A critical vulnerability in the Post SMTP WordPress plugin — used by over 400,000 websites — is being actively exploited by hackers to hijack administrator accounts and take complete control of affected sites, cybersecurity firm Wordfence has warned.

The plugin, a popular alternative to WordPress’s built-in wp_mail() function, is designed to improve email delivery reliability. However, the latest flaw, tracked as CVE-2025-11833, has exposed thousands of websites to account takeover attacks.


What Is the Vulnerability?

The issue was first reported to Wordfence by researcher “netranger” on October 11, 2025, who discovered that Post SMTP versions 3.6.0 and earlier failed to implement proper authorization checks in the plugin’s __construct function within the PostmanEmailLogs class.

This security oversight allowed unauthenticated users to directly access and read logged emails, including password reset messages. Attackers could then use the password reset links to change admin passwords and gain full control of WordPress sites.

Wordfence verified the flaw on October 15, confirming that it could be exploited remotely without login credentials.
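To make the class of bug concrete, here is an added PHP illustration, not Post SMTP’s code and not the patch: a log-viewing endpoint wired up in a class constructor with no authorization check, beside a hardened version. All class, table, action and nonce names (Example_Email_Logs_*, example_email_log, example_view_logs) are hypothetical; the WordPress API calls (add_action, current_user_can, check_ajax_referer, wp_send_json_*) are real.

```php
<?php
// Added example (hypothetical plugin code, not Post SMTP): the same email-log
// endpoint registered without and with authorization checks.

abstract class Example_Email_Logs_Base {
    abstract public function view_logs();

    // Reads every logged message from a hypothetical log table.
    protected function fetch_logs() {
        global $wpdb;
        $table = $wpdb->prefix . 'example_email_log';
        return $wpdb->get_results(
            "SELECT id, to_email, subject, body, sent_at FROM {$table} ORDER BY sent_at DESC LIMIT 100",
            ARRAY_A
        );
    }
}

// --- Vulnerable pattern ---------------------------------------------------
class Example_Email_Logs_Vulnerable extends Example_Email_Logs_Base {
    public function __construct() {
        // The nopriv hook routes requests from visitors who are not logged in
        // to the same handler, and nothing in that handler checks who is asking.
        add_action( 'wp_ajax_example_view_logs',        array( $this, 'view_logs' ) );
        add_action( 'wp_ajax_nopriv_example_view_logs', array( $this, 'view_logs' ) );
    }

    public function view_logs() {
        // Returns full message bodies, password-reset emails included, to any caller.
        wp_send_json_success( $this->fetch_logs() );
    }
}

// --- Hardened pattern -----------------------------------------------------
class Example_Email_Logs_Hardened extends Example_Email_Logs_Base {
    public function __construct() {
        // Only the authenticated hook: anonymous requests never reach the handler.
        add_action( 'wp_ajax_example_view_logs', array( $this, 'view_logs' ) );
    }

    public function view_logs() {
        // 1. Capability check: email logs are administrator-only data.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // ends the request
        }

        // 2. CSRF check: the request must carry a nonce issued for this action.
        check_ajax_referer( 'example_view_logs', 'nonce' );

        // 3. Least privilege on the data itself: even an admin's view should not
        //    expose live password-reset links.
        $logs = array_map( array( $this, 'redact' ), $this->fetch_logs() );
        wp_send_json_success( $logs );
    }

    // Strips WordPress reset links (wp-login.php?action=rp&key=...&login=...).
    private function redact( array $entry ) {
        $entry['body'] = preg_replace(
            '#/wp-login\.php\?action=rp[^\s"<]*#',
            '[reset link redacted]',
            (string) $entry['body']
        );
        return $entry;
    }
}

new Example_Email_Logs_Hardened();
```

The two things to look for when reviewing a plugin that stores email are exactly the two differences above: whether a `wp_ajax_nopriv_` (or unauthenticated REST route) hands out the data, and whether the handler itself verifies a capability and a nonce before reading it. The redaction step is an extra layer: if the log is ever exposed again, a stored reset email should no longer contain a usable link.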


Severity and Impact

The vulnerability was assigned a CVSS score of 9.8 (critical).
Because Post SMTP logs all outgoing emails, attackers could exploit the flaw to intercept:

  • Password reset emails
  • Administrative notifications
  • Login credentials and other sensitive communications

With these details, hackers can bypass authentication and take over entire websites, leading to defacements, data theft, or further malware injection.


Patch Released — But Millions Still at Risk

The plugin developer, Saad Iqbal, released a security patch (version 3.6.1) on October 29, 2025. However, WordPress.org statistics show that nearly half of the plugin’s installations remain outdated, leaving at least 210,000 sites still vulnerable.

Since November 1, hackers have launched over 4,500 exploit attempts, according to Wordfence telemetry.

“We are seeing active attempts to exploit CVE-2025-11833 in the wild,” Wordfence warned, advising all users to immediately update or disable the plugin until patched.


Earlier Vulnerabilities in Post SMTP

This is not the first time Post SMTP has come under fire for security flaws.
In July 2025, security firm PatchStack disclosed another serious bug (CVE-2025-24000) that allowed unauthorized access to the plugin’s email logs, leading to the same type of administrator account takeovers.

Both vulnerabilities underline the need for regular updates and security monitoring for WordPress sites using third-party plugins.


What Site Owners Should Do

  • Update Post SMTP to version 3.6.1 or later immediately.
  • Review email logs and user accounts for unauthorized activity.
  • Use Wordfence, Sucuri, or another security plugin to detect exploit attempts.
  • Implement two-factor authentication (2FA) for admin users.
  • Regularly back up site data and verify that backups can be restored.

Failure to update may leave websites vulnerable to complete compromise.

Originally published on newsworldstime.com.


One reply on “Hackers Exploit Critical Flaw in WordPress Plugin ‘Post SMTP,’ Hijack Admin Accounts on 400,000+ Sites”