Critical Post SMTP Plugin Vulnerability Actively Exploited

Threat actors are actively exploiting a critical vulnerability in the Post SMTP plugin, which is installed on over 400,000 WordPress websites, to hijack administrator accounts and take complete control of sites.

The security flaw allows unauthenticated attackers to read sensitive email logs, including password reset messages, providing a direct path to full site compromise.

What makes this vulnerability so dangerous is that it requires no prior access: an attacker who can reach the site's public login page can end up holding full administrative privileges.

With data showing that hundreds of thousands of sites remain unpatched, a large and immediate window of opportunity exists for widespread attacks, putting site integrity, user data, and business operations at severe risk.

A Critical Flaw with a 9.8 Severity Score

The vulnerability is tracked as CVE-2025-11833 and carries a critical CVSS score of 9.8 out of 10. It is not an isolated incident: it follows a similar authorization bypass (CVE-2025-24000) reported by the security firm Patchstack in July, establishing a troubling pattern of access-control problems in the plugin.

The flaw affects all versions of the Post SMTP plugin up to and including version 3.6.0. In response, the developer has released a security patch in version 3.6.1. However, the scale of the problem remains immense.

While the plugin is used on more than 400,000 websites, current data indicates that at least 210,000 sites have not been updated and remain exposed to these ongoing attacks.

The Two-Step Attack to Site Takeover

Understanding the attack vector shows how a simple programming oversight can lead to a catastrophic breach. The root cause is a missing authorization check in the __construct function of the plugin's PostmanEmailLogs class.

This function, which is responsible for rendering logged email content, never verifies that the requesting user has the capability to view the logs. An attacker can therefore retrieve any stored email, including its full body, simply by supplying its identifier in a URL parameter such as log_id.

This oversight enables a straightforward two-step attack:

  1. First, an unauthenticated attacker initiates a standard password reset for a site’s administrator account.
  2. Second, the attacker leverages the vulnerability to directly access the plugin’s email logs, where they can view the password reset email, copy the reset link, and use it to change the administrator’s password.

The outcome of this exploit is a complete site takeover. Once attackers gain administrative privileges, they can compromise the entire website by modifying content, stealing data, or uploading malicious backdoors.
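Because the two-step sequence leaves a distinctive footprint in ordinary web-server access logs, it can be hunted for retrospectively. The following Python script is an added example written for this article, not code from Wordfence, Reflectiz or the plugin's developers. It parses a few constructed Apache "combined" log lines and flags any client that submits the WordPress password-reset form (POST to wp-login.php?action=lostpassword, which is core WordPress behaviour) and then requests email-log entries by log_id within a short window. Only the log_id parameter comes from the article; the wp-admin page name in the sample lines is a placeholder, so the detector matches on the parameter rather than on a specific path. It also reports when the requested IDs are consecutive, the enumeration pattern the auto-incrementing log IDs invite.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format. Cookies are not part of this format, so
# authentication state is inferred from behaviour rather than read off the line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic (not real logs). The wp-admin page name is an
# assumption; only the log_id parameter is taken from the published advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2025:10:02:11 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2025:10:02:14 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2025:10:02:20 +0000] "GET /wp-admin/admin.php?page=postman_email_log&log_id=118 HTTP/1.1" 200 9834 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2025:10:02:21 +0000] "GET /wp-admin/admin.php?page=postman_email_log&log_id=119 HTTP/1.1" 200 9911 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2025:10:02:22 +0000] "GET /wp-admin/admin.php?page=postman_email_log&log_id=120 HTTP/1.1" 200 10021 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Nov/2025:10:05:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Nov/2025:11:00:00 +0000] "GET /wp-admin/admin.php?page=postman_email_log&log_id=121 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Nov/2025:10:10:00 +0000] "GET /wp-admin/admin.php?page=postman_email_log&log_id=7 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "status": int(m["status"]),
    }


def is_reset_request(ev):
    # Step 1 of the attack: submitting the core WordPress "lost password" form.
    return (ev["method"] == "POST" and ev["path"].endswith("/wp-login.php")
            and ev["query"].get("action") == "lostpassword")


def is_log_read(ev):
    # Step 2: any request that addresses a stored email by numeric log_id.
    return ev["query"].get("log_id", "").isdigit()


def find_takeover_sequences(lines, window=timedelta(minutes=15)):
    """Return one finding per (client, reset request) followed by log reads in `window`."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        resets = [e for e in evs if is_reset_request(e)]
        reads = [e for e in evs if is_log_read(e)]
        for r in resets:
            after = [x for x in reads if r["ts"] <= x["ts"] <= r["ts"] + window]
            if not after:
                continue
            ids = [int(x["query"]["log_id"]) for x in after]
            # Auto-incrementing IDs walked in consecutive order indicate enumeration
            # of recent log entries rather than a one-off lookup.
            sequential = len(ids) >= 3 and all(b - a == 1 for a, b in zip(ids, ids[1:]))
            findings.append({
                "ip": ip,
                "reset_at": r["ts"].isoformat(),
                "log_ids": ids,
                "enumeration": sequential,
                "served_200": sum(1 for x in after if x["status"] == 200),
            })
    return findings


if __name__ == "__main__":
    for f in find_takeover_sequences(SAMPLE_LOG.splitlines()):
        print(f)
```

On the sample data only 203.0.113.7 is reported: it posts a reset and walks log_id 118, 119 and 120 within seconds, all served with HTTP 200. The second client's log read comes almost an hour after its reset and falls outside the window, and the third client never requested a reset at all. A legitimate administrator reviewing logs shortly after a user's reset will produce the same footprint, so treat a hit as a lead to correlate with session data and the site's audit trail, not as proof of compromise; a 200 response on an unpatched site does mean the log page rendered for that request.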

From Discovery to Widespread Exploitation

The timeline of this vulnerability highlights the rapid progression from discovery to active, widespread exploitation, underscoring the critical need for administrators to apply security patches immediately.

The key events unfolded over just a few weeks:

  • October 11, 2025: Security researcher ‘netranger’ discovered the flaw and responsibly reported it to the security firm Wordfence, earning a $7,800 bounty for the critical finding.
  • October 15, 2025: Wordfence validated the exploit and disclosed the vulnerability to the plugin’s vendor, Saad Iqbal of The WP Experts development team.
  • October 29, 2025: The developer responded by releasing a patch in Post SMTP version 3.6.1.
  • November 1, 2025: Despite the available patch, threat actors began actively exploiting the vulnerability in the wild.

The active exploitation is not theoretical; Wordfence confirmed it has already blocked over 4,500 exploit attempts targeting this specific flaw.

Experts Warn Patch is Incomplete

While the official patch is crucial for blocking the immediate unauthenticated attack, security experts warn it is more of a “band-aid” than a comprehensive solution. The fix fails to address the underlying data handling issue, leaving a secondary risk that site owners must understand.

According to researcher Ysrael Gurt of Reflectiz, the patch in version 3.6.1 does not fully resolve the core problem. Gurt identified two primary concerns:

  • Incomplete Data Protection: The fix does not stop password reset emails from being written to the logs in the first place. They remain readable by any logged-in user who has been granted log-viewing permission, even a low-privilege role such as subscriber.
  • Predictable Log IDs: The log ID is an auto-incrementing integer, so an attacker with any level of site access can trivially guess the ID of a recently sent email and request its contents.

Given the active exploitation and the noted limitations of the patch, the guidance from security professionals is clear. All website owners using the Post SMTP plugin must update to version 3.6.1 immediately or, if unable to do so, disable the plugin entirely to protect their sites from these ongoing takeover attacks.