The Post SMTP plugin, used by over 400,000 WordPress sites to ensure reliable email delivery, has been found to contain a critical Missing Authorization vulnerability that can lead to complete Account Takeover.
The flaw, tracked as CVE-2025-11833 and rated critical with a CVSS score of 9.8, allows an unauthenticated attacker to read the emails the plugin logs, including the password reset emails sent to administrators, whose reset links are the real prize.
The vulnerable function, present in versions up to and including 3.6.0, does not check that the user requesting the email log holds the administrative capability needed to view it. Because the check is missing rather than merely weak, unauthenticated attackers, visitors who are not logged in at all, can read the log without presenting any credentials.
By browsing the plugin's email log, the attacker looks for a password reset email addressed to an administrator. The reset link in that email carries a one-time key that authenticates its holder without the current password, so following it lets the attacker set a new password and take over the administrator account. The attacker does not even have to wait for such an email to appear: WordPress lets anyone request a password reset for a known username or email address from the login page, and the resulting message is logged like any other.
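To make the bug class concrete, here is an added example. It is not Post SMTP's code and not the affected function itself; it is a hypothetical WordPress email-log viewer written for this page, showing the missing-authorization pattern next to a hardened version. The function and parameter names, the demo_mail_log table and the 'demo-mail' text domain are assumptions for the illustration; the WordPress core calls (current_user_can, check_admin_referer, wp_nonce_url, wp_die, $wpdb->prepare) are real.

```php
<?php
/**
 * Illustrative example added for this article (not Post SMTP's code).
 * Assumed for the demo: a table {$wpdb->prefix}demo_mail_log with columns
 * id, subject, body; a query parameter demo_view_log; text domain 'demo-mail'.
 */

/* ---------- VULNERABLE: no check of who is asking ---------- */

add_action( 'init', 'demo_mail_view_log_vulnerable' );

function demo_mail_view_log_vulnerable() {
	if ( ! isset( $_GET['demo_view_log'] ) ) {
		return;
	}
	global $wpdb;
	$id  = (int) $_GET['demo_view_log'];
	$row = $wpdb->get_row( $wpdb->prepare(
		"SELECT subject, body FROM {$wpdb->prefix}demo_mail_log WHERE id = %d",
		$id
	) );
	// 'init' fires on every request, logged in or not, and nothing above asks
	// who the requester is. Whatever the log holds, including a
	// wp-login.php?action=rp&key=... reset link, is served to anyone.
	if ( $row ) {
		echo '<h1>' . esc_html( $row->subject ) . '</h1>';
		echo '<pre>' . esc_html( $row->body ) . '</pre>';
	}
	exit;
}

/* ---------- HARDENED: authorize, CSRF-protect, redact ---------- */

add_action( 'init', 'demo_mail_view_log_hardened' );

function demo_mail_view_log_hardened() {
	if ( ! isset( $_GET['demo_view_log'] ) ) {
		return;
	}
	$id = (int) $_GET['demo_view_log'];

	// 1. Authorization: only administrators (manage_options) may read the
	//    mail log. Anonymous visitors fail this check and get a 403.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die(
			esc_html__( 'You are not allowed to view email logs.', 'demo-mail' ),
			'',
			array( 'response' => 403 )
		);
	}

	// 2. CSRF: the link must carry a nonce bound to this user and this log
	//    entry (see demo_mail_log_link), so an admin cannot be lured into
	//    fetching an entry through a crafted URL. A nonce is not a substitute
	//    for step 1; it only proves the request originated from the admin UI.
	check_admin_referer( 'demo_view_log_' . $id );

	global $wpdb;
	$row = $wpdb->get_row( $wpdb->prepare(
		"SELECT subject, body FROM {$wpdb->prefix}demo_mail_log WHERE id = %d",
		$id
	) );
	if ( $row ) {
		echo '<h1>' . esc_html( $row->subject ) . '</h1>';
		echo '<pre>' . esc_html( $row->body ) . '</pre>';
	}
	exit;
}

/** Builds the only link the hardened viewer will accept (nonce included). */
function demo_mail_log_link( $id ) {
	$id = (int) $id;
	return wp_nonce_url(
		add_query_arg( 'demo_view_log', $id, admin_url() ),
		'demo_view_log_' . $id
	);
}

/**
 * 3. Defence in depth: never store a usable reset key at all. Call this on
 *    the message body before writing it to the log table. It blanks the key
 *    in WordPress reset links, which core builds as
 *    wp-login.php?action=rp&key=KEY&login=USER (HTML mail may carry &amp;).
 */
function demo_mail_redact_reset_links( $body ) {
	return preg_replace(
		'#(wp-login\.php\?action=rp&(?:amp;)?key=)[^&\s"\'<>]+#i',
		'$1[redacted]',
		$body
	);
}
```

The lesson of the vulnerable half is that a log viewer reachable on a hook such as init, admin_init or admin-ajax.php is a public endpoint unless the handler itself verifies the caller's capability; WordPress does not gate those hooks for you. The redaction step is worth keeping even after the capability check is fixed, because it turns a future authorization bug in the same viewer from an account takeover into an information leak of subjects and bodies without live credentials.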
This type of vulnerability is one of the most severe in the WordPress ecosystem, as it is simple to exploit (low attack complexity) and leads directly to maximum site compromise.
Security researchers have already detected active exploitation attempts against vulnerable sites. The Wordfence security team reported blocking “2 attacks targeting this vulnerability in the past 24 hours,” underscoring the urgency of the threat.

Site administrators running Post SMTP should update to version 3.6.1 immediately. Because the email log may already have been read before the update, it is also prudent to change administrator passwords afterwards and to review the plugin's email log for password reset messages that the site's own administrators did not request.