Post SMTP Plugin Vulnerability Exploited to Hijack WordPress Admin Accounts
Summary
A critical vulnerability in the Post SMTP WordPress plugin, tracked as CVE-2025-11833, is being actively exploited to hijack administrator accounts. Post SMTP is a popular email delivery plugin for WordPress with over 400,000 downloads. The flaw, a missing capability check in the plugin's email log handling, lets unauthenticated attackers read arbitrary logged emails, including password reset messages; an attacker who can read the password reset message for an administrator account can use the reset link it contains, leading to account takeover and full site compromise. The vulnerability affects Post SMTP 3.6.0 and earlier. It was reported on October 11 and patched on October 29, but as of November 4 at least 210,000 sites remain vulnerable. Exploitation attempts began on November 1, with over 4,500 blocked attempts since then.
Timeline
- 04.11.2025 23:46 (2 articles)
Active Exploitation of Post SMTP Plugin Vulnerability
The Post SMTP plugin has over 400,000 downloads, indicating widespread use. The vulnerability was discovered by a user named "netranger" through Wordfence's bug bounty program, earning a $7,800 bounty. Wordfence has issued a firewall rule to protect against the vulnerability for Premium, Care, and Response users, with free users receiving protection on November 14. The flaw is due to a missing capability check in the __construct function of the PostmanEmailLogs class.
- Hackers exploit WordPress plugin Post SMTP to hijack admin accounts — www.bleepingcomputer.com — 04.11.2025 23:46
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
Information Snippets
- The Post SMTP plugin is a popular email delivery solution for WordPress.
First reported: 04.11.2025 23:46 (2 sources, 2 articles)
- Hackers exploit WordPress plugin Post SMTP to hijack admin accounts — www.bleepingcomputer.com — 04.11.2025 23:46
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
- The vulnerability, CVE-2025-11833, affects Post SMTP 3.6.0 and earlier.
First reported: 04.11.2025 23:46 (2 sources, 2 articles)
- Hackers exploit WordPress plugin Post SMTP to hijack admin accounts — www.bleepingcomputer.com — 04.11.2025 23:46
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
- The flaw allows unauthenticated attackers to read arbitrary logged emails, including password reset messages.
First reported: 04.11.2025 23:46 (2 sources, 2 articles)
- Hackers exploit WordPress plugin Post SMTP to hijack admin accounts — www.bleepingcomputer.com — 04.11.2025 23:46
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
- The vulnerability was reported on October 11 and patched on October 29.
First reported: 04.11.2025 23:46 (2 sources, 2 articles)
- Hackers exploit WordPress plugin Post SMTP to hijack admin accounts — www.bleepingcomputer.com — 04.11.2025 23:46
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
- As of November 4, at least 210,000 sites remain vulnerable to admin takeover attacks.
First reported: 04.11.2025 23:46 (2 sources, 2 articles)
- Hackers exploit WordPress plugin Post SMTP to hijack admin accounts — www.bleepingcomputer.com — 04.11.2025 23:46
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
- Exploitation attempts began on November 1, with over 4,500 blocked attempts since then.
First reported: 04.11.2025 23:46 (2 sources, 2 articles)
- Hackers exploit WordPress plugin Post SMTP to hijack admin accounts — www.bleepingcomputer.com — 04.11.2025 23:46
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
- The Post SMTP plugin has over 400,000 downloads, indicating widespread use.
First reported: 05.11.2025 16:35 (1 source, 1 article)
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
- Wordfence received the vulnerability report through its bug bounty program.
First reported: 05.11.2025 16:35 (1 source, 1 article)
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
- The vulnerability was discovered by a user named "netranger" and earned a $7,800 bounty.
First reported: 05.11.2025 16:35 (1 source, 1 article)
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
- Wordfence issued a firewall rule to protect against CVE-2025-11833 for Premium, Care, and Response users.
First reported: 05.11.2025 16:35 (1 source, 1 article)
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
- Free Wordfence users will receive the same protection on November 14.
First reported: 05.11.2025 16:35 (1 source, 1 article)
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
- The flaw is due to a missing capability check in the __construct function of the PostmanEmailLogs class.
First reported: 05.11.2025 16:35 (1 source, 1 article)
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
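The PHP below is an added illustration of the bug class named in the timeline and in the snippet above (a request handler wired up from a class constructor that serves stored email logs without checking who is asking), shown next to a hardened version. It is not code from Post SMTP or from Wordfence's writeup: the class, hook and parameter names (Example_Email_Logs_Vulnerable, Example_Email_Logs_Hardened, example_log_id, example_view_log_) and the sample log entry are invented, and only the WordPress API calls (add_action, current_user_can, check_admin_referer, wp_die, wp_nonce_url, add_query_arg, admin_url) are real.

```php
<?php
/**
 * Illustrative example, not Post SMTP's code. Names and hooks are invented;
 * the sample log entry is constructed so the file is self-contained.
 */

// Stand-in for the plugin's log storage (a database table in a real plugin).
function example_load_log( int $log_id ): ?array {
    $logs = array(
        7 => array(
            'to'      => 'admin@example.test',
            'subject' => '[Example] Password Reset',
            'body'    => 'Visit the following address to reset your password: ...',
        ),
    );
    return $logs[ $log_id ] ?? null;
}

/**
 * VULNERABLE: the constructor registers a handler that hands log contents to
 * anyone who supplies a log id. There is no capability check and no nonce,
 * and the hook fires for unauthenticated requests, so an attacker who has
 * requested a password reset for an administrator can read the reset email.
 */
class Example_Email_Logs_Vulnerable {
    public function __construct() {
        add_action( 'init', array( $this, 'maybe_render_log' ) );
    }

    public function maybe_render_log(): void {
        if ( ! isset( $_GET['example_log_id'] ) ) {
            return;
        }
        $log = example_load_log( (int) $_GET['example_log_id'] );
        if ( $log ) {
            header( 'Content-Type: text/plain; charset=utf-8' );
            echo $log['body'];
        }
        exit;
    }
}

/**
 * HARDENED: same feature, but the handler refuses the request unless the
 * caller holds an administrative capability and presents a valid nonce.
 * The capability check is the fix; the nonce only adds CSRF protection and
 * must not stand in for it, since nonces can leak to low-privileged users.
 */
class Example_Email_Logs_Hardened {
    public function __construct() {
        // admin_init also fires for admin-ajax.php, which unauthenticated users
        // can reach, so the hook choice alone is not a security boundary.
        add_action( 'admin_init', array( $this, 'maybe_render_log' ) );
    }

    public function maybe_render_log(): void {
        if ( ! isset( $_GET['example_log_id'] ) ) {
            return;
        }
        $log_id = (int) $_GET['example_log_id'];

        // 1. Authorization: only users who may manage the site read mail logs.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'You are not allowed to view email logs.', 403 );
        }
        // 2. CSRF: the link to this view must carry a nonce bound to this log id.
        check_admin_referer( 'example_view_log_' . $log_id );

        $log = example_load_log( $log_id );
        if ( ! $log ) {
            wp_die( 'Log entry not found.', 404 );
        }
        header( 'Content-Type: text/plain; charset=utf-8' );
        echo $log['body'];
        exit;
    }
}

// Builds a link that satisfies the hardened handler, for use on the plugin's
// own admin screen (invented helper).
function example_log_view_url( int $log_id ): string {
    $url = add_query_arg( 'example_log_id', $log_id, admin_url( 'admin.php' ) );
    return wp_nonce_url( $url, 'example_view_log_' . $log_id );
}
```

The order of the two checks in the hardened handler matters: capability first, nonce second. A nonce alone would not have prevented this class of bug, because WordPress nonces are per-user tokens for CSRF, not an authorization mechanism, and the Anti-Malware Security snippet under Similar Happenings shows the failure mode when a nonce is treated as one.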
Similar Happenings
Critical vulnerabilities in Elementor King Addons plugin affect 10,000 WordPress sites
The Elementor King Addons plugin, used by over 10,000 WordPress sites, has two unauthenticated critical vulnerabilities. These flaws can lead to full site takeovers. The vulnerabilities include an arbitrary file upload flaw (CVE-2025-6327) and a privilege escalation issue (CVE-2025-6325). The plugin's vendor has released version 51.1.37 to address these issues. The arbitrary file upload vulnerability allows attackers to place files in web-accessible directories due to improper nonce handling and file validation. The privilege escalation flaw permits attackers to create administrator accounts by exploiting the registration endpoint. Site administrators should update the plugin immediately to mitigate the risk of full site compromise.
Anti-Malware Security and Brute-Force Firewall plugin vulnerability exposes private data
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, has a vulnerability that allows authenticated subscribers to read arbitrary files on the server, potentially exposing private information. The flaw, tracked as CVE-2025-11705, affects versions 4.23.81 and earlier. The vulnerability stems from missing capability checks in the GOTMLS_ajax_scan() function, which processes AJAX requests using a nonce that attackers can obtain. This oversight allows low-privileged users to read sensitive data, including the wp-config.php configuration file, which stores database credentials. With access to the database, an attacker can extract password hashes, users’ emails, posts, and other private data. The vulnerability was reported to Wordfence by researcher Dmitrii Ignatyev and was patched by the vendor in version 4.23.83, released on October 15, 2025. Wordfence recommends applying the patch to mitigate the risk of exploitation.
Mass Exploitation Campaign Targets Outdated WordPress Plugins
A widespread campaign is exploiting outdated WordPress plugins GutenKit and Hunk Companion, targeting critical vulnerabilities to achieve remote code execution (RCE). The campaign, which began on October 8, 2025, exploited three critical-severity flaws in the plugins, affecting over 48,000 installs. Attackers use malicious plugins hosted on GitHub to maintain persistence, steal data, and execute commands on compromised sites. Wordfence has blocked nearly 8.8 million exploitation attempts. The vulnerabilities were patched in October and December 2024, but many sites remain unpatched.