400,000 WordPress Sites Affected by Critical Post SMTP Plugin Vulnerability

Deepanker Verma November 4, 2025 Security

A serious security flaw has been disclosed in Post SMTP, a WordPress email-delivery plugin installed on more than 400,000 websites. The vulnerability lets an unauthenticated attacker take over any account on an affected site, including administrator accounts.

According to Wordfence, the flaw affects Post SMTP versions 3.6.0 and earlier. The plugin keeps a log of the emails the site sends, and the code that serves that log does not check whether the requester is authorized to see it, so anyone, logged in or not, can read the stored messages. Because WordPress delivers password reset links by email, those links end up in the log along with everything else the site has sent.

An attacker who requests a password reset for a target account (the standard lost-password form needs only a username or email address) can read the resulting reset link out of the exposed log and set a new password for that account. Resetting an administrator's password hands over full control of the site, after which the attacker can install malicious plugins or themes, change site content, or redirect visitors to harmful websites.
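The bug class described above is a missing authorization check on an endpoint that returns stored email. The snippet below is an added illustration written for this article, not code from Post SMTP or from Wordfence's advisory: the hook names, the `example_` function names and the `{prefix}example_email_log` table are all assumptions. It shows a log-reading AJAX handler that anyone can call beside a hardened version that requires an administrator capability and a valid nonce.

```php
<?php
// Illustrative WordPress plugin code (not Post SMTP's own). It demonstrates the
// bug class in the article: an endpoint that returns stored email log entries
// without checking who is asking, next to a hardened version of the same endpoint.
// All hook names, function names and the table name are assumptions for this example.

// --- Vulnerable pattern -------------------------------------------------------
// Registering the handler on both hooks makes it reachable by logged-in users AND
// anonymous visitors (wp_ajax_nopriv_*), and the handler itself never checks a
// capability or a nonce. Any email the site sent, including a password reset
// message for an administrator, is returned to whoever asks for it.
add_action( 'wp_ajax_example_get_email_log',        'example_get_email_log_vulnerable' );
add_action( 'wp_ajax_nopriv_example_get_email_log', 'example_get_email_log_vulnerable' );

function example_get_email_log_vulnerable() {
    global $wpdb;
    $id  = absint( $_GET['id'] ?? 0 );
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT subject, body FROM {$wpdb->prefix}example_email_log WHERE id = %d",
            $id
        ),
        ARRAY_A
    );
    wp_send_json_success( $row ); // reset link in $row['body'] goes to the caller
}

// --- Hardened pattern ---------------------------------------------------------
// Only the authenticated hook is registered, the handler requires the
// manage_options capability (administrators), and the request must carry a nonce
// so that an administrator cannot be tricked into triggering it from another site.
add_action( 'wp_ajax_example_get_email_log_safe', 'example_get_email_log_safe' );

function example_get_email_log_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() terminates the request after sending the response.
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    // Dies with a 403 if the 'nonce' parameter is missing or invalid.
    check_ajax_referer( 'example_email_log_nonce', 'nonce' );

    global $wpdb;
    $id  = absint( $_GET['id'] ?? 0 );
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT subject, body FROM {$wpdb->prefix}example_email_log WHERE id = %d",
            $id
        ),
        ARRAY_A
    );
    if ( null === $row ) {
        wp_send_json_error( 'Not found', 404 );
    }
    wp_send_json_success( $row );
}
```

The capability check is the one that matters for this vulnerability: a nonce on its own would not have helped, because `check_ajax_referer` only proves the request came from a page that issued the nonce, not that the requester is allowed to read other users' email.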

The vulnerability, identified as CVE-2025-11833, was reported to Wordfence on October 11, 2025, by security researcher netranger through the Wordfence Bug Bounty Program. The researcher earned a $7,800 reward for the discovery.

Wordfence confirmed the issue and released a firewall rule to Wordfence Premium, Care, and Response users on October 15, 2025; users of the free version receive the same rule on November 14, 2025. The vendor, WP Experts, responded promptly and released the patched version 3.6.1 on October 29, 2025. The firewall rule blocks exploit attempts but does not correct the plugin's code, so it is a stopgap rather than a replacement for the update.

Wordfence has already observed exploitation in the wild, reporting more than 4,500 blocked attack attempts since November 1, 2025. Given the size of the plugin's install base, the volume of attacks is expected to rise in the coming days.

If your website uses the Post SMTP plugin, update it to version 3.6.1 or later immediately; the update adds the missing authorization check that let attackers read the email logs.

The vulnerability carries a CVSS score of 9.8 (critical), and delaying the update can mean complete site compromise. Because exploitation began before many sites had updated, patching alone does not undo an intrusion that has already happened: if the site ran a vulnerable version while exposed, also check it for plugins, themes, or content changes you did not make.

Wordfence also advises sharing this warning with anyone who manages WordPress sites running the Post SMTP plugin, since active exploitation has already begun.


About the Author: Deepanker Verma

Deepanker Verma is a well-known technology blogger and gadget reviewer based in India. He has been writing about Tech for over a decade.
