Context
On October 11, 2025, a critical vulnerability was disclosed in Post SMTP, one of the most widely used WordPress plugins for outgoing email management (over 400,000 active installations). The flaw allows any unauthenticated attacker to trigger a password reset for any user account by exploiting unprotected access to the plugin's email logs — which contain the password reset links generated by WordPress.
The vulnerability was actively exploited within days of disclosure, with over 48,000 blocked exploitation attempts recorded within weeks.
Affected Versions
- Post SMTP all versions prior to 3.6.1
Fixed version: 3.6.1 (released October 11, 2025)
Exploitation Mechanism
WordPress generates a password reset link and sends it by email. Post SMTP intercepts this email and stores it in its internal logs to facilitate debugging.
The flaw lies in the absence of any authorization check on the log viewing endpoint:
- The attacker triggers a password reset request for a target account (e.g., admin)
- WordPress generates the reset link and passes it to Post SMTP for delivery
- Post SMTP stores the email in its logs without restricting access to those logs
- The attacker directly accesses the logs via the plugin's REST API, without any authentication
- They extract the reset link and take over the account
Exploitation is trivial and requires no prior knowledge of the target site.
Impact
Successful exploitation allows the attacker to:
- Gain full control of the WordPress administrator account
- Install malicious plugins or themes (backdoors, webshells)
- Exfiltrate the database (users, content, configuration)
- Deface the site or use it as a malware distribution vector
Detection
Check whether your site may be compromised:
# Check the installed Post SMTP version
wp plugin get post-smtp --fields=version
# Search for suspicious access to Post SMTP logs in web server logs
grep -i "post-smtp\|postman" /var/log/nginx/access.log | grep -i "log\|mail-log"
# Check recently modified administrator accounts
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
Indicators of compromise:
- Administrator logins from unknown IP addresses
- New plugins or themes installed without your action
- Unexpected recent file modifications in wp-content/
- Unsolicited password reset emails in the logs
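The grep above only lists requests that mention the plugin. The sequence that actually matters for this flaw is a password reset request followed, from the same address, by a successful hit on a Post SMTP log endpoint. The following script is an added example, not part of the original advisory or the plugin: it parses nginx combined-format access log lines and reports that correlation. The sample log lines are constructed, the Post SMTP route path in them is a placeholder rather than the plugin's real route, and the LOG_ENDPOINT_RE pattern is an assumption you should tune to your installation (the wp-login.php?action=lostpassword path is WordPress's standard reset form).

```python
"""Correlate WordPress password-reset requests with later hits on
Post SMTP log endpoints from the same IP (added detection example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" log format as written by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# WordPress's standard password-reset form.
RESET_RE = re.compile(r"/wp-login\.php\?.*\baction=lostpassword\b")
# ASSUMPTION: any path naming the plugin and its logs. The real REST route is
# not reproduced here; adjust this to match your deployment.
LOG_ENDPOINT_RE = re.compile(r"(post-smtp|postman).*log", re.IGNORECASE)

# Constructed sample lines; the post-smtp route below is a placeholder path.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Oct/2025:10:02:11 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Oct/2025:10:02:40 +0000] "GET /wp-json/post-smtp/v1/example-log-route HTTP/1.1" 200 4821 "-" "python-requests/2.31"
198.51.100.7 - - [14/Oct/2025:10:05:03 +0000] "GET /wp-admin/admin.php?page=postman_email_log HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Oct/2025:11:30:00 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def log_endpoint_hits(lines):
    """Every successful (HTTP 200) request to a Post SMTP log endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "200" and LOG_ENDPOINT_RE.search(rec["path"]):
            hits.append(rec)
    return hits


def find_suspicious(lines, window=timedelta(minutes=30)):
    """(ip, reset_ts, log_ts, path) for each log-endpoint hit that follows a
    password-reset POST from the same IP within `window`."""
    resets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and RESET_RE.search(rec["path"]):
            resets[rec["ip"]].append(rec["ts"])

    findings = []
    for hit in log_endpoint_hits(lines):
        for reset_ts in resets.get(hit["ip"], []):
            if timedelta(0) <= hit["ts"] - reset_ts <= window:
                findings.append((hit["ip"], reset_ts, hit["ts"], hit["path"]))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/nginx/access.log") on a real host.
    for ip, reset_ts, log_ts, path in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{ip}: reset at {reset_ts:%H:%M:%S}, log endpoint {path} at {log_ts:%H:%M:%S}")
```

Every hit returned by log_endpoint_hits deserves a look on a site that was running a version below 3.6.1, since the endpoint required no authentication; the correlated findings are the ones that most likely indicate a completed account takeover and should drive the password resets and account audit in the remediation steps.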
Remediation
- Update Post SMTP to version 3.6.1 or later immediately
- Reset passwords for all administrator accounts as a precaution
- Audit administrator accounts — remove any suspicious accounts created recently: wp user list --role=administrator
- Audit installed plugins and themes — look for recent unauthorized installations
- Verify WordPress core file integrity: wp core verify-checksums
- Enable two-factor authentication on all administrator accounts
Recommendations
- Keep all WordPress plugins up to date — enable automatic updates for security patches
- Limit plugin log exposure — debugging tools should never expose sensitive data without authentication
- Use a WAF (Wordfence, Cloudflare) to block known exploitation attempts
- Regularly audit administrator accounts and installed plugins
- Back up regularly — maintain database and file backups to enable fast recovery in case of compromise