Code Defence Cyber security

Critical WordPress Plugin “Post SMTP” Flaw Actively Exploited for Site Takeover

A critical (CVSS 9.8) missing-authorization flaw in the “Post SMTP” WordPress plugin, installed on over 400,000 sites, is being actively exploited. The vulnerability (CVE-2025-11833) allows unauthenticated attackers to read the plugin's stored email logs, including password reset emails, and use the reset links they contain to take over administrator accounts.

Business Impact

Attackers can gain full administrative control of a vulnerable website. From there they can deface the site, distribute malware, redirect visitors to phishing pages, and steal all user data. With over 4,500 exploitation attempts already logged, this is an active and urgent threat.

Why It Happened

The plugin served its email-log viewer without performing a capability check, so any unauthenticated visitor could read logged messages simply by requesting a specific URL. Because the plugin relays and logs the site's outgoing mail, an attacker can request a password reset for an administrator account, read the reset link out of the log, set a new password, and log in as that administrator.
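The following is an added illustration of the flaw class described above, not Post SMTP's own code: a plugin that exposes an email-log viewer on a public request handler with no capability check, shown beside a hardened version that keeps the viewer on an admin-only hook and requires both an administrator capability and a nonce. The `acme_` function names, the `acme_mail_log` query parameter and the `{$wpdb->prefix}acme_mail_log` table are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code). Assumed storage: a custom table
// wp_acme_mail_log with columns id, subject, body.
function acme_get_log_entry( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'acme_mail_log';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT subject, body FROM {$table} WHERE id = %d", $id ),
        ARRAY_A
    );
}

function acme_output_log_entry( $entry ) {
    header( 'Content-Type: text/plain; charset=utf-8' );
    echo $entry ? $entry['subject'] . "\n\n" . $entry['body'] : 'not found';
    exit;
}

// --- VULNERABLE: runs on 'init' for every visitor, logged in or not, and
// never asks who is making the request. Anyone who knows the URL
// /?acme_mail_log=<id> can read stored mail, including password-reset links.
add_action( 'init', 'acme_vulnerable_log_view' );
function acme_vulnerable_log_view() {
    if ( ! isset( $_GET['acme_mail_log'] ) ) {
        return;
    }
    acme_output_log_entry( acme_get_log_entry( absint( $_GET['acme_mail_log'] ) ) );
}

// --- HARDENED: admin-only hook, explicit capability check, and a nonce so the
// request must originate from the plugin's own admin page.
add_action( 'admin_init', 'acme_hardened_log_view' );
function acme_hardened_log_view() {
    if ( ! isset( $_GET['acme_mail_log'] ) ) {
        return;
    }
    // Capability check: only users allowed to manage the site may read email logs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to view email logs.', 'acme' ),
            '',
            array( 'response' => 403 )
        );
    }
    // Nonce check: dies with 403 unless _wpnonce matches the 'acme_view_mail_log' action.
    check_admin_referer( 'acme_view_mail_log' );

    acme_output_log_entry( acme_get_log_entry( absint( $_GET['acme_mail_log'] ) ) );
}

// Link generator for the admin page; wp_nonce_url() appends the matching _wpnonce.
function acme_mail_log_link( $id ) {
    $url = add_query_arg(
        'acme_mail_log',
        absint( $id ),
        admin_url( 'admin.php?page=acme_mail_logs' )
    );
    return wp_nonce_url( $url, 'acme_view_mail_log' );
}
```

The capability check is the fix; the nonce is defence in depth against an administrator being tricked into opening a crafted link. Note that moving the handler to `admin_init` alone is not enough, since `admin_init` also fires for `admin-ajax.php` requests from unauthenticated users.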

Recommended Executive Action

Direct all web teams to immediately update the “Post SMTP” plugin to a patched version (3.6.1 or later). Any site that ran a vulnerable version should be considered potentially compromised: inspect it for unexpected administrator accounts and backdoors, reset administrator passwords (the attack works by reading reset links), and review the stored email logs, which themselves hold sensitive data.
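The following is an added triage script, not vendor or Wordfence tooling, for the inspection step above. It is meant to be run with WP-CLI (`wp eval-file check-post-smtp.php`) and assumes the plugin's main file is `post-smtp/postman-smtp.php`, that 3.6.1 is the first patched release, and a 30-day window for "recently created" accounts; adjust those if your environment differs.

```php
<?php
// Added triage script (assumed: run via `wp eval-file`, plugin slug post-smtp).
require_once ABSPATH . 'wp-admin/includes/plugin.php';

// 1. Is the installed Post SMTP version still vulnerable?
$plugin_file = 'post-smtp/postman-smtp.php';          // assumed main file
$plugin_path = WP_PLUGIN_DIR . '/' . $plugin_file;
if ( file_exists( $plugin_path ) ) {
    $data = get_plugin_data( $plugin_path, false, false );
    $ver  = $data['Version'];
    $flag = version_compare( $ver, '3.6.1', '<' ) ? 'VULNERABLE' : 'patched';
    WP_CLI::log( "Post SMTP version {$ver}: {$flag}" );
} else {
    WP_CLI::log( 'Post SMTP not found at ' . $plugin_file );
}

// 2. Administrator accounts, newest first. Flag recent registrations and any
//    account with a pending password reset (user_activation_key is set when a
//    reset is requested and cleared when it is used or expires).
$cutoff = time() - 30 * DAY_IN_SECONDS;
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );
WP_CLI::log( sprintf( '%d administrator account(s):', count( $admins ) ) );
foreach ( $admins as $u ) {
    $notes = array();
    if ( strtotime( $u->user_registered ) > $cutoff ) {
        $notes[] = 'registered in last 30 days';
    }
    if ( ! empty( $u->user_activation_key ) ) {
        $notes[] = 'pending password reset';
    }
    WP_CLI::log( sprintf(
        '  %-20s %-30s %s %s',
        $u->user_login,
        $u->user_email,
        $u->user_registered,
        $notes ? '<-- ' . implode( ', ', $notes ) : ''
    ) );
}

// 3. PHP files under wp-content/uploads: a common place to drop a web shell,
//    since uploads should never contain executable code.
$uploads = wp_upload_dir();
$basedir = $uploads['basedir'];
$found   = 0;
$iter    = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $basedir, FilesystemIterator::SKIP_DOTS ) );
foreach ( $iter as $file ) {
    if ( preg_match( '/\.(php|phtml|php[0-9])$/i', $file->getFilename() ) ) {
        $found++;
        WP_CLI::log( 'Suspicious file: ' . $file->getPathname() . ' (mtime ' . date( 'c', $file->getMTime() ) . ')' );
    }
}
WP_CLI::log( $found ? "{$found} PHP file(s) found under uploads" : 'No PHP files under uploads' );
```

Any flagged administrator, pending reset on an account nobody requested, or PHP file in the uploads tree is grounds for a full incident review rather than just a plugin update; also check `wp-config.php`, the theme's `functions.php` and must-use plugins, which the script does not cover.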

Hashtags: #WordPress #Vulnerability #Plugin #AccountTakeover #CyberSecurity #PatchNow #CVE #InfoSec #WebSecurity
