Post SMTP CVE-2025-11833 is under active attack: update WordPress sites to 3.6.1+

CyberSecureFox 🦊

Attackers are actively targeting WordPress sites via a critical vulnerability, CVE-2025-11833, in the widely used Post SMTP plugin (over 400,000 installs). The flaw enables unauthenticated access to email logs, allowing adversaries to harvest password-reset links and seize administrator accounts, resulting in full site compromise.

WordPress exploitation timeline and exposure

The issue was reported by researcher netranger on October 11. On October 15, the plugin developer was notified by Wordfence, and a patch shipped on October 29 in version 3.6.1. WordPress.org data indicates only about half of installations had updated shortly after release, leaving an estimated ~200,000 sites exposed to attack.

Technical analysis: why CVE-2025-11833 is high risk

The vulnerability resides in the plugin’s logging component (PostmanEmailLogs) and stems from missing authorization checks when invoking the class constructor. As a result, email log contents can be requested without authentication. This is a classic case of Insecure Direct Object Reference (IDOR), a broken access control flaw that leads to confidential data exposure.

Email logs commonly contain password-reset notifications with one-time reset URLs. An attacker who retrieves such a link can immediately change the admin password and take over the site. All versions prior to 3.6.1 (including 3.6.0) are affected; the fix is included in 3.6.1. The vulnerability is rated CVSS 9.8, reflecting its critical impact and ease of exploitation.
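The access-control failure described above, shown as an added illustrative example in generic WordPress plugin code (this is not Post SMTP's code; the class names, the `view_email_log` action, the `email_log` table and the `manage_options` capability are assumptions): an email-log endpoint wired up from a constructor with no authorization check, next to the hardened form.

```php
<?php
// Added example, not from the article or the plugin. Illustrates the IDOR pattern:
// a constructor registers a log-viewing handler that any visitor can call.

// Vulnerable pattern: the nopriv hook exposes the handler to unauthenticated requests,
// and the handler never checks who is asking before returning a stored email.
class Insecure_Email_Log_Viewer {
    public function __construct() {
        add_action( 'wp_ajax_view_email_log', [ $this, 'render' ] );
        add_action( 'wp_ajax_nopriv_view_email_log', [ $this, 'render' ] ); // reachable by anyone
    }

    public function render() {
        global $wpdb;
        $id  = absint( $_GET['log_id'] ?? 0 ); // caller-chosen object reference, no ownership check
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}email_log WHERE id = %d", $id
        ) );
        wp_send_json( $row ); // full message body, including any password-reset link, leaves the site
    }
}

// Hardened pattern: the handler is registered for logged-in users only, and it requires
// both a valid nonce (request forgery) and an explicit capability (authorization)
// before a single row is read. Either check failing ends the request with a 403.
class Secure_Email_Log_Viewer {
    public function __construct() {
        add_action( 'wp_ajax_view_email_log', [ $this, 'render' ] ); // no nopriv hook
    }

    public function render() {
        check_ajax_referer( 'view_email_log' );          // dies with 403 on a missing or invalid nonce
        if ( ! current_user_can( 'manage_options' ) ) {  // administrators only
            wp_send_json_error( 'forbidden', 403 );
        }
        global $wpdb;
        $id  = absint( $_GET['log_id'] ?? 0 );
        // Return only the fields an operator needs; keep the message body out of the response.
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT id, to_address, subject, sent_at FROM {$wpdb->prefix}email_log WHERE id = %d", $id
        ) );
        wp_send_json_success( $row );
    }
}
```

The two checks in the hardened version are independent: the nonce stops cross-site requests riding on an admin's session, while the capability check is what closes the unauthenticated and low-privilege access paths the advisory describes.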

Evidence of in-the-wild attacks

According to Wordfence telemetry, the first exploitation attempts were observed on November 1. In recent days, more than 4,500 attacks have been blocked across Wordfence-protected sites. Given Wordfence’s partial visibility into the broader WordPress ecosystem, the true volume of attempts is likely in the tens of thousands.

Immediate mitigation for WordPress administrators

Patch and containment

Update Post SMTP to 3.6.1 or later without delay. If immediate patching is not possible, disable the plugin as a temporary containment measure, particularly if your login endpoints are publicly accessible.

Credential hygiene and monitoring

Reset passwords and tokens for administrators, editors, and SMTP integrations, and enable two-factor authentication (2FA) for all admin accounts. Review logs for unauthorized access, unexpected password resets, new admin creations, and changes to email or site URL settings.

Hardening steps to reduce attack surface

– Restrict access to /wp-admin/ and /wp-login.php by IP allowlisting, enforce Web Application Firewall (WAF) rules from your security provider, and apply rate limiting on login attempts.

– Minimize or disable email logging where not operationally required, and ensure any retained logs are not publicly accessible.

– Conduct a plugin inventory: remove unused components, keep active plugins/themes updated, and enable auto-updates for critical dependencies.

Security context: recurring access control flaws in Post SMTP

This is the second major issue in Post SMTP in recent months. In July 2025, Patchstack disclosed CVE-2025-24000, a related flaw that also exposed mail logs and password-reset links, even to low-privileged users. The recurrence indicates gaps in secure development lifecycle (SDLC) controls and underscores the need for a thorough review of authorization logic and log handling within the plugin.

WordPress remains a high-value target due to its large footprint and plugin diversity. To lower breach risk, prioritize timely updates, enforce 2FA, restrict administrative interfaces, and deploy a WAF. If your site uses Post SMTP and is not yet on 3.6.1+, act now: apply the patch, audit logs, rotate passwords and tokens, and strengthen access controls. Proactive maintenance and layered defenses are the most effective countermeasures against rapidly evolving mass exploitation.
