Post SMTP development team security patch release for CVE-2025-11833

Security Patch Release
2 unique sources, 2 articles

Summary

The Post SMTP development team released version 3.6.1 on Oct. 29 to fix CVE-2025-11833, closing a critical WordPress plug-in flaw that could let attackers take over affected sites. The patch applies to the vulnerable release line through 3.6.0 and addresses a 9.8 CVSS missing-capability-check bug. Users were told to update immediately because exploitation had already started.

Timeline

  1. 05.11.2025 16:35 1 article · 6mo ago

    Wordfence receives Post SMTP flaw report

    Initial Disclosure

    Wordfence received a bug bounty report for the Post SMTP WordPress plug-in on Oct. 11, flagging the flaw later tracked as CVE-2025-11833 in versions up to and including 3.6.0.

  2. 05.11.2025 16:35 3 articles · 6mo ago

    Post SMTP releases version 3.6.1

    Mitigation Patch Update

    After Wordfence reported the flaw to the Post SMTP development team, the plug-in was updated to version 3.6.1 on Oct. 29 to address CVE-2025-11833.

  3. 05.11.2025 16:35 1 article · 6mo ago

    Attackers begin targeting Post SMTP vulnerability

    Exploitation Observed

    On Nov. 1, threat actors started targeting the Post SMTP vulnerability in the WordPress plug-in, using the flaw to take over WordPress accounts and websites.

  4. 05.11.2025 16:35 1 article · 6mo ago

    Wordfence details password-reset takeover path

    Technical Analysis Update

    Wordfence's analysis said the missing capability check on the __construct function in all versions up to and including 3.6.0 lets unauthenticated attackers view logged email, reset administrator passwords, and take over websites. The company also warned that a large campaign would likely start in the next few days and said more than 4,500 attacks had already been blocked.