CVE-2025-11833 (CVSS 9.8): Critical Flaw Exposes 400,000 WordPress Sites to Unauthenticated Account Takeover

The Post SMTP plugin, used by over 400,000 WordPress sites to ensure reliable email delivery, has been found to contain a critical Missing Authorization vulnerability that can lead to complete Account Takeover.

The flaw, tracked as CVE-2025-11833 and rated with a maximum severity CVSS 9.8, allows any attacker to read sensitive emails logged by the plugin, including the highly valuable password reset links sent to administrators.

The vulnerable function, located in versions up to and including 3.6.0, fails to verify if the user requesting access has the necessary administrative privileges. This failure means unauthenticated attackers—users who are not logged in and have no privileges—can bypass the standard security model entirely.

By accessing the plugin’s email logs, the attacker can find password reset emails, which often contain a one-time link that instantly bypasses the password requirement. Clicking this link grants the attacker the ability to set a new password, resulting in a full administrative account takeover.

This type of vulnerability is one of the most severe in the WordPress ecosystem, as it is simple to exploit (low attack complexity) and leads directly to maximum site compromise.

Security researchers have already detected active exploitation attempts against vulnerable sites. The Wordfence security team reported blocking “2 attacks targeting this vulnerability in the past 24 hours,” underscoring the urgency of the threat.

Site administrators using the Post SMTP plugin must update immediately to version 3.6.1 to close this critical security gap.

Related Posts:

• SMTP Smuggling: The New Frontier in Email Spoofing
• Malicious Python Packages Exploited Gmail as Covert Command-and-Control Channels
• 400,000 WordPress Sites at Risk: CVE-2025-24000 in Post SMTP Plugin Allows Full Site Takeover
• PoC Exploit Releases for Zimbra RCE Flaw CVE-2024-45519: Mass Exploitation Detected
• Microsoft Boosts Email Security with General Availability of Inbound SMTP DANE with DNSSEC

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.