Attacks observed: Vulnerability in WordPress Post SMTP plug-in allows takeover

Attacks are targeting a security vulnerability in the WordPress plug-in Post SMTP. It allows unauthenticated attackers to take over instances.


The WordPress plug-in Post SMTP is used in more than 400,000 active installations. IT researchers have discovered a security vulnerability in it that allows unauthenticated attackers to take over accounts and, consequently, the entire WordPress instance. Attacks on the vulnerability have already been ongoing since the weekend. An updated plug-in is available.

This is reported by the IT security company Wordfence in a current blog post. The vulnerability in the Post SMTP plug-in allows unauthenticated attackers to view email logs, including password-reset emails. This enables them to change the passwords of any user, including administrators. Malicious actors can thus take over accounts and, consequently, the entire WordPress website (CVE-2025-11833, CVSS 9.8, risk “critical”).

Wordfence's firewall systems have already repelled more than 4500 attacks on the vulnerability from November 1st to Monday of this week, the company explains. IT managers should therefore ensure that they update to a corrected version of the plug-in as quickly as possible. Version 3.6.1 of Post SMTP has been available since October 29th, correcting the security-relevant errors in versions 3.6.0 and older.
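A quick inventory check against the fixed version, as an added example that is not from the article or from Wordfence: it assumes the plug-in's directory slug is `post-smtp` and parses the JSON that `wp plugin list --format=json` prints on the affected site.

```python
import json
import re

# Directory slug of the plug-in (assumed; adjust if your install differs)
POST_SMTP_SLUG = "post-smtp"
# First corrected release named in the advisory; 3.6.0 and older are affected
FIXED_VERSION = "3.6.1"


def version_key(version):
    """Map '3.6.0' or '3.6.1-beta1' to a comparable key.
    The numeric part is padded to three fields; any suffix such as
    '-beta' marks a pre-release, which sorts below the plain release."""
    core, sep, _suffix = version.partition("-")
    parts = [int(p) for p in re.findall(r"\d+", core)]
    parts += [0] * (3 - len(parts))
    return (tuple(parts[:3]), 0 if sep else 1)


def is_affected(version):
    """True when the installed version predates the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def audit_plugins(wp_plugin_list_json):
    """Take the output of `wp plugin list --format=json` and return one
    finding per installed copy of Post SMTP. An inactive copy is still
    reported: the safe states are updated or removed, not merely disabled."""
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        if plugin.get("name") != POST_SMTP_SLUG:
            continue
        version = plugin.get("version", "")
        affected = is_affected(version)
        findings.append({
            "version": version,
            "status": plugin.get("status"),
            "affected": affected,
            "action": "update to %s or later" % FIXED_VERSION if affected else "none",
        })
    return findings


# Constructed sample resembling `wp plugin list --format=json` output
SAMPLE = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "post-smtp", "status": "active", "update": "available", "version": "3.6.0"},
])

if __name__ == "__main__":
    for finding in audit_plugins(SAMPLE):
        print(finding)
```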

Post SMTP is a plug-in whose provider already describes it in the name as a “complete SMTP solution with logs, alarms, backup, SMTP, and mobile app.” It is intended to help when admins encounter a problem with email delivery via WordPress. This is particularly the case in some hosting environments that do not allow email sending via PHP mail. According to its entry in the WordPress directory, it is used in more than 400,000 active installations.


WordPress plug-ins often suffer from serious security vulnerabilities that allow account or even instance compromise. At the end of August, the Dokan Pro plug-in was affected. This is a marketplace system where users can register as sellers with their marketplace shop.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.