The Post SMTP plugin contains a critical security flaw (CVE-2025-11833) due to a missing authorization check, exposing sensitive email logs to unauthorized access. Discovered by security researcher netranger through Wordfence’s Bug Bounty Program, the flaw allows attackers to retrieve sensitive information such as password reset data from email logs without authentication.
Since the vulnerability was identified on October 11, 2025, attackers have launched exploitation attempts against over 400,000 installations, with more than 4,500 attempts blocked as of November 1, 2025. The flaw carries a CVSS score of 9.8, so site administrators should update to the patched version 3.6.1 immediately. Exploitation is a two-step process: the exposed logs leak password reset data, and that data is then used to gain administrative access, which can lead to complete site takeover and let malicious actors execute damaging actions on compromised sites.
To mitigate the risk, users of the affected versions should update the plugin promptly. The patch was released on October 29, 2025. Wordfence Premium users have received firewall protection against these attacks since October 15, 2025.
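The root cause described above is a missing authorization check on a feature that exposes email logs. The following is an added illustration of that bug class and its fix, not Post SMTP's own code and not the actual vulnerable code path: a hypothetical WordPress REST route (`example-mailer/v1/logs`) and helper (`example_fetch_email_logs`) are registered once with a permission callback that admits every request, and once with a capability check that only administrators pass.

```php
<?php
// Added illustration, not Post SMTP's code. The route names, the helper and the
// sample log entry are all constructed for this example.

// Hypothetical helper returning log entries; a real plugin would read from its
// own storage. The sample entry shows why the data is sensitive: password reset
// mails typically carry a reset link.
function example_fetch_email_logs() {
    return array(
        array(
            'to'      => 'admin@example.com',   // constructed sample value
            'subject' => 'Password reset request',
        ),
    );
}

// Vulnerable pattern: '__return_true' as permission_callback means the REST
// API performs no authorization at all, so an unauthenticated visitor can
// fetch the logs with a plain GET request.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => 'GET',
        'callback'            => 'example_fetch_email_logs',
        'permission_callback' => '__return_true',
    ) );
} );

// Hardened pattern: require an administrator-level capability before the
// callback runs. WordPress answers with 401 (not logged in) or 403 (logged in
// but lacking the capability) and never invokes the callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs-secure', array(
        'methods'             => 'GET',
        'callback'            => 'example_fetch_email_logs',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// The same rule applies to non-REST entry points (admin-ajax handlers, direct
// page loads): check a capability, not merely that someone is logged in,
// before rendering anything derived from the mail log.
function example_render_log_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to view email logs.', 'example-mailer' ), '', array( 'response' => 403 ) );
    }
    foreach ( example_fetch_email_logs() as $entry ) {
        echo esc_html( $entry['to'] . ' - ' . $entry['subject'] ) . "<br>\n";
    }
}
```

When auditing a plugin for this bug class, look for every `register_rest_route` call whose `permission_callback` is `__return_true` (or absent), and every `wp_ajax_nopriv_` hook or template that renders stored mail content; each of those is a place where a check like the one in the hardened route belongs. A check for `is_user_logged_in()` alone is not sufficient for log data, since subscriber-level accounts would still be able to read other users' reset mails.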
👉 Read the original: Cyber Security News