Critical Flaw in Post SMTP WordPress Plugin Allows Full Site Takeover

A critical vulnerability in the popular Post SMTP WordPress plugin is being actively exploited by hackers to hijack administrator accounts and seize control of websites. The flaw, tracked as CVE-2025-11833, has a severity rating of 9.8 and stems from a lack of authorization checks in the plugin's email log function. This allows unauthenticated attackers to access logged emails, including password reset messages containing links that can be used to change an admin's password.
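The mechanism described above is a missing authorization check on a log-reading endpoint, combined with the fact that the log stores password-reset messages verbatim. The following PHP is an added illustration written for this page, not Post SMTP's own code: it uses a hypothetical plugin named `acme-mailer` (all `acme_mailer_*` names, the option key and the route paths are assumptions) to show the vulnerable pattern beside its hardened form, plus a defense-in-depth step that keeps reset links out of the log in the first place. The WordPress APIs it calls (`wp_mail` filter, `register_rest_route`, `current_user_can`, `get_option`/`update_option`) are real.

```php
<?php
/*
 * Added example (hypothetical "acme-mailer" plugin, not Post SMTP's code).
 * Shows the vulnerability class from the article: an email log exposed through
 * an endpoint that performs no authorization check, beside the hardened form.
 */

// Hypothetical storage: one option holding the most recent outbound messages.
// Real plugins usually use a custom table; the shape here is an assumption.
function acme_mailer_get_log() {
    return get_option( 'acme_mailer_log', array() );
}

// WordPress password-reset links have the form
// wp-login.php?action=rp&key=<reset key>&login=<user>. The key alone lets the
// holder set a new password, so it must never be persisted in a log.
function acme_mailer_redact_reset_links( $message ) {
    return preg_replace( '/(action=rp&(?:amp;)?key=)[^&\s<]+/i', '${1}[REDACTED]', $message );
}

// Hooked into the real wp_mail filter, which receives to/subject/message/headers/attachments.
function acme_mailer_record( $args ) {
    $log   = acme_mailer_get_log();
    $log[] = array(
        'time'    => time(),
        'to'      => $args['to'],
        'subject' => $args['subject'],
        // Defense in depth: even if the log is later exposed, the reset key is gone.
        'message' => acme_mailer_redact_reset_links( $args['message'] ),
    );
    // Keep only the last 200 entries; autoload=false keeps the option off every page load.
    update_option( 'acme_mailer_log', array_slice( $log, -200 ), false );
    return $args;
}
add_filter( 'wp_mail', 'acme_mailer_record' );

add_action( 'rest_api_init', function () {
    // VULNERABLE PATTERN: a permission_callback that always returns true is
    // exactly "no authorization check". Anyone on the internet can GET this
    // route and read every logged message, reset links included.
    register_rest_route( 'acme-mailer/v1', '/log-insecure', array(
        'methods'             => 'GET',
        'callback'            => 'acme_mailer_get_log',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED PATTERN: only users holding manage_options (administrators by
    // default) may read the log. Cookie-authenticated REST requests that lack a
    // valid X-WP-Nonce are treated by WordPress as logged out, so the capability
    // check fails for them as well; application-password auth works normally.
    register_rest_route( 'acme-mailer/v1', '/log', array(
        'methods'             => 'GET',
        'callback'            => 'acme_mailer_get_log',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

The two routes share one callback on purpose: the only difference between the exposed and the protected log is the authorization decision made before the callback runs, which is where a review of any log, export or debug endpoint should start. The redaction filter is independent of that decision and limits the damage if a future bug reopens the endpoint.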

The vulnerability affects all Post SMTP versions up to and including 3.6.0, impacting over 400,000 installations. Although a patched version (3.6.1) was released on October 29, approximately 210,000 sites remain vulnerable. Since November 1, security firms have blocked thousands of exploitation attempts targeting this flaw.

This is the second major vulnerability discovered in the plugin this year, following a similar issue (CVE-2025-24000) disclosed in July. Website administrators are urged to immediately update to the latest version of Post SMTP or disable the plugin if an update is not feasible. The ongoing attacks highlight the significant risk posed by unpatched plugins in the WordPress ecosystem.
