authorization check was absent, an unauthenticated visitor — someone with no account on the site at all — could reach the log functionality and read the contents of logged emails. This is a textbook example of what security professionals call Broken Access Control: the feature exists and is meant to be restricted, but the code never actually enforces the restriction.

On its own, “an attacker can read your email logs” already sounds bad. What makes it catastrophic is the chain that follows.

From Email Logs to Full Admin Takeover

Here is the attack sequence that turns a data-disclosure bug into a complete compromise:

  1. The attacker goes to the WordPress login page and clicks “Lost your password?”, entering the administrator’s username or email address (often admin, or a name that is easy to enumerate).
  2. WordPress generates a password reset email containing a one-time reset link and sends it to the administrator. Because Post SMTP is handling mail, a full copy of that email — reset link included — is written to the plugin’s email log.
  3. The attacker exploits CVE-2025-11833 to read the email log without logging in, and pulls the password reset link straight out of the logged message.
  4. The attacker opens the reset link, sets a new password for the administrator account, and logs in as a full admin.

At that point the attacker has the keys to the entire site. All they needed was the site’s URL. No credentials, no phishing, no social engineering — just a reset request and a peek at the logs.

Real-World Impact

This is not a theoretical risk. According to Wordfence telemetry, exploitation attempts began appearing around November 1, 2025, within days of the vulnerability becoming public, and thousands of attacks were blocked across protected sites in the first week alone. CISA’s own assessment flagged the flaw as “automatable” with “total” technical impact — meaning it is well suited to mass, scripted attacks against every exposed site at once.

Once an attacker holds an administrator account, the damage they can do is effectively unlimited. They can install malicious plugins or themes to plant a persistent backdoor, inject spam or SEO redirect code, add rogue admin users so they keep access even after you change passwords, steal customer and order data from WooCommerce stores, deface the site, or use it as a launchpad to attack your visitors. Recovering from a full compromise is far more expensive and stressful than applying an update.

How to Check If You’re Affected

  • Log in to your WordPress dashboard and go to Plugins > Installed Plugins.
  • Look for Post SMTP in the list. If it is not installed, you are not affected by this specific vulnerability.
  • If it is installed, check the version number shown beneath the plugin name. Any version 3.6.0 or lower is vulnerable.
  • Version 3.6.1 or higher contains the fix.

If you have been running a vulnerable version while exposed to the internet, treat the site as potentially compromised. Review your user list under Users > All Users for any administrator account you do not recognize, and check for unexpected plugins or recently modified files.

How to Fix It

  1. Update immediately. Go to Plugins > Installed Plugins, find Post SMTP, and click “Update now” to move to version 3.6.1 or later. If you can, take a quick backup first, but do not let backup logistics delay the update.
  2. If you cannot update right away, deactivate the plugin. An inactive plugin cannot serve the vulnerable functionality. You can re-enable it after updating.
  3. Rotate credentials. After patching, change the passwords for all administrator accounts, and consider forcing a password reset for other privileged users.
  4. Audit your users and email logs. Remove any unfamiliar admin accounts and clear old email logs that may contain sensitive reset links.

A few extra hardening steps reduce your exposure to this whole class of bug: enable auto-updates for plugins so critical patches land without you watching the clock; add two-factor authentication so a stolen password alone is not enough to log in; and run a firewall or security plugin that can virtually patch known vulnerabilities and block exploit attempts before they reach the flawed code.

The Takeaway

CVE-2025-11833 is a reminder that a “minor” information leak is rarely minor. A missing one-line permission check let unauthenticated attackers read email logs, and email logs contained the exact ingredient — a password reset link — needed to take over the site. The plugin was doing its job well; it simply forgot to ask “are you allowed to see this?”

The defensive lesson is the same one that protects against most WordPress incidents: keep everything updated, minimize the plugins you run, use strong authentication, and layer on monitoring so that when a critical flaw like this appears, you find out and act before an attacker does. Update Post SMTP to 3.6.1 today, and make timely patching a habit rather than an emergency.

Related Articles