WordPress Post SMTP Plugin Vulnerability Exposes 400,000 Websites...
A critical security flaw in the WordPress Post SMTP plugin has left more than 400,000 websites vulnerable to account takeover attacks.
The vulnerability, identified as CVE-2025-11833, enables unauthenticated attackers to access email logs containing sensitive password reset information, potentially compromising administrator accounts and entire websites.
The flaw stems from a missing authorization check in the plugin’s core functionality, allowing threat actors to read logged email data without supplying any authentication credentials.
The Post SMTP plugin, designed to replace WordPress’s default PHP mail function with SMTP mailers, includes an email logging feature that inadvertently exposes critical security information.
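To illustrate the bug class described above (a log-reading endpoint that never checks who is asking) rather than the plugin's own code, here is an added, hypothetical WordPress REST route in the vulnerable shape and in the corrected shape. The `psmtp-demo` namespace, the `psmtp_demo_*` functions and the option name are assumptions for this illustration and are not Post SMTP's real identifiers.

```php
<?php
// Added illustration of a missing-authorization flaw on an email-log endpoint.
// Hypothetical names throughout; this is NOT the Post SMTP plugin's code.

// Constructed sample "email log" of the kind a mail plugin might persist.
// A stored password-reset email is exactly what must never be readable anonymously.
function psmtp_demo_get_logs() {
    return get_option( 'psmtp_demo_email_log', array(
        array(
            'to'      => 'admin@example.test',
            'subject' => 'Password Reset',
            'body'    => 'https://example.test/wp-login.php?action=rp&key=EXAMPLEKEY',
        ),
    ) );
}

// VULNERABLE shape: permission_callback accepts everyone, so an unauthenticated
// request to /wp-json/psmtp-demo/v1/logs receives every logged message.
function psmtp_demo_register_vulnerable_route() {
    register_rest_route( 'psmtp-demo/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'psmtp_demo_get_logs',
        'permission_callback' => '__return_true', // the missing authorization check
    ) );
}

// FIXED shape: only users allowed to manage the site may read the log;
// everyone else gets a WP_Error that the REST layer turns into HTTP 403.
function psmtp_demo_can_read_logs( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'Insufficient permissions to read email logs.',
        array( 'status' => 403 )
    );
}

function psmtp_demo_register_fixed_route() {
    register_rest_route( 'psmtp-demo/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'psmtp_demo_get_logs',
        'permission_callback' => 'psmtp_demo_can_read_logs',
    ) );
}

// Only the fixed route is wired up; the vulnerable one is kept for comparison.
add_action( 'rest_api_init', 'psmtp_demo_register_fixed_route' );
```

The same principle applies to admin-ajax handlers and custom admin pages: every code path that returns stored email content needs a capability check, not just the page that renders the log in the dashboard.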
Since November 1, 2025, attackers have actively targeted this vulnerability, with over 4,500 exploitation attempts already blocked by security systems.
The widespread use of this plugin across hundreds of thousands of WordPress installations has created a significant attack surface for cybercriminals seeking unauthorized access to websites.
Wordfence researchers identified the vulnerability through their Bug Bounty Program on October 11, 2025, just one day after its introduction.
Security researcher netranger discovered and responsibly reported the flaw, earning a bounty of $7,800 for the critical finding.
The WP Experts development team responded swiftly to the disclosure, releasing patch version 3.6.1 on October 29, 2025, to close the security gap affecting all versions up to and including 3.6.0.
The vulnerability carries a CVSS score of 9.8, placing it in the critical severity category. Site administrators must immediately update to version 3.6.1 to protect their installations from ongoing exploitation attempts.