Exploited ‘Post SMTP’ Plugin Flaw Exposes WordPress Sites to Takeover 

The critical vulnerability allows attackers to read arbitrary emails, including password reset messages.

Hundreds of thousands of websites may be exposed to account takeover attacks due to a critical-severity vulnerability in the email delivery WordPress plugin Post SMTP, Defiant warns.

A WordPress plugin with more than 400,000 active installations, Post SMTP was designed to replace a website’s default PHP mail function with an SMTP one. It provides various features, including email logging capabilities.

Post SMTP versions up to 3.6.0 lack a capability check in a specific function, thus allowing unauthenticated attackers to read arbitrary logged emails sent using the plugin.

Because the attacker can read password reset emails sent via Post SMTP, they can take over any account on the website, including administrative accounts.

“This can be used for complete site compromise by an attacker triggering a password reset for a site’s administrator user, and then obtaining the password reset email through the log data. Once an attacker has access to this key, they can reset the password for that user and log in to the account,” Defiant notes.
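To make the missing capability check concrete, here is an added illustration (not Post SMTP's own code; the action, function and post type names are invented for this example) of an AJAX handler that returns a logged email, shown in its weak form beside a hardened one:

```php
<?php
// Hypothetical illustration of the bug class described above: an AJAX
// handler that returns logged email bodies. Names are invented for this
// example and do not correspond to Post SMTP's real functions or options.

// WEAK: routed for unauthenticated callers and performs no capability check,
// so anyone who can reach admin-ajax.php can read logged emails, including
// password reset messages.
add_action( 'wp_ajax_nopriv_example_get_email_log', 'example_get_email_log_weak' );
add_action( 'wp_ajax_example_get_email_log', 'example_get_email_log_weak' );
function example_get_email_log_weak() {
    $id  = isset( $_GET['log_id'] ) ? absint( $_GET['log_id'] ) : 0;
    $log = get_post( $id );
    wp_send_json_success( array( 'body' => $log ? $log->post_content : '' ) );
}

// HARDENED: only authenticated requests are routed (no wp_ajax_nopriv_ hook),
// the caller must hold an administrative capability, and the request must
// carry a valid nonce tied to this action.
add_action( 'wp_ajax_example_get_email_log_safe', 'example_get_email_log_safe' );
function example_get_email_log_safe() {
    // Reject requests without a valid nonce (CSRF protection); dies on failure.
    check_ajax_referer( 'example_email_log', 'nonce' );

    // Capability check: the piece described as missing in the flaw above.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $id  = isset( $_GET['log_id'] ) ? absint( $_GET['log_id'] ) : 0;
    $log = get_post( $id );

    // Only serve records of the log post type, never arbitrary posts.
    if ( ! $log || 'example_email_log' !== $log->post_type ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }
    wp_send_json_success( array( 'body' => $log->post_content ) );
}
```

The hardened handler fails closed on all three checks, which is the behaviour a plugin exposing email logs needs regardless of how the request reaches it.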

The vulnerability is tracked as CVE-2025-11833 (CVSS score of 9.8) and was resolved in Post SMTP version 3.6.1, on October 29.

According to Defiant, in-the-wild exploitation of the security defect started roughly three days after patches were released. The WordPress security firm has blocked over 4,500 attacks to date.

“We urge users to update their sites with the latest patched version of Post SMTP, version 3.6.1 at the time of this publication, as soon as possible, as active exploitation has already started and we expect the campaign to pick up soon,” Defiant notes.

Based on WordPress’s statistics, Post SMTP was downloaded fewer than 200,000 times over the past seven days, which suggests that roughly 200,000 websites are potentially exposed to takeover because of the bug.

The flaw was reported by a researcher named Netranger via the Wordfence Bug Bounty Program. The researcher was awarded a $7,800 bug bounty for the discovery.

Related: Year-Old WordPress Plugin Flaws Exploited to Hack Websites

Related: Flaw Allowing Website Takeover Found in WordPress Plugin With 400k Installations

Related: Hackers Inject Malware Into Gravity Forms WordPress Plugin

Related: Forminator WordPress Plugin Vulnerability Exposes 400,000 Websites to Takeover

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.