Full Report
Threat actors are actively exploiting a critical vulnerability in the Post SMTP plugin, installed on more than 400,000 WordPress sites, to take complete control of sites by hijacking administrator accounts. [...]
Analysis Summary
# Vulnerability: Post SMTP Plugin Unauthenticated Account Takeover via Log Disclosure
## CVE Details
- CVE ID: CVE-2025-11833
- CVSS Score: 9.8 (Critical)
- CWE: CWE-862 Missing Authorization (inferred from the absent capability check on the log-rendering code path)
## Affected Systems
- Products: Post SMTP WordPress Plugin
- Versions: all versions up to and including 3.6.0
- Configurations: any WordPress site running an affected version of the plugin.
## Vulnerability Description
The vulnerability is in the `__construct` method of the plugin's `PostmanEmailLogs` class, which renders logged email content without an authorization (capability) check. An unauthenticated attacker can therefore request and read arbitrary logged emails. Because Post SMTP logs the messages it sends on the site's behalf, those logs include WordPress password-reset emails: an attacker can request a password reset for an administrator account, read the reset link out of the log, and use it to set a new password, gaining complete control of the site.
## Exploitation
- Status: Exploited in the wild (Active exploitation started November 1, 2025)
- Complexity: Low (no authentication or user interaction required, consistent with the mass exploitation attempts reported)
- Attack Vector: Network
## Impact
- Confidentiality: High (Exposure of sensitive information like password reset links)
- Integrity: High (Enables unauthorized modification of user accounts, leading to full site compromise)
- Availability: High (Site takeover results in complete loss of control)
## Remediation
### Patches
- Upgrade Post SMTP to version **3.6.1** or later.
### Workarounds
- Immediately disable the Post SMTP plugin until patching can be completed. Note that Post SMTP is the site's outbound mailer, so disabling it stops email delivery through the plugin until it is re-enabled.
- If the site may already have been targeted, treat the contents of the email log as disclosed: review administrator accounts for unexpected changes and reset their passwords, which also invalidates any outstanding password-reset links.
## Detection
- **Indicators of Compromise (IOCs):** Monitor for unusual administrative account activity, password resets for administrator accounts that no administrator requested, and, where a WAF or security plugin logs it, unauthenticated requests to the plugin's email log functionality.
- **Detection Methods and Tools:** Use security scanners or WAFs configured to flag requests to the email-log endpoints that carry no valid session, and correlate them with password-reset requests from the same source.
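The correlation described above, written out as an added example (this is not code from the advisory, from Wordfence, or from the Post SMTP project). It scans web-server access-log lines for the two-step pattern the attack implies: a password-reset request to WordPress's real `wp-login.php?action=lostpassword` endpoint, followed within a short window by an unauthenticated read of the email-log viewer from the same source. The request signature for the vulnerable `PostmanEmailLogs` path is not reproduced here, so `LOG_VIEW_PATTERN` is a placeholder that must be replaced with the signature from your WAF vendor or your own plugin review; the log lines are constructed sample data, and the trailing cookie field assumes an Apache-style `%{Cookie}i` extension to the combined log format.

```python
"""Added detection example: correlate password-reset requests with
unauthenticated email-log reads in web-server access logs.

Assumptions (not from the advisory):
  - LOG_VIEW_PATTERN is a placeholder for the real request signature.
  - Lines are combined log format plus an optional trailing quoted
    Cookie field (Apache: LogFormat "... \"%{Cookie}i\"").
  - SAMPLE_LOG below is constructed, not captured traffic.
"""
import re
from datetime import datetime, timedelta

# Combined log format with an optional trailing "cookie" field.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: "(?P<cookie>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Real WordPress auth-cookie prefix; its absence means no logged-in session.
LOGGED_IN_COOKIE = "wordpress_logged_in_"
# Real WordPress endpoint used to request a password reset.
LOSTPASSWORD_RE = re.compile(r"^/wp-login\.php\?(?:.*&)?action=lostpassword(?:&|$)")
# PLACEHOLDER (assumption): replace with the actual email-log viewer signature.
LOG_VIEW_PATTERN = re.compile(r"EMAIL_LOG_VIEW_PLACEHOLDER=")
# How long after a reset request a log read still counts as the same attack.
WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_unauthenticated(rec):
    """True when the request carried no WordPress login cookie.

    If cookies are not logged at all, every request is treated as
    unauthenticated, which errs on the side of reporting."""
    return LOGGED_IN_COOKIE not in (rec.get("cookie") or "")


def find_suspicious(lines, log_view_pattern=LOG_VIEW_PATTERN, window=WINDOW):
    """Return findings for unauthenticated email-log reads.

    A read preceded within `window` by a lostpassword request from the same
    IP is reported as "reset_then_log_read"; any other unauthenticated read
    is reported as "unauthenticated_log_read". `served` records whether the
    server answered 200 (likely disclosure) rather than blocking the request."""
    findings = []
    last_reset = {}  # ip -> timestamp of its most recent lostpassword request
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and LOSTPASSWORD_RE.search(rec["target"]):
            last_reset[rec["ip"]] = rec["ts"]
            continue
        if not log_view_pattern.search(rec["target"]) or not is_unauthenticated(rec):
            continue
        finding = {
            "ip": rec["ip"],
            "ts": rec["ts"].isoformat(),
            "target": rec["target"],
            "served": rec["status"] == 200,
            "kind": "unauthenticated_log_read",
        }
        reset_ts = last_reset.get(rec["ip"])
        if reset_ts is not None and timedelta(0) <= rec["ts"] - reset_ts <= window:
            finding["kind"] = "reset_then_log_read"
            finding["seconds_after_reset"] = int((rec["ts"] - reset_ts).total_seconds())
        findings.append(finding)
    return findings


# Constructed sample: one reset-then-read sequence, one legitimate admin view,
# one unauthenticated read with no preceding reset.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2025:10:02:11 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [01/Nov/2025:10:02:40 +0000] "GET /?EMAIL_LOG_VIEW_PLACEHOLDER=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0" "-"
198.51.100.9 - - [01/Nov/2025:10:05:02 +0000] "GET /?EMAIL_LOG_VIEW_PLACEHOLDER=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0" "wordpress_logged_in_abc=admin%7C1762000000%7Cx"
192.0.2.33 - - [01/Nov/2025:10:09:00 +0000] "GET /?EMAIL_LOG_VIEW_PLACEHOLDER=13 HTTP/1.1" 403 199 "-" "curl/8.0" "-"
"""

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f)
```

Running it on the sample reports the first source as `reset_then_log_read` 29 seconds after its reset request, skips the logged-in administrator's view, and reports the third source as an `unauthenticated_log_read` that was blocked (`served` is false). The reset-then-read pairing is the signal worth paging on; a lone unauthenticated read is still worth recording, since the plugin flaw does not require the attacker to trigger the reset from the same address.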
## References
- Vendor Advisory: Patch released in Post SMTP version 3.6.1 (Date: October 29, 2025)
- Research Detail: hxxps://www.wordfence.com/blog/2025/11/400000-wordpress-sites-affected-by-account-takeover-vulnerability-in-post-smtp-wordpress-plugin/
- Related Flaw Note: CVE-2025-24000 (an earlier email-log access-control flaw in the same plugin with the same account-takeover consequence)