cbcvebase.
CVE-2025-11833
published 2025-11-01


Priority: P188 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation status: exploited in the wild (ITW), public exploit, listed in VulnCheck KEV
EPSS: 51.51% (98.8th percentile)
The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.

Detection & IOCs (extracted from sources)

Path: /wp-login.php?action=lostpassword&page=postman_email_log&view=log&log_id=
Path: /wp-content/plugins/post-smtp
Snort/Suricata rule (ET sid 2065685):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wordpress Post SMTP Plugin Unauthenticated Account Takeover via Email Log Disclosure (CVE-2025-11833)"; flow:established,to_server; http.uri; content:"page|3d|postman_email_log"; fast_pattern; content:"view|3d|log"; content:"log_id|3d|"; http.method; content:"GET"; reference:url,www.wordfence.com/blog/2025/11/400000-wordpress-sites-affected-by-account-takeover-vulnerability-in-post-smtp-wordpress-plugin/; reference:cve,2025-11833; classtype:web-application-attack; sid:2065685; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_06, cve CVE_2025_11833, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requests combine a password reset trigger with email log access: POST to /wp-login.php with action=lostpassword AND query parameters page=postman_email_log, view=log, and log_id= in the same request.
  • The log_id parameter is an auto-incremented integer, making it trivially guessable/enumerable by attackers; monitor for sequential or rapid iteration over log_id values.
  • Successful exploitation response body contains the strings 'your password, visit the following address:', 'key=', and the targeted username — use these as match conditions in HTTP response inspection.
  • Unauthenticated GET requests to WordPress URLs containing all three query parameters — page=postman_email_log, view=log, and log_id= — are the attack signature; no authentication headers are required.
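As an added example (not from this page, the plugin, or the rule's author), the following Python script applies the three-parameter signature above to web-server access logs and reports clients that iterate over log_id values; the log lines and client IPs are constructed for illustration.

```python
# Added example (not from the original page): flags access-log lines whose request
# URI carries all three query parameters named in the ET rule above, and reports
# clients that request several distinct log_id values (enumeration pattern).
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format; the request line is the quoted field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_email_log_request(uri: str) -> bool:
    """True when page=postman_email_log, view=log and log_id= all appear in the query."""
    qs = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return (qs.get("page") == ["postman_email_log"]
            and qs.get("view") == ["log"]
            and "log_id" in qs)

def scan(lines):
    """Return (hits, enumerators): hits are (client, method, uri, status) tuples;
    enumerators lists clients that requested 3 or more distinct log_id values."""
    hits, ids = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, uri, status = m.groups()
        if not is_email_log_request(uri):
            continue
        hits.append((client, method, uri, status))
        for v in parse_qs(urlsplit(uri).query, keep_blank_values=True)["log_id"]:
            ids[client].add(v)
    enumerators = sorted(c for c, s in ids.items() if len(s) >= 3)
    return hits, enumerators

# Constructed sample lines (documentation-range IPs, not real traffic).
SAMPLE = """\
203.0.113.5 - - [06/Nov/2025:10:00:01 +0000] "GET /wp-login.php?action=lostpassword&page=postman_email_log&view=log&log_id=41 HTTP/1.1" 200 2311 "-" "curl/8.4"
203.0.113.5 - - [06/Nov/2025:10:00:02 +0000] "GET /wp-login.php?action=lostpassword&page=postman_email_log&view=log&log_id=42 HTTP/1.1" 200 2300 "-" "curl/8.4"
203.0.113.5 - - [06/Nov/2025:10:00:03 +0000] "GET /wp-login.php?action=lostpassword&page=postman_email_log&view=log&log_id=43 HTTP/1.1" 200 2298 "-" "curl/8.4"
198.51.100.7 - - [06/Nov/2025:10:05:00 +0000] "GET /wp-admin/admin.php?page=postman_email_log HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Nov/2025:10:06:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    hits, enumerators = scan(SAMPLE)
    for h in hits:
        print("suspect:", *h)
    print("log_id enumeration from:", enumerators)
```

An admin viewing the log page normally (fourth sample line) is not flagged, because the view=log and log_id parameters are absent; only requests matching all three conditions count.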

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL