Cybercriminals are exploiting a critical vulnerability in the Post SMTP plugin for WordPress, affecting over 400,000 sites and enabling complete administrator account hijacking. Updating immediately or disabling the plugin is essential to prevent full site compromise. #CVE-2025-11833 #Wordfence
Key points
- The vulnerability CVE-2025-11833 allows unauthorized access to logged email data in Post SMTP.
- Hackers have been actively exploiting this flaw since November 1, leading to over 4,500 blocked attempts.
- The issue affects all versions of Post SMTP up to 3.6.0; the plugin's constructor lacks a proper authorization check.
- Applying the patch in version 3.6.1 is crucial to mitigate the risk of account takeover and site compromise.
- A prior vulnerability, CVE-2025-24000, also allowed unauthorized access to email logs and could lead to similar exploits.
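As an added example (not code from the article, Wordfence or the Post SMTP project), here is a small POSIX shell helper a site operator could use to check whether the installed Post SMTP version is still older than the patched 3.6.1 release and, if so, update it with WP-CLI. It assumes the WordPress.org plugin slug post-smtp and that the wp command is available for the site path given.

```shell
#!/bin/sh
# Added example, not the plugin's or the article's code. Checks whether the
# installed Post SMTP version predates the patched release 3.6.1 and updates
# it with WP-CLI. Assumes the plugin slug "post-smtp" and that wp-cli is
# installed for the WordPress site at the given path.
PATCHED="3.6.1"

# Returns 0 (true) if version $1 is older than the patched release, 1 otherwise.
# sort -V orders version strings numerically, so 3.6.0 < 3.6.1 < 3.10.0.
post_smtp_is_vulnerable() {
    ver="$1"
    [ -z "$ver" ] && return 1
    lowest=$(printf '%s\n%s\n' "$ver" "$PATCHED" | sort -V | head -n 1)
    [ "$lowest" = "$ver" ] && [ "$ver" != "$PATCHED" ]
}

# Query the installed version via WP-CLI and update the plugin if it is
# still vulnerable. Site path defaults to the current directory.
check_and_update() {
    wp_path="${1:-.}"
    installed=$(wp plugin get post-smtp --field=version --path="$wp_path" 2>/dev/null) || {
        echo "Post SMTP is not installed at $wp_path"
        return 0
    }
    if post_smtp_is_vulnerable "$installed"; then
        echo "Post SMTP $installed is vulnerable (CVE-2025-11833); updating to the patched release"
        wp plugin update post-smtp --path="$wp_path"
    else
        echo "Post SMTP $installed is already at or above $PATCHED"
    fi
}
```

Run it as `check_and_update /var/www/example` (path is a constructed placeholder); the version check alone can be reused against a list of sites pulled from an inventory.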