Full Report
A critical vulnerability has been discovered in the Post SMTP WordPress plugin, affecting over 400,000 active installations across the web. The vulnerability, identified as CVE-2025-11833 with a CVSS score of 9.8, allows unauthenticated attackers to access sensitive email logs and execute account takeover attacks on vulnerable WordPress sites. Researchers have already documented over 4,500 exploitation […] The post Critical WordPress Post SMTP Plugin Vulnerability Puts 400,000 Sites at Risk of Account Takeover appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Analysis Summary
# Vulnerability: Critical Authorization Bypass in Post SMTP WordPress Plugin Leading to Account Takeover
## CVE Details
- CVE ID: CVE-2025-11833
- CVSS Score: 9.8 (Critical)
- CWE: Missing Authorization (Inferred from description of missing capability check)
## Affected Systems
- Products: Post SMTP WordPress Plugin
- Versions: 3.6.0 and earlier
- Configurations: Standard WordPress installations utilizing the Post SMTP plugin.
## Vulnerability Description
The vulnerability resides in the `PostmanEmailLogs` class constructor within the Post SMTP plugin. It suffers from a critical missing capability check. This flaw allows unauthenticated attackers to bypass authorization checks and directly access the plugin's email logging functionality simply by navigating to the appropriate URLs. By accessing these logs, an attacker can intercept sensitive information, notably email content such as password reset links sent to administrator accounts, which can then be immediately used to execute a full account takeover.
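The advisory names the defect (a constructor that wires up the log viewer without a capability check) but does not show code. The following is an added illustration written for this page, not code from Post SMTP or from Wordfence: a hypothetical `Example_Email_Logs` class whose constructor registers a request handler, first in the vulnerable shape (the handler renders a log entry for any visitor who knows the URL) and then gated the way a WordPress plugin should gate privileged reads. Class names, hook choice, the `view_email_log` parameter and the nonce action string are assumptions; the WordPress functions used (`add_action`, `current_user_can`, `wp_verify_nonce`, `wp_die`, `absint`, `wp_unslash`, `sanitize_text_field`) are real core APIs.

```php
<?php
// Added example, not the plugin's own code. Hypothetical class and hook names;
// the WordPress core functions called are real.

// BEFORE: the constructor hooks a handler that dumps a log entry to anyone who asks.
// There is no capability check and no nonce, which is the class of bug the advisory describes.
class Example_Email_Logs_Vulnerable {
    public function __construct() {
        add_action( 'init', array( $this, 'maybe_render_log' ) );
    }

    public function maybe_render_log() {
        if ( ! isset( $_GET['view_email_log'] ) ) {
            return;
        }
        // Anyone, logged in or not, reaches this line simply by requesting the URL.
        echo $this->render_log( absint( $_GET['view_email_log'] ) );
        exit;
    }

    protected function render_log( $id ) {
        // Constructed sample entry standing in for a real log row; a password-reset
        // mail is exactly the kind of content the advisory says leaks.
        $sample = array( 1 => array( 'to' => 'admin@example.test', 'subject' => 'Password reset' ) );
        return isset( $sample[ $id ] ) ? wp_json_encode( $sample[ $id ] ) : '{}';
    }
}

// AFTER: identical feature, but the handler enforces authorization and CSRF protection.
class Example_Email_Logs_Fixed {
    public function __construct() {
        // Note: admin_init also fires for unauthenticated admin-ajax.php requests, so
        // the hook choice is not a control by itself; the checks in the handler are.
        add_action( 'admin_init', array( $this, 'maybe_render_log' ) );
    }

    public function maybe_render_log() {
        if ( ! isset( $_GET['view_email_log'] ) ) {
            return;
        }
        // Authorization: only users allowed to manage the site may read mail logs.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You are not allowed to view email logs.' ), '', array( 'response' => 403 ) );
        }
        // CSRF protection: the link must carry a nonce minted for this specific action.
        $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
        if ( ! wp_verify_nonce( $nonce, 'example_view_email_log' ) ) {
            wp_die( esc_html__( 'Invalid request.' ), '', array( 'response' => 403 ) );
        }
        echo $this->render_log( absint( $_GET['view_email_log'] ) );
        exit;
    }

    protected function render_log( $id ) {
        $sample = array( 1 => array( 'to' => 'admin@example.test', 'subject' => 'Password reset' ) );
        return isset( $sample[ $id ] ) ? wp_json_encode( $sample[ $id ] ) : '{}';
    }
}
```

The point of the contrast is where the control lives: moving the handler to a different hook does not stop an unauthenticated request from reaching it, whereas `current_user_can()` evaluated at the top of the handler does, and the nonce ensures a logged-in administrator cannot be tricked into triggering the read through a crafted link. When auditing a plugin for this bug class, look for every code path that reads from a log or settings table and confirm a capability check sits on that path, not merely on the menu page that links to it.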
## Exploitation
- Status: Exploited in the wild (over 4,500 exploitation attempts documented since Nov 1, 2025)
- Complexity: Low (Unauthenticated, direct URL access)
- Attack Vector: Network
## Impact
- Confidentiality: High (Exposure of sensitive email logs, including password reset links)
- Integrity: High (Ability to execute account takeover, leading to full site manipulation)
- Availability: Medium (Potential for disruption following successful compromise)
## Remediation
### Patches
- **Post SMTP version 3.6.1** and later addresses the authorization bypass by implementing the necessary capability checks. Site administrators must update immediately.
### Workarounds
1. **Immediate Patching:** Because the vulnerability is actively exploited, updating to 3.6.1 or newer is the primary remedy; it should be applied manually where no automated security solution is in place to stop exploitation in the meantime.
2. **Web Application Firewall (WAF):** Users without immediate update capability should ensure their WAF is configured to block suspicious requests targeting the plugin's log endpoints (Note: Wordfence implemented specific rules on Oct 15th, 2025, for paying customers).
## Detection
- **Indicators of Compromise (IOCs):** Look for anomalous requests to the Post SMTP email log endpoints that carry no authenticated WordPress session, particularly from external IP addresses not associated with site administrators.
- **Detection Methods and Tools:** Use security monitoring (WAF, IDS, or review of web server access logs) to flag access patterns indicative of log enumeration or traversal attempts against the plugin's log functionality path.
## References
- Wordfence Blog Advisory: hXXps://www.wordfence.com/blog/2025/11/400000-wordpress-sites-affected-by-account-takeover-vulnerability-in-post-smtp-wordpress-plugin/