Severity
High
Analysis Summary
A critical flaw (CVE-2025-11833, CVSS high) in the popular Post SMTP WordPress plugin exposed email logs on more than 400,000 sites, allowing unauthenticated attackers to read stored messages that can contain password-reset links. The vulnerability was discovered by a researcher through Wordfence’s bug bounty program on October 11, 2025; WP Experts released a patch (v3.6.1) on October 29, 2025, fixing all versions ≤ 3.6.0. Wordfence issued firewall rules to Premium users on October 15, 2025, with free users receiving protections by November 14, 2025; despite these mitigations, active exploitation attempts were observed after November 1, 2025, with 4,500+ blocks reported.
The root cause is a missing authorization check inside the plugin’s PostmanEmailLogs constructor: the code responds to unauthenticated GET requests (using the parameters page=postman_email_log, view=log, and log_id) and renders email bodies without verifying user capabilities. Because the plugin logs outbound email (including password resets), attackers can trigger a password reset for an admin account and then fetch the logged reset message through the unprotected interface. That two-step sequence (trigger reset → read reset email) allows a full account takeover and ultimately complete website compromise: uploading web shells, modifying content, or redirecting users.
From a risk perspective this is high-impact and trivially exploitable on unpatched installs: the wide deployment of the plugin creates a large attack surface, the vulnerability is unauthenticated, and the email-log content often includes the exact information needed to hijack administrator accounts. The disclosure timeline and rapid patching were appropriate, but sites that delayed updating or rely on older backups remain at risk. Detection and prevention are possible (firewall rules, WAF signatures, and monitoring) but the fastest and most reliable mitigation is applying the vendor patch.
Immediate recommended actions: update Post SMTP to v3.6.1 right away; if you cannot update immediately, disable the plugin’s email logging feature or block access to the plugin admin endpoints with a WAF or webserver rules; force password resets for administrator accounts and rotate any exposed credentials; review access logs and installed files for signs of compromise (unauthorized admin logins, new admin users, webshells); revoke stale sessions and API keys; and monitor for indicators of exploitation. Finally, prioritize recovery steps (restore from known-good backups if compromise is confirmed) and apply regular patching and least-privilege controls to avoid similar exposures.
Impact
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-11833
Remediation
- Update the Post SMTP plugin to v3.6.1 (or later) on every affected site.
- If you cannot update immediately, disable the plugin’s email logging feature or deactivate the plugin until patched.
- Apply firewall/WAF rules to block access to the plugin admin endpoints (requests with page=postman_email_log / view=log / log_id).
- Force a password reset for all administrator accounts and revoke active sessions.
- Check webserver and WordPress access logs for suspicious requests to the plugin endpoints and for unusual admin logins.
- Scan the site filesystem for web shells, recently modified files, and unknown admin users.
- Restore from a known-good backup if you find evidence of compromise; otherwise perform incident response steps (isolate site, preserve logs).
- Rotate any exposed credentials (admin passwords, API keys, SMTP credentials, secrets).
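To support the log-review and WAF-rule items above, here is an added example (not from the advisory, Wordfence, or the plugin) that parses combined-format access-log lines and flags requests carrying the page=postman_email_log / view=log / log_id parameter set, regardless of the path they were sent to. The log lines are constructed samples; the /wp-admin/admin.php path in them is an assumption, not something the advisory states.

```python
"""Flag access-log lines matching the Post SMTP email-log request pattern
(page=postman_email_log, view=log, log_id) named in this advisory."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format:
# ip ident user [time] "METHOD path HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return a dict of fields (with the query string split out), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["path"])
    rec["path"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec

def is_email_log_request(rec):
    """True when all three parameters of the unprotected view are present.
    The path is deliberately ignored: the check keys on the query string only."""
    q = rec["query"]
    return q.get("page") == "postman_email_log" and q.get("view") == "log" and "log_id" in q

def find_suspicious(lines):
    """Return (ip, time, status, log_id) for every matching request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_email_log_request(rec):
            hits.append((rec["ip"], rec["time"], rec["status"], rec["query"]["log_id"]))
    return hits

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Nov/2025:10:15:01 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1234 "-" "curl/8.0"
203.0.113.5 - - [02/Nov/2025:10:15:09 +0000] "GET /wp-admin/admin.php?page=postman_email_log&view=log&log_id=42 HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.7 - - [02/Nov/2025:10:16:00 +0000] "GET /wp-admin/admin.php?page=postman_email_log HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Nov/2025:10:17:30 +0000] "GET /?p=1 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print("email-log read:", hit)
```

A 200 status on a hit from a client with no admin session is the signal to act on; the same parameter check can be turned into a WAF or webserver rule that denies such requests until the site is on v3.6.1.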

