Hackers are actively targeting a severe security flaw in the Post SMTP plugin, which is used on more than 400,000 WordPress websites.
The vulnerability allows attackers to hijack administrator accounts and take full control of affected sites.
Post SMTP is a widely used plugin that improves email delivery on WordPress and replaces the default wp_mail() function with a more reliable alternative.
Details of the Vulnerability

The issue, identified as CVE-2025-11833, received a critical severity score of 9.8. It affects all plugin versions 3.6.0 and older. The vulnerability was first reported on October 11 by a researcher known as netranger to the security firm Wordfence.
According to Wordfence, the flaw exists because of a missing authorization check in the plugin's __construct function within the PostmanEmailLogs flow. As a result, anyone, without logging in, can view the plugin's stored email logs.
This is especially dangerous because those logs can contain password reset links. Hackers can use those links to reset an administrator’s password and completely take over a website.
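The pattern the advisory describes, as an added illustration rather than Post SMTP's own code: a log viewer whose constructor wires up a handler that returns stored email logs to any visitor, beside a hardened version that requires an administrator capability and a valid nonce. The class, hook and option names (Vulnerable_Email_Logs, Hardened_Email_Logs, example_email_logs) are hypothetical.

```php
<?php
// Added illustration, not Post SMTP's code. Class, hook and option names are
// hypothetical; the real plugin's internals are not reproduced here.

// VULNERABLE PATTERN: the constructor registers a handler on a hook that every
// request reaches, and the handler dumps stored logs with no authorization check.
class Vulnerable_Email_Logs {
    public function __construct() {
        // 'init' fires for logged-out visitors too, and nothing below asks who they are.
        add_action( 'init', array( $this, 'maybe_render_logs' ) );
    }

    public function maybe_render_logs() {
        if ( isset( $_GET['view_email_logs'] ) ) {
            // Stored logs may hold full message bodies, including password reset
            // links, so returning them to an unauthenticated caller exposes admin accounts.
            wp_send_json( get_option( 'example_email_logs', array() ) );
        }
    }
}

// HARDENED PATTERN: same feature, but reachable only by logged-in users, gated on
// an admin-level capability, and protected against CSRF with a nonce.
class Hardened_Email_Logs {
    public function __construct() {
        // wp_ajax_* (without a wp_ajax_nopriv_* twin) is only dispatched for
        // authenticated users, so logged-out requests never reach render_logs().
        add_action( 'wp_ajax_example_view_email_logs', array( $this, 'render_logs' ) );
    }

    public function render_logs() {
        // Being logged in is not enough: a subscriber must not read admin email logs.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        // The request must carry a nonce issued to this user for this action;
        // check_ajax_referer() terminates the request if it is missing or invalid.
        check_ajax_referer( 'example_view_email_logs', 'nonce' );

        wp_send_json_success( get_option( 'example_email_logs', array() ) );
    }
}
```

The defender's check is the same in both directions: any code path that reads email logs must sit behind both an authentication boundary and a capability test, not one or the other.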
Wordfence confirmed the vulnerability on October 15 and notified the plugin’s developer, Saad Iqbal, the same day. A patch was released on October 29 with Post SMTP version 3.6.1.
However, WordPress.org data shows that only about half of users have updated so far. This means that around 210,000 websites remain at risk.