PT-2025-44700 · WordPress · Post Smtp

Carl Pearson · Published 2025-10-29 · Updated 2026-04-14 · CVE-2025-11833

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App, versions prior to 3.6.1
Description: The Post SMTP plugin for WordPress is missing a capability check in its construct function, which renders logged email content directly. As a result, unauthenticated attackers can read arbitrary emails logged by the plugin, potentially including password reset emails whose links could lead to account takeover. Approximately 400,000 WordPress sites using this plugin are potentially affected. Exploitation attempts have been observed in the wild: Wordfence reports blocking over 4,500 attempts since November 1, 2025.
Recommendations: Versions prior to 3.6.1 should be updated to version 3.6.1 or later.
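The weakness class here (CWE "Missing Authorization") comes down to a privileged view being rendered without asking WordPress whether the current request is allowed to see it. The following is an added illustration written for this page, not Post SMTP's own code: a hypothetical log-viewer class in the weak shape the description outlines (a constructor that echoes a logged email whenever a request parameter is present) next to the hardened shape a reviewer would expect. The class names, option keys, query parameter and nonce action are all made up; the WordPress functions (`add_action`, `current_user_can`, `check_admin_referer`, `wp_die`, `get_option`, `absint`, `esc_html`) are real core APIs.

```php
<?php
// Added illustration for this advisory; not the plugin's code.
// Hypothetical storage: one option per logged message, holding subject and body.
function hypothetical_render_log( $log_id ) {
    $entry = get_option( 'hypothetical_email_log_' . $log_id );
    if ( is_array( $entry ) ) {
        echo esc_html( $entry['subject'] ) . "\n" . esc_html( $entry['body'] );
    }
}

// --- Weak pattern: the constructor renders privileged data with no capability check ---
class Hypothetical_Log_Viewer_Weak {
    public function __construct() {
        if ( isset( $_GET['view_log'] ) ) {
            // Any visitor, authenticated or not, reaches this branch: the only
            // input that matters is the query parameter, never the user's role.
            hypothetical_render_log( absint( $_GET['view_log'] ) );
        }
    }
}

// --- Hardened pattern: defer to a hook, then gate on capability and nonce ---
class Hypothetical_Log_Viewer_Fixed {
    public function __construct() {
        // Constructors often run before the authentication layer is ready, so
        // do the work on admin_init, when the current user is resolved.
        add_action( 'admin_init', array( $this, 'maybe_render_log' ) );
    }

    public function maybe_render_log() {
        if ( ! isset( $_GET['view_log'] ) ) {
            return;
        }
        // 1. Authorization: only users who can manage the site may read email logs.
        //    This is the check whose absence the advisory describes.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You are not allowed to view email logs.', 'hypothetical' ), 403 );
        }
        // 2. Request integrity: require a valid nonce for the (hypothetical) action,
        //    so a privileged user cannot be tricked into issuing the request.
        check_admin_referer( 'hypothetical_view_log' );

        hypothetical_render_log( absint( $_GET['view_log'] ) );
    }
}
```

Two points are worth taking from the contrast. First, `absint()` and `esc_html()` in the weak class are not a defense here: they sanitize the input and the output, but the flaw is that the request is never authorized at all, so input validation alone cannot close it. Second, the capability check must run where the user is known; moving the logic out of the constructor onto `admin_init` is what makes `current_user_can()` meaningful. To confirm which version a site is running before and after patching, `wp plugin get post-smtp --field=version` works with WP-CLI (the plugin slug `post-smtp` is assumed here, not taken from the advisory).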

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

BDU:2025-15404
CVE-2025-11833

Affected Products

Post Smtp