Post SMTP missing capability check actively exploited security flaw (CVE-2025-11833)
Vulnerability
Summary
CVE-2025-11833 in the Post SMTP WordPress plugin is under active exploitation, exposing sites running any version up to and including 3.6.0 to administrator account takeover and full site compromise. The flaw is a missing capability check in the PostmanEmailLogs class constructor (__construct), which lets unauthenticated attackers read logged email messages, including password reset emails; it carries a 9.8 CVSS score. Wordfence said it had already blocked more than 4,500 attacks. The fix shipped in Post SMTP 3.6.1.
Related Happenings
CISA KEV patch directive for CVE-2025-53521
Advisory/Mitigation
First: 30.03.2026 10:07
Last: 30.03.2026 10:07
Sources 1
About this happening:
CISA added **CVE-2025-53521** to its **KEV catalog** and told **federal agencies** to patch the F5 BIG-IP flaw within **three days**. The directive is urgent because the bug is be...
CISA SmarterMail remediation guidance for CVE-2026-24423
Advisory/Mitigation
First: 06.02.2026 19:16
Last: 06.02.2026 19:16
Sources 1
About this happening:
**SmarterMail** is at the center of a **CVE-2026-24423** remediation and exploitation wave: the flaw enables **unauthenticated remote code execution** in versions prior to **Build...
CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551
Public Sector Action
First: 04.02.2026 07:50
Last: 04.02.2026 07:50
Sources 1
About this happening:
**CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...
SmarterMail CVE-2026-23760 mass exploitation wave
Exploitation Wave
First: 27.01.2026 16:09
Last: 27.01.2026 16:09
Sources 1
About this happening:
**CVE-2026-23760** is being exploited against **SmarterMail** to bypass authentication on **internet-facing mail servers**, creating takeover risk across **thousands of exposed in...
Post SMTP CVE-2025-11833 exploitation wave
Exploitation Wave
First: 04.11.2025 23:46
Last: 04.11.2025 23:46
Sources 1
How related:
According to Wordfence, hackers started exploiting CVE-2025-11833 on November 1. Since then, the security firm has blocked over 4,500 exploit attempts on its customers.
About this happening:
**CVE-2025-11833** in the **Post SMTP** WordPress plugin is being actively exploited to hijack administrator accounts, putting **more than 400,000 sites** at risk of **full site c...
Timeline
- 05.11.2025 16:35 (1 article)
Wordfence receives bug bounty report for Post SMTP flaw
Initial Disclosure
Wordfence received a bug bounty report on Oct. 11 about a missing capability check in the Post SMTP WordPress plug-in.
Sources:
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
- 05.11.2025 16:35 (1 article)
Post SMTP releases version 3.6.1 to fix the flaw
Mitigation/Patch Update
After Wordfence reported the flaw to Post SMTP's development team, version 3.6.1 was released on Oct. 29 to fix the missing capability check in all versions up to and including 3.6.0.
Sources:
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
- 05.11.2025 16:35 (2 articles)
Attackers begin targeting CVE-2025-11833
Exploitation Observed
Attackers started targeting CVE-2025-11833 on Nov. 1, using the Post SMTP flaw to reset WordPress user passwords, including administrator accounts, and take over affected websites.
Sources:
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
- Hackers exploit WordPress plugin Post SMTP to hijack admin accounts — www.bleepingcomputer.com — 04.11.2025 23:46
- 05.11.2025 16:35 (1 article)
Wordfence details exploit path and update guidance
Technical Analysis Update
Wordfence rated CVE-2025-11833 at CVSS 9.8. Because the PostmanEmailLogs class constructor runs without a capability check, an unauthenticated attacker can read logged email messages, extract password reset emails from them, use those to reset administrator passwords, and achieve full site compromise. Wordfence urged WordPress users to update to version 3.6.1; Premium, Care, and Response customers already had a firewall rule, and free users were to receive the same protection on Nov. 14.
Sources:
- Critical Site Takeover Flaw Affects 400K WordPress Sites — www.darkreading.com — 05.11.2025 16:35
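To make the bug class concrete, the following PHP is an added example written for this page; it is not Post SMTP's code and is not taken from Wordfence's analysis. It shows a hypothetical email-log viewer built the way the summary and the Nov. 5 technical analysis entry describe the flaw (request handling inside __construct with no capability check) next to a hardened version that registers a handler and gates it on a capability check and a nonce. The class names, the example_view_log action, the view_log query parameter and the log table name are assumptions.

```php
<?php
/**
 * Added illustration of the bug class behind CVE-2025-11833. Not Post SMTP's
 * code. A hypothetical email-log viewer is shown first with the flaw and then
 * hardened. The class names, the 'example_view_log' action, the 'view_log'
 * query parameter and the table name are assumptions for this example.
 */

abstract class Example_Email_Logs_Base {
    /** Print one logged outbound email. Logged mail can include password-reset emails. */
    protected function render_log( $id ) {
        global $wpdb;
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT subject, body FROM {$wpdb->prefix}example_email_logs WHERE id = %d",
            $id
        ) );
        if ( $row ) {
            echo esc_html( $row->subject ) . "\n" . esc_html( $row->body );
        }
    }
}

/**
 * VULNERABLE: the constructor runs on every request as soon as the plugin is
 * loaded, so an anonymous visitor who appends ?view_log=<id> reaches
 * render_log() with no login, no capability check and no nonce. Input
 * sanitisation (absint) does not help: the missing control is authorization.
 */
class Example_Email_Logs_Vulnerable extends Example_Email_Logs_Base {
    public function __construct() {
        if ( isset( $_GET['view_log'] ) ) {
            $this->render_log( absint( $_GET['view_log'] ) );
            exit;
        }
    }
}

/**
 * HARDENED: the constructor only registers a handler. The admin_post_{action}
 * hook fires only for logged-in users (anonymous requests would need the
 * admin_post_nopriv_ variant, which is deliberately not registered), and the
 * handler itself checks both a capability and a nonce before reading the log.
 */
class Example_Email_Logs_Hardened extends Example_Email_Logs_Base {
    public function __construct() {
        add_action( 'admin_post_example_view_log', array( $this, 'handle_view_log' ) );
    }

    public function handle_view_log() {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', 403 );
        }
        check_admin_referer( 'example_view_log' ); // dies on a missing or invalid nonce
        $id = isset( $_GET['view_log'] ) ? absint( $_GET['view_log'] ) : 0;
        $this->render_log( $id );
        exit;
    }

    /** Build the only link that can reach the handler: admin-post.php plus a nonce. */
    public static function view_url( $id ) {
        return wp_nonce_url(
            add_query_arg(
                array( 'action' => 'example_view_log', 'view_log' => absint( $id ) ),
                admin_url( 'admin-post.php' )
            ),
            'example_view_log'
        );
    }
}

new Example_Email_Logs_Hardened();
```

The point of the hardened version is not only the added current_user_can() call: moving request handling out of the constructor matters too, because a constructor that runs on plugin load executes for every visitor, authenticated or not, so any check it omits is omitted for everyone. To confirm exposure on a live site, `wp plugin get post-smtp --field=version` (WP-CLI) reports the installed version; anything at or below 3.6.0 needs the 3.6.1 update.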