
Post SMTP development team security patch release for CVE-2025-11833

Security Patch Release
2 unique sources, 2 articles

Summary


The Post SMTP development team released version 3.6.1 on Oct. 29 to fix CVE-2025-11833, closing a critical WordPress plug-in flaw that could let attackers take over affected sites. The patch applies to the vulnerable release line through 3.6.0 and addresses a 9.8 CVSS missing-capability-check bug. Users were told to update immediately because exploitation had already started.

Timeline

  1. 05.11.2025 16:35 · 1 article

    Wordfence receives Post SMTP flaw report

    Initial Disclosure

    Wordfence received a bug bounty report for the Post SMTP WordPress plug-in on Oct. 11, flagging the flaw later tracked as CVE-2025-11833 in versions up to and including 3.6.0.

  2. 05.11.2025 16:35 · 3 articles

    Post SMTP releases version 3.6.1

    Mitigation Patch Update

    After Wordfence reported the flaw to the Post SMTP development team, the plug-in was updated to version 3.6.1 on Oct. 29 to address CVE-2025-11833.

  3. 05.11.2025 16:35 · 1 article

    Attackers begin targeting Post SMTP vulnerability

    Exploitation Observed

    On Nov. 1, threat actors started targeting the Post SMTP vulnerability in the WordPress plug-in, using the flaw to take over WordPress accounts and websites.

  4. 05.11.2025 16:35 · 1 article

    Wordfence details password-reset takeover path

    Technical Analysis Update

    Wordfence's analysis said the missing capability check on the `__construct` function in all versions up to and including 3.6.0 lets unauthenticated attackers view logged email, reset administrator passwords, and take over websites. The company also warned that a large campaign would likely start in the next few days and said more than 4,500 attacks had already been blocked.
