CVE-2025-11833
Published: 2025-11-01
Priority P188 · CVSS 3.1 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploited in the wild (ITW exploit · VulnCheck KEV)
EPSS: 51.51% (98.8th percentile)
The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.
Detection & IOCs (extracted from sources)
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wordpress Post SMTP Plugin Unauthenticated Account Takeover via Email Log Disclosure (CVE-2025-11833)"; flow:established,to_server; http.uri; content:"page|3d|postman_email_log"; fast_pattern; content:"view|3d|log"; content:"log_id|3d|"; http.method; content:"GET"; reference:url,www.wordfence.com/blog/2025/11/400000-wordpress-sites-affected-by-account-takeover-vulnerability-in-post-smtp-wordpress-plugin/; reference:cve,2025-11833; classtype:web-application-attack; sid:2065685; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_06, cve CVE_2025_11833, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit requests combine a password reset trigger with email log access: POST to /wp-login.php with action=lostpassword AND query parameters page=postman_email_log, view=log, and log_id= in the same request.
- The log_id parameter is an auto-incremented integer, making it trivially guessable/enumerable by attackers; monitor for sequential or rapid iteration over log_id values.
- Successful exploitation response body contains the strings 'your password, visit the following address:', 'key=', and the targeted username; use these as match conditions in HTTP response inspection.
- Unauthenticated GET requests to WordPress URLs containing all three query parameters (page=postman_email_log, view=log, and log_id=) are the attack signature; no authentication headers are required.
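A defender-side check that applies the conditions above to web-server access logs, added here as an example (not code from this page, from Emerging Threats, or from the plugin vendor): it mirrors the Snort rule's URI conditions (GET plus page=postman_email_log, view=log and a log_id parameter) and additionally flags clients that iterate over several log_id values, the enumeration pattern the second bullet describes. The log lines, the client IPs and the /wp-admin/admin.php path are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); IPs are documentation
# ranges and the /wp-admin/admin.php path is illustrative, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Nov/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=postman_email_log&view=log&log_id=41 HTTP/1.1" 200 5120 "-" "curl/8.4"
203.0.113.7 - - [06/Nov/2025:10:00:02 +0000] "GET /wp-admin/admin.php?page=postman_email_log&view=log&log_id=42 HTTP/1.1" 200 5130 "-" "curl/8.4"
203.0.113.7 - - [06/Nov/2025:10:00:03 +0000] "GET /wp-admin/admin.php?page=postman_email_log&view=log&log_id=43 HTTP/1.1" 200 5001 "-" "curl/8.4"
198.51.100.9 - - [06/Nov/2025:10:00:04 +0000] "GET /wp-admin/admin.php?page=postman_email_log HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Nov/2025:10:00:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request-URI, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_log_disclosure_request(method: str, uri: str) -> bool:
    """Same conditions as the Snort rule: GET whose URI carries page=postman_email_log,
    view=log and a log_id parameter (an empty value still counts, like the |3d| match)."""
    if method.upper() != "GET":
        return False
    qs = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return ("postman_email_log" in qs.get("page", [])
            and "log" in qs.get("view", [])
            and "log_id" in qs)


def analyze(log_text: str, threshold: int = 3) -> dict:
    """Return every matching request and the clients that iterate over log_id values
    (the id is auto-incremented, so several distinct ids from one client within the
    log window is the stronger enumeration signal)."""
    hits, ids_by_ip = [], defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, uri = m.group(1), m.group(3), m.group(4)
        if not is_log_disclosure_request(method, uri):
            continue
        raw = parse_qs(urlsplit(uri).query, keep_blank_values=True)["log_id"][0]
        log_id = int(raw) if raw.isdigit() else None
        hits.append((ip, log_id))
        if log_id is not None:
            ids_by_ip[ip].add(log_id)
    enumerators = {ip: sorted(ids) for ip, ids in ids_by_ip.items() if len(ids) >= threshold}
    return {"hits": hits, "enumerators": enumerators}
```

Running `analyze(SAMPLE_LOG)` on the constructed lines reports three hits from 203.0.113.7 and lists that client as enumerating log_id 41 to 43; the request carrying only page=postman_email_log and the POST to /wp-login.php do not match the rule's conditions.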
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-mjg8-w6j8-9hcc (ghsa_unreviewed · 2025-11-01 · CRITICAL · CWE-862): same description as the CVE summary above.
VulnCheck
wpexperts post_smtp Missing Authorization (vulncheck · 2025 · CVSS 9.8 · CRITICAL): same description as the CVE summary above.
Affected: Saad Iqbal Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation Referenc
Suricata
ET WEB_SPECIFIC_APPS Wordpress Post SMTP Plugin Unauthenticated Account Takeover via Email Log Disclosure (CVE-2025-11833) (suricata · 2025-11-06 · CVSS 9.8 · CRITICAL)
Rule: the same signature as the Snort rule above (sid:2065685, rev:1).
Nuclei
Post SMTP <= 3.6.0 - Email Log Disclosure (nuclei · CVSS 9.8 · CRITICAL)
Post SMTP WordPress plugin <= 3.6.0 contains an unauthorized data access vulnerability caused by a missing capability check in the __construct function, letting unauthenticated attackers read arbitrary logged emails; exploitation requires no authentication.
Template:
id: CVE-2025-11833
info:
  name: Post SMTP <= 3.6.0 - Email Log Disclosure
  author: Kazgangap
  severity: critical
  description: |
    Post SMTP WordPress plugin <= 3.6.0 contains an unauthorized data access vulnerability caused by missing capability check in __construct function, letting unauthenticated attackers read arbitrary logged emails, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can read sensitive logged emails, including password reset links, potentially leading to
Bleepingcomputer
## ACF plugin bug gives hackers admin on 50,000 WordPress sites
Bill Toulas · blogs_bleepingcomputer · 2026-01-20 · CVSS 9.8 [CRITICAL]
A critical-severity vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress can be exploited remotely by unauthenticated attackers to obtain administrative permissions.
ACF Extended, currently active on 100,000 websites, is a specialized plugin that extends the capabilities of the Advanced Custom Fields (ACF) plugin with features for developers and advanced site builders.
The vulnerability, tracked as CVE-2025-14533, can be leveraged for admin privileges by abusing the plugin’s ‘Insert User / Update User’ form action, in versions of ACF Extended 0.9.2.1 and earlier.
The flaw arises from the lack of enforcement of role restrictions during form-based user creation or updates,
Securelist
## From cheats to exploits: Webrat spreading via GitHub
(also listed as: Webrat, disguised as exploits, is spreading via GitHub repositories)
blogs_securelist · 2025-12-23 · CVSS 9.8 [CRITICAL]
Table of Contents
- Distribution and the malicious sample
- Campaign objectives
- Conclusion
- Indicators of compromise
Authors
- Maxim Starodubov
In early 2025, security researchers uncovered a new malware family named Webrat. Initially, the Trojan targeted regular users by disguising itself as cheats for popular games like Rust, Counter-Strike, and Roblox, or as cracked software. In September, the attackers decided to widen their net: alongside gamers and users of pirated software, they are now targeting inexperienced professionals and students in the information security field.
## Distribution and the malicious sample
In October, we uncovered a campaign that had been distributing Webrat via GitHub repositories since at least September. To lure in victims, the attackers leveraged vulnerab
Bleepingcomputer
## Hackers exploit WordPress plugin Post SMTP to hijack admin accounts
Bill Toulas · blogs_bleepingcomputer · 2025-11-04 · CVSS 9.8 [CRITICAL]
Threat actors are actively exploiting a critical vulnerability in the Post SMTP plugin installed on more than 400,000 WordPress sites, to take complete control by hijacking administrator accounts.
Post SMTP is a popular email delivery solution marketed as a feature-rich and more reliable replacement for the default ‘wp_mail()’ function.
On October 11, WordPress security firm Wordfence received a report from researcher ‘netranger’ about an email log disclosure issue that could be leveraged for account takeover attacks.
The issue, tracked as CVE-2025-11833, received a critical-severity score of 9.8 and impacts all versions of Post SMTP 3.6.0 and older.
The vulnerability stems from the lack of auth