Unauthorized Data Access in Post SMTP Plugin for WordPress
CVE-2025-11833
Key Information:
- Vendor: WordPress
- CVE Published: 1 November 2025
What is CVE-2025-11833?
The Post SMTP plugin for WordPress is vulnerable to unauthorized data access because of a missing capability check in its `__construct` function. In all versions up to and including 3.6.0, the plugin's email-log access path runs without verifying that the requester has an administrative capability, so unauthenticated attackers can read any logged email. Because password reset emails are among the messages logged, an attacker can recover a reset link, reset an administrator's password, and take over the account and the site.
Affected Version(s)
Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App: all versions up to and including 3.6.0
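The bug class behind this CVE in plain form, as an added example that is not Post SMTP's own code: a plugin whose constructor answers a GET request with email-log contents before anyone has checked who is making the request, beside a hardened version where the constructor only registers a hook and the handler enforces a capability check and a nonce. Class names, the `example_view_log` action, the `example_email_log` table and the query parameters are assumptions made for this illustration.

```php
<?php
// Illustrative example, not Post SMTP's code. Names below are assumptions.

// --- Vulnerable pattern: real work in __construct, no capability check ---
class Example_Email_Log_Viewer_Vulnerable {
    public function __construct() {
        // Runs on every request that loads the plugin, logged in or not.
        // Nothing here asks WordPress whether the caller may read logs.
        if ( isset( $_GET['example_view_log'] ) ) {
            $this->output_log( absint( $_GET['example_view_log'] ) );
        }
    }

    protected function output_log( $id ) {
        global $wpdb;
        // Assumed log table for the demonstration.
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT subject, body FROM {$wpdb->prefix}example_email_log WHERE id = %d",
            $id
        ) );
        // A logged password-reset email (reset link included) goes to anyone.
        wp_send_json( $row );
    }
}

// --- Hardened pattern: constructor only wires hooks; the handler authorizes ---
class Example_Email_Log_Viewer_Hardened {
    public function __construct() {
        // admin_post_{action} only fires for logged-in users; the nopriv variant
        // is deliberately not registered, so anonymous requests never reach it.
        add_action( 'admin_post_example_view_log', array( $this, 'handle_view_log' ) );
    }

    public function handle_view_log() {
        // 1. Authorization: only users who can manage the site may read logs.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
        }
        // 2. CSRF protection: the request must carry a valid nonce for this action.
        check_admin_referer( 'example_view_log' );

        $id = isset( $_GET['log_id'] ) ? absint( $_GET['log_id'] ) : 0;
        if ( ! $id ) {
            wp_die( esc_html__( 'Missing log id.', 'example' ), '', array( 'response' => 400 ) );
        }
        $this->output_log( $id );
    }

    protected function output_log( $id ) {
        global $wpdb;
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT subject, body FROM {$wpdb->prefix}example_email_log WHERE id = %d",
            $id
        ) );
        wp_send_json( $row );
    }
}

new Example_Email_Log_Viewer_Hardened();
```

The point of the hardened version is where the checks live: a constructor runs whenever the plugin is loaded, so any request handling placed there inherits no authentication at all. Moving the work into a hook handler and gating it with `current_user_can()` plus `check_admin_referer()` is the standard WordPress way to make log access require both an administrator session and an intentional request.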
News Articles
Site Takeover Flaw Affects 400K WordPress Sites
Attackers are already targeting a vulnerability in the Post SMTP plug-in that allows them to fully compromise an account and website.
Hackers exploit WordPress plugin Post SMTP to hijack admin accounts
Threat actors are actively exploiting a critical vulnerability in the Post SMTP plugin installed on more than 400,000 WordPress sites, to take complete control by hijacking administrator accounts.
Timeline
- Used in ransomware
- Exploit known to exist
- First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability reserved