A critical security flaw in the WordPress Post SMTP plugin has left more than 400,000 websites vulnerable to account takeover attacks.
The vulnerability, identified as CVE-2025-11833, allows unauthenticated attackers to access email logs containing sensitive password reset information, potentially compromising administrator accounts and entire websites.
The flaw stems from a missing authorization check in the plugin's core functionality, allowing threat actors to read logged email data without any authentication credentials.
The Post SMTP plugin, designed to replace WordPress's default PHP mail function with SMTP mailers, includes an email logging feature that inadvertently exposes critical security information.
Since November 1, 2025, attackers have actively targeted this vulnerability, with over 4,500 exploitation attempts already blocked by security systems.
The widespread use of this plugin across hundreds of thousands of WordPress installations has created a significant attack surface for cybercriminals seeking unauthorized access to websites.
Wordfence researchers identified the vulnerability through their Bug Bounty Program on October 11, 2025, just one day after its introduction.
Security researcher netranger discovered and responsibly reported the flaw, earning a bounty of $7,800 for the critical finding.
The WP Experts development team responded swiftly to the disclosure, releasing patched version 3.6.1 on October 29, 2025, to close the security hole affecting all versions up to and including 3.6.0.
The vulnerability carries a CVSS score of 9.8, placing it in the critical severity class. Site administrators should immediately update to version 3.6.1 to protect their installations from ongoing exploitation attempts.
Wordfence Premium users received firewall protection on October 15, 2025, while free version users will receive the same safeguards on November 14, 2025.
Technical Exploitation Mechanism
The vulnerability resides in the PostmanEmailLogs class constructor, which displays logged email messages without performing a capability check in the __construct function.
Attackers can exploit this weakness by manipulating URL parameters to access arbitrary email logs through the plugin's interface.
Vulnerability Details:
CVE ID: CVE-2025-11833
CVSS Score: 9.8 (Critical)
Vulnerability Type: Missing Authorization to Account Takeover via Unauthenticated Email Log Disclosure
Affected Plugin: Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App
Affected Versions: All versions up to and including 3.6.0
Patched Version: 3.6.1
Active Installations: 400,000+
Discovery Date: October 11, 2025
Patch Release Date: October 29, 2025
Researcher: netranger (Wordfence Bug Bounty Program)
Bounty Awarded: $7,800.00
Exploitation Status: Active (4,500+ attacks blocked as of November 1, 2025)
The vulnerable code accepts GET requests with specific parameters, including page, view, and log_id, allowing unauthorized users to retrieve stored email content directly from the database.
public function __construct() {
    global $wpdb;
    $this->db = $wpdb;
    $this->logger = new PostmanLogger( get_class( $this ) );

    // Render message body in iframe.
    // Vulnerable: the log is fetched and echoed on the strength of the GET
    // parameters alone; no current_user_can() / capability check is made first.
    if(
        isset( $_GET['page'] ) && $_GET['page'] == 'postman_email_log'
        &&
        isset( $_GET['view'] ) && $_GET['view'] == 'log'
        &&
        isset( $_GET['log_id'] ) && !empty( $_GET['log_id'] )
    ) {
        $id = sanitize_text_field( $_GET['log_id'] );
        $email_query_log = new PostmanEmailQueryLog();
        $log = $email_query_log->get_log( $id, '' );
        echo ( isset ( $header ) && strpos( $header, "text/html" ) );
        die;
    }
}
The exploitation process involves attackers triggering password reset requests for administrator accounts, then accessing the logged reset emails containing password reset links through the unprotected interface.
This two-step attack vector enables complete website takeover, granting malicious actors full administrative privileges to upload backdoors, modify content, and redirect users to malicious destinations.
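Detection logic for the two-step pattern described above, as an added example that is not part of the original article or of the plugin's code: it scans web-server access-log lines (constructed samples in combined log format; the WordPress paths and the 10-minute correlation window are assumptions) for requests carrying the page=postman_email_log, view=log and log_id parameters, and raises the severity when the same client sent a password-reset request shortly before.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (combined log format). The request path is not
# significant: the vulnerable constructor inspects $_GET on any request, so
# only the query-string parameters are matched.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2025:10:14:02 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "curl/8.4"
203.0.113.7 - - [01/Nov/2025:10:14:09 +0000] "GET /wp-admin/admin.php?page=postman_email_log&view=log&log_id=41 HTTP/1.1" 200 2811 "-" "curl/8.4"
198.51.100.9 - - [01/Nov/2025:10:20:30 +0000] "GET /wp-admin/admin.php?page=postman_email_log HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [01/Nov/2025:11:02:11 +0000] "GET /?page=postman_email_log&view=log&log_id=1 HTTP/1.1" 200 1502 "-" "python-requests/2.32"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": parts.path, "qs": parse_qs(parts.query),
            "status": int(status)}

def is_log_view(req):
    """True when all three parameters the vulnerable branch requires are present."""
    qs = req["qs"]
    return (qs.get("page") == ["postman_email_log"] and qs.get("view") == ["log"]
            and bool(qs.get("log_id", [""])[0]))

def is_password_reset(req):
    # Assumed WordPress lost-password endpoint (standard wp-login.php form).
    return (req["method"] == "POST" and req["path"] == "/wp-login.php"
            and req["qs"].get("action") == ["lostpassword"])

def find_suspicious(log_text, window=timedelta(minutes=10)):
    """Flag every email-log view; 'high' if preceded by a reset from the same IP and served 200."""
    reqs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    resets = [r for r in reqs if is_password_reset(r)]
    findings = []
    for r in reqs:
        if not is_log_view(r):
            continue
        chained = any(p["ip"] == r["ip"] and timedelta(0) <= r["time"] - p["time"] <= window
                      for p in resets)
        findings.append({"ip": r["ip"], "log_id": r["qs"]["log_id"][0], "status": r["status"],
                         "severity": "high" if chained and r["status"] == 200 else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

A 200 response to such a request from an unauthenticated client indicates the log was actually served, which on a patched 3.6.1 install should no longer happen.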