WordPress SMTP Plugin Vulnerability Exposes 400,000 WordPress Sites to Account Takeover

Over 4,500 exploitation attempts already blocked as attackers target critical flaw allowing password reset hijacking
A severe security vulnerability in the Post SMTP WordPress plugin has left more than 400,000 websites exposed to potential account takeover attacks. The flaw, discovered in mid-October 2025, allows unauthenticated attackers to access password reset emails and gain administrative control of vulnerable sites.

Disclosed through Wordfence’s bounty program by a security engineer, the vulnerability affects Post SMTP, a popular plugin used to improve WordPress email delivery through SMTP configuration and email logging. The flaw, tracked as CVE-2025-11833 and rated critical with a CVSS score of 9.8, exists in Post SMTP versions 3.6.0 and earlier. According to Wordfence, attackers began actively exploiting it as early as November 1, 2025, and its firewall has already blocked more than 4,500 attack attempts.

The flaw is a missing authorization check in the plugin’s email logging feature. The constructor of the PostmanEmailLogs class performs no capability check before rendering stored messages, so any visitor, authenticated or not, can read logged emails by requesting the log view with the right URL parameters. Because the log stores full message bodies, it also stores the password reset links that WordPress emails to users.

An attack chain could include:

  • Attacker triggers a password reset for any user account on the target site, including administrator accounts
  • WordPress sends a password reset email containing a secure reset link
  • Attacker accesses the email log without authentication through the vulnerable plugin
  • Attacker retrieves the password reset link from the logged email
  • Attacker uses the link to reset the password and gain complete account access
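The following is an added illustration of the bug class behind CVE-2025-11833 and of the attack chain above; it is not the Post SMTP plugin’s code or Wordfence’s proof of concept. It models an email-log viewer whose constructor renders a logged message without a capability check, beside a hardened version that requires an administrator capability and a nonce. The class names, the `view`/`log_id` parameters, the in-memory log and the stand-in capability function are all hypothetical; the logged reset email is constructed sample data.

```php
<?php
// Added illustrative example, not Post SMTP's code. Models the missing
// capability check in an email-log viewer and shows why a logged password
// reset email hands an unauthenticated visitor the reset link.
declare(strict_types=1);

// Stand-in for WordPress's current_user_can(): true only when the session holds the capability.
// In real WordPress you would call current_user_can('manage_options') instead.
function stand_in_current_user_can(?array $session, string $cap): bool
{
    return $session !== null && in_array($cap, $session['caps'], true);
}

// Constructed sample log entry: what an SMTP-logging plugin stores after
// WordPress sends a password reset email (body abbreviated).
const SAMPLE_LOG = [
    42 => [
        'to'      => 'admin@example.test',
        'subject' => '[Example Site] Password Reset',
        'body'    => "Visit the following address to reset your password:\n"
                   . "https://example.test/wp-login.php?action=rp&key=abc123def456&login=admin\n",
    ],
];

// Vulnerable pattern (hypothetical): the constructor honours ?view=log&log_id=N
// for anyone who reaches the page. No capability check, no nonce.
class VulnerableEmailLogViewer
{
    public ?string $output = null;

    public function __construct(array $request, array $log, ?array $session)
    {
        if (($request['view'] ?? '') === 'log') {
            $id = (int) ($request['log_id'] ?? 0);
            $this->output = $log[$id]['body'] ?? null;
        }
    }
}

// Hardened pattern: refuse unless the caller holds the capability and the
// request carries a valid nonce (the nonce check is modelled as a token match;
// in WordPress use check_admin_referer() / wp_verify_nonce()).
class HardenedEmailLogViewer
{
    public ?string $output = null;

    public function __construct(array $request, array $log, ?array $session)
    {
        if (($request['view'] ?? '') !== 'log') {
            return;
        }
        if (!stand_in_current_user_can($session, 'manage_options')) {
            return; // in WordPress: wp_die('Forbidden', 403)
        }
        if (($request['_wpnonce'] ?? '') !== ($session['nonce'] ?? null)) {
            return;
        }
        $id = (int) ($request['log_id'] ?? 0);
        $this->output = $log[$id]['body'] ?? null;
    }
}

// What the attacker is after: the reset link inside the logged message body.
function extract_reset_link(?string $body): ?string
{
    if ($body === null) {
        return null;
    }
    return preg_match('~https?://\S+wp-login\.php\?action=rp&\S+~', $body, $m) ? $m[0] : null;
}

// Step 3-4 of the chain: an unauthenticated request for the logged reset email.
$attackerRequest = ['view' => 'log', 'log_id' => '42'];
$noSession = null;

$v = new VulnerableEmailLogViewer($attackerRequest, SAMPLE_LOG, $noSession);
echo "vulnerable, no session:      ", extract_reset_link($v->output) ?? 'denied', "\n";

$h = new HardenedEmailLogViewer($attackerRequest, SAMPLE_LOG, $noSession);
echo "hardened, no session:        ", extract_reset_link($h->output) ?? 'denied', "\n";

$adminSession = ['caps' => ['manage_options'], 'nonce' => 'n0nce'];
$h2 = new HardenedEmailLogViewer($attackerRequest + ['_wpnonce' => 'n0nce'], SAMPLE_LOG, $adminSession);
echo "hardened, admin with nonce:  ", extract_reset_link($h2->output) ?? 'denied', "\n";
```

Run with `php viewer.php`. The vulnerable viewer returns the reset URL to a caller with no session at all; the hardened viewer returns it only to an administrator presenting a valid nonce. The point to carry over to any plugin that logs outbound mail is that the log is as sensitive as the most sensitive message it may contain, so the read path needs the same authorization as the settings page that enables it.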

Once an attacker obtains administrative access, they can upload malicious plugins or themes, modify website content, redirect visitors to malicious sites, or install backdoors for persistent access.

If you’re running a WordPress site with Post SMTP installed:

Update to Post SMTP version 3.6.1 or later through your WordPress dashboard as soon as possible.

After updating, review your site’s user accounts for suspicious activity or unauthorized administrator accounts, and check for recently modified files, especially in your plugins and themes directories. If your web server access logs cover the exposure window, look for unauthenticated requests to the plugin’s email log view. Treat any password reset email that sat in the log during that window as potentially read: reset the passwords of the affected accounts, invalidate their sessions, and consider purging the log or disabling email logging if you do not need it.
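The post-update checks above, as an added example that is not Post SMTP’s or Wordfence’s code. The helpers are plain PHP over data arrays so the script runs stand-alone on the constructed sample data; when executed inside WordPress (for instance with `wp eval-file audit.php` from WP-CLI) it pulls the installed plugin version, administrator accounts and file modification times from the real site instead. The review window start is an assumption taken from the November 1, 2025 exploitation date; the user names and paths in the sample data are invented.

```php
<?php
// Added example, not the plugin's code. Encodes the post-update review:
// is the installed version still in the affected range, which administrator
// accounts appeared during the window, which plugin/theme files changed.
declare(strict_types=1);

const FIXED_VERSION = '3.6.1';
// Assumed window start: Wordfence reports exploitation from 1 November 2025.
const WINDOW_START = '2025-11-01 00:00:00';

// True when the installed Post SMTP version is in the affected range (<= 3.6.0).
function post_smtp_is_vulnerable(string $installed): bool
{
    return version_compare($installed, FIXED_VERSION, '<');
}

// Administrator accounts registered on or after $since.
// $users: list of ['user_login' => ..., 'user_registered' => 'Y-m-d H:i:s'].
function admins_registered_since(array $users, string $since): array
{
    $cut = strtotime($since);
    return array_values(array_filter(
        $users,
        fn(array $u): bool => strtotime($u['user_registered']) >= $cut
    ));
}

// Files whose modification time falls on or after $since.
// $files: list of ['path' => ..., 'mtime' => unix timestamp].
function files_modified_since(array $files, string $since): array
{
    $cut = strtotime($since);
    return array_values(array_filter($files, fn(array $f): bool => $f['mtime'] >= $cut));
}

// Constructed sample data used when the script runs outside WordPress.
$sampleUsers = [
    ['user_login' => 'admin',      'user_registered' => '2023-05-02 10:00:00'],
    ['user_login' => 'wp_supp0rt', 'user_registered' => '2025-11-03 04:12:31'],
];
$sampleFiles = [
    ['path' => 'wp-content/plugins/example-plugin/example.php', 'mtime' => strtotime('2025-11-03 04:15:02')],
    ['path' => 'wp-content/themes/example-theme/functions.php', 'mtime' => strtotime('2025-06-20 08:00:00')],
];

if (defined('ABSPATH')) {
    // Inside WordPress: read the real installation.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $version = null;
    foreach (get_plugins() as $pluginFile => $data) {
        if (strpos($pluginFile, 'post-smtp/') === 0) {
            $version = $data['Version'];
        }
    }
    $users = array_map(
        fn($u): array => ['user_login' => $u->user_login, 'user_registered' => $u->user_registered],
        get_users(['role' => 'administrator'])
    );
    $files = [];
    foreach ([WP_PLUGIN_DIR, get_theme_root()] as $root) {
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
        );
        foreach ($it as $f) {
            $files[] = ['path' => $f->getPathname(), 'mtime' => $f->getMTime()];
        }
    }
} else {
    $version = '3.6.0';
    $users   = $sampleUsers;
    $files   = $sampleFiles;
}

printf("Post SMTP %s: %s\n", $version ?? 'not installed',
    $version === null ? 'n/a' : (post_smtp_is_vulnerable($version) ? 'VULNERABLE, update now' : 'patched'));
foreach (admins_registered_since($users, WINDOW_START) as $u) {
    printf("admin registered in window: %s (%s)\n", $u['user_login'], $u['user_registered']);
}
foreach (files_modified_since($files, WINDOW_START) as $f) {
    printf("file modified in window:    %s (%s)\n", $f['path'], date('Y-m-d H:i:s', $f['mtime']));
}
```

Two caveats a reviewer should keep in mind: a legitimate plugin update also touches files inside the window, so compare the flagged paths against what the update should have changed; and an attacker with administrator access can backdate file timestamps, so an empty modified-files list is not proof of a clean site. The version check only tells you the exposure has been closed, not that it was never used.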

Defense in depth also helps: run a web application firewall such as the Wordfence security plugin, enable two-factor authentication for administrator accounts so that a reset password alone is not enough to log in, and regularly review and update the plugins, themes and services your site depends on. The broader lesson is that any feature that stores sensitive data, an email log holding reset links included, needs its own robust access controls, and a plugin’s popularity is no guarantee that it is free of security flaws.

For more technical details about this vulnerability, including the code analysis, see Wordfence’s advisory.


Modernizing Tech