Exploited ‘Post SMTP’ Plugin Flaw Exposes WordPress Sites to Takeover 

A critical vulnerability in the Post SMTP WordPress plugin lets unauthenticated attackers read the emails the plugin logs, including password reset messages, and use them to take over accounts up to and including administrators. Update to version 3.6.1 immediately: exploitation is already under way and hundreds of thousands of sites are exposed. #PostSMTP #WordPressVulnerability

Key points

  • The vulnerability affects Post SMTP versions up to and including 3.6.0 and allows unauthenticated access to the plugin’s email logs.
  • Attackers can read password reset emails from those logs and hijack the corresponding user accounts, including administrator accounts.
  • The flaw is tracked as CVE-2025-11833 and was fixed in version 3.6.1, released on October 29.
  • Exploitation began within days of the patch; Defiant (the Wordfence vendor) reports blocking over 4,500 attack attempts.
  • Roughly 200,000 sites are estimated to still run an unpatched version, given the plugin’s wide install base.
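
The one check worth scripting here is whether a site still runs a version at or below 3.6.0. The script below is an added example, not code from the SecurityWeek article or from the Post SMTP project; it assumes WP-CLI is available as `wp`, that the site root (default: current directory) contains `wp-config.php`, and that the plugin’s wordpress.org slug is `post-smtp`. The version comparison is done per dotted component in plain POSIX sh so it does not depend on GNU `sort -V`, and it treats only numeric versions (e.g. `3.6.0`, `3.6.10`) as input.

```shell
#!/bin/sh
# Added example (not from the article or the Post SMTP project).
# Assumptions: `wp` (WP-CLI) is on PATH, the site root holds wp-config.php,
# and the plugin slug is `post-smtp`. Versions are numeric dotted strings.

FIXED_VERSION="3.6.1"   # first patched release, per the article

# version_lt A B: exit 0 if dotted version A is older than B, comparing each
# numeric component in turn and treating a missing component as 0 (3.6 == 3.6.0).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"            # leading component of each
        [ "$a" = "$ai" ] && a="" || a="${a#*.}" # drop it, or finish when none left
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1   # all components equal: not older
}

# post_smtp_vulnerable VERSION: exit 0 if VERSION is older than 3.6.1,
# i.e. at or below 3.6.0, the range the advisory describes as affected.
post_smtp_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# main [site-root]: query the installed version via WP-CLI and update if needed.
main() {
    site="${1:-.}"
    if ! command -v wp >/dev/null 2>&1 || [ ! -f "$site/wp-config.php" ]; then
        echo "skip: WP-CLI or $site/wp-config.php not found" >&2
        return 0
    fi
    installed="$(wp --path="$site" plugin get post-smtp --field=version 2>/dev/null)" || {
        echo "ok: post-smtp is not installed at $site"
        return 0
    }
    if post_smtp_vulnerable "$installed"; then
        echo "VULNERABLE: Post SMTP $installed (< $FIXED_VERSION) at $site; updating"
        wp --path="$site" plugin update post-smtp
    else
        echo "ok: Post SMTP $installed at $site"
    fi
}

main "$@"
```

Run it as `sh check-post-smtp.sh /var/www/site` (hypothetical path) on each host, or loop it over every site root in a multi-site estate. Updating closes the read path but does not undo any takeover that already happened, so on sites that were exposed before patching, also review the administrator user list and recent password changes for accounts whose reset emails could have been logged.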

Read More: https://www.securityweek.com/exploited-post-smtp-plugin-flaw-exposes-wordpress-sites-to-takeover/