A critical vulnerability (CVE-2025-11833) in the widely used Post SMTP WordPress plugin is being actively exploited to hijack administrator accounts and take full control of affected websites. The plugin has over 400,000 installations, with roughly 200,000 instances still unpatched.
The flaw is a missing authorization check in the plugin's email-logging component (the PostmanEmailLogs class). An unauthenticated attacker can read the logged emails, request a password reset for an administrator account, pull the reset link out of the captured email, and set a new password for that account.
Wordfence validated the exploit and reported active attacks starting 1 November 2025, only days after the vendor released the patch (v3.6.1 on 29 October 2025).
Technical Details
- Affected Versions: ≤ 3.6.0
- Fixed Version: 3.6.1
- Exploitation Method: Unauthenticated requests to the /wp-json/post-smtp/v1/get-log or /wp-json/post-smtp/v1/connect-app endpoints to read the email log and harvest password-reset tokens.
- Impact: Full administrator account takeover, leading to complete WordPress compromise and potential malware deployment or data exfiltration.
OP Innovate Assessment
This vulnerability poses a significant threat to WordPress environments because of the plugin's large install base and the ease of exploitation: no credentials are needed and only a handful of HTTP requests are involved. Its simplicity and the public availability of exploit code make it highly attractive to automated, opportunistic attackers.
Opportunistic groups are expected to leverage it for credential theft, unauthorized admin access, and malicious code injection, with potential use in SEO manipulation and redirect fraud campaigns.
Recommendations
- Update Post SMTP to version 3.6.1 or later immediately.
- If patching cannot be done immediately, deactivate the plugin until it can be updated; updating alone does not undo a reset that has already taken place.
- Review administrator accounts for unexpected password resets, changed email addresses, or newly created users. If compromise is suspected, reset every administrator password and revoke existing sessions.
- Audit web server access logs for requests to the email-log endpoints, especially repeated successful reads from a single source or a log read followed shortly by use of a password-reset link.
- Restrict plugin management to trusted administrators only.
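The following triage script is an added example (not code from OP Innovate or from the Post SMTP project) that puts the version check and the log audit above into runnable form. It assumes the web server writes the common/combined access-log format, uses the two endpoint paths named in this advisory, and also recognises WordPress's `?rest_route=` fallback URL form; the log lines and plugin header it runs against are constructed samples, not real traffic.

```python
"""Triage helpers for the Post SMTP email-log exposure (CVE-2025-11833).

Added example, not OP Innovate's or the plugin's code. Assumptions: combined
access-log format; the endpoint paths are the ones this advisory lists; the
sample log and plugin header below are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (3, 6, 1)  # first release without the flaw

# REST routes named in the advisory, without the /wp-json prefix.
SUSPECT_ROUTES = ("/post-smtp/v1/get-log", "/post-smtp/v1/connect-app")

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_version(text):
    """'3.6.0' -> (3, 6, 0); a non-numeric suffix such as '-beta' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def is_vulnerable(version_text):
    """True for every release at or below 3.6.0."""
    return parse_version(version_text) < FIXED_VERSION


def version_from_plugin_header(php_source):
    """Read the 'Version:' line of a WordPress plugin header (post-smtp.php)."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.M)
    return m.group(1) if m else None


def requested_route(parts):
    """Normalise /wp-json/<route> and /?rest_route=/<route> to '/<route>'."""
    if parts.path.startswith("/wp-json/"):
        return "/" + parts.path[len("/wp-json/"):]
    return parse_qs(parts.query).get("rest_route", [None])[0]


def scan_access_log(lines, threshold=3):
    """Walk log lines in order and report, per source IP:
    log_reads  successful (200) reads of the email-log endpoints
    resets     IPs that read the log and later used a wp-login.php?action=rp link
    bulk       IPs whose successful log reads reached `threshold`
    """
    log_reads = Counter()
    resets = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, status = m.group("ip"), int(m.group("status"))
        parts = urlsplit(m.group("path"))
        if requested_route(parts) in SUSPECT_ROUTES and status == 200:
            log_reads[ip] += 1
        elif (parts.path.endswith("/wp-login.php")
              and parse_qs(parts.query).get("action") == ["rp"]
              and ip in log_reads):
            resets.add(ip)  # reset link used after harvesting the log
    bulk = sorted(ip for ip, n in log_reads.items() if n >= threshold)
    return {"log_reads": dict(log_reads), "resets": sorted(resets), "bulk": bulk}


# Constructed sample log: one benign login-page hit, three log reads from one
# source (two via /wp-json, one via ?rest_route=), a reset-link use from that
# same source, and a rejected (401) probe of connect-app from elsewhere.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Nov/2025:02:11:09 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Nov/2025:02:12:01 +0000] "GET /wp-json/post-smtp/v1/get-log?id=1 HTTP/1.1" 200 2210 "-" "python-requests/2.32"
198.51.100.7 - - [01/Nov/2025:02:12:02 +0000] "GET /wp-json/post-smtp/v1/get-log?id=2 HTTP/1.1" 200 2245 "-" "python-requests/2.32"
198.51.100.7 - - [01/Nov/2025:02:12:03 +0000] "GET /?rest_route=/post-smtp/v1/get-log&id=3 HTTP/1.1" 200 2188 "-" "python-requests/2.32"
198.51.100.7 - - [01/Nov/2025:02:13:40 +0000] "POST /wp-login.php?action=rp&key=REDACTED&login=admin HTTP/1.1" 302 0 "-" "python-requests/2.32"
192.0.2.44 - - [01/Nov/2025:03:00:00 +0000] "GET /wp-json/post-smtp/v1/connect-app HTTP/1.1" 401 95 "-" "curl/8.5.0"
""".splitlines()

# Constructed plugin header, in the format WordPress reads from post-smtp.php.
SAMPLE_HEADER = "/**\n * Plugin Name: Post SMTP\n * Version: 3.6.0\n */\n"

if __name__ == "__main__":
    print("installed:", version_from_plugin_header(SAMPLE_HEADER),
          "vulnerable:", is_vulnerable(version_from_plugin_header(SAMPLE_HEADER)))
    print(scan_access_log(SAMPLE_LOG))
```

The correlation rule is deliberately narrow: a successful read of the log endpoint followed by use of a reset link from the same address is the sequence this advisory describes, so it yields few false positives. Legitimate administrators do read the log through the same endpoint while logged in, which an access log cannot distinguish, so treat the bulk-read list as a review queue rather than proof of compromise.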
Stay Safe. Stay Secure.
OP Innovate Research Team