Active Exploitation of Critical WordPress Plugin and Theme Vulnerabilities for Admin Account Hijacking
Threat actors are actively exploiting critical vulnerabilities in popular WordPress plugins and themes, enabling the hijacking of administrator accounts and full site compromise. The Post SMTP plugin, installed on over 400,000 WordPress sites, is affected by CVE-2025-11833, a flaw that allows unauthenticated attackers to read arbitrary logged emails, including password reset messages, due to missing authorization checks. This exposure enables attackers to reset admin passwords and take over sites. Wordfence has observed over 4,500 exploit attempts since November 1, and a patch was released in version 3.6.1, but a significant number of sites remain unpatched and vulnerable.
Similarly, the JobMonster WordPress theme is being targeted via CVE-2025-5397, an authentication bypass vulnerability that allows attackers to hijack admin accounts when social login is enabled. The flaw arises from improper verification in the check_login() function, letting attackers fake admin access if they know the username or email. The issue is fixed in version 4.8.2, and users are urged to update, disable social login, and enable two-factor authentication. These incidents highlight the ongoing risk posed by unpatched WordPress components and the need for immediate mitigation to prevent site compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Attackers exploit Post SMTP plugin to hijack admin accounts
Hackers were reported exploiting the WordPress Post SMTP plugin to take over administrator accounts. The reference does not provide a more specific incident date, so the event is dated to the article's publication.
Attackers exploit JobMonster theme auth bypass flaw
Hackers were reported exploiting a critical authentication bypass vulnerability in the JobMonster WordPress theme. No earlier disclosure or patch date is provided in the reference, so the event is anchored to the publication date.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Post SMTP Plugin Vulnerability Enables Mass WordPress Site Takeover
A critical vulnerability in the *Post SMTP* WordPress plugin, tracked as CVE-2025-11833, has exposed over 400,000 WordPress sites to potential account and website takeover. The flaw, present in all plugin versions up to and including 3.6.0, stems from missing capability checks in the `__construct` function, allowing unauthenticated attackers to reset passwords for any user, including administrators. Wordfence, which received the initial bug report via its bounty program, has already blocked more than 4,500 attack attempts, and exploitation activity has accelerated since early November. Security researchers warn that at least 210,000 sites remain at risk, with attackers leveraging the vulnerability to access password reset messages and hijack admin accounts. Website owners are strongly advised to update to the patched version released on October 29 or disable the plugin to prevent compromise. The incident follows a previous security issue (CVE-2025-24000) affecting the same plugin, highlighting ongoing risks for sites relying on outdated or unpatched WordPress extensions.
Mar 21, 2026
WordPress Email and Auth Plugins Expose Sites to Admin Takeover and Data Theft
Multiple critical flaws in widely deployed WordPress plugins exposed sites to administrator takeover through broken REST API authorization, weak JWT handling, and sensitive data leakage. In **Post SMTP**, `CVE-2025-24000` let any authenticated user read administrator-only email logs in versions through `3.2.0`, while `CVE-2025-11833` extended similar exposure to unauthenticated attackers in versions through `3.6.0`; because password reset messages were stored in those logs, attackers could reset admin passwords and seize control of affected sites. **RestroPress** (`CVE-2025-9209`) exposed user tokens through `/wp-json/wp/v2/users`, enabling forged JWTs and full admin access, and **miniOrange OAuth SSO** (`CVE-2025-9485`) accepted forged JWTs because signatures were not verified, allowing login as arbitrary users including administrators. **Copypress Rest API** (`CVE-2025-8625`) combined a hard-coded JWT signing key with unrestricted file upload to enable unauthenticated remote code execution. The pattern continued into active exploitation of **Gravity SMTP** (`CVE-2026-4020`), where an unauthenticated REST API endpoint exposed system reports containing WordPress and server details, plugin inventories, database information, and email-service credentials such as API keys, secrets, and OAuth tokens. Wordfence said exploitation required only a single request, reported blocking more than **17 million** attempts, and urged defenders to upgrade to `2.1.5` and rotate exposed third-party email credentials. Across the affected plugins, vendors issued fixes including **Post SMTP 3.3.0**, **miniOrange 6.26.13**, and **Gravity SMTP 2.1.5**, while the Copypress plugin was temporarily closed; the incidents underscore how exposed REST endpoints and flawed token validation can quickly turn routine plugin features into full site compromise paths.
Jun 17, 2026
Critical WordPress Plugin Vulnerabilities Enable Account Takeover and Privilege Escalation
Multiple high-severity vulnerabilities were disclosed across popular **WordPress plugins**, creating pathways to account takeover, privilege escalation, and sensitive data exposure. The most severe issue, **CVE-2025-15521** in *Academy LMS* (<= `3.5.0`), allows **unauthenticated administrator account takeover** because the plugin’s password update flow relies on a **publicly exposed WordPress nonce** as authorization rather than validating user identity; *Wordfence* reported observing exploitation attempts in the wild and blocking dozens of attacks in a 24-hour period. Additional disclosures affect other plugins with different exploitation prerequisites and impacts. **CVE-2026-0726** in *Nexter Extension – Site Enhancements Toolkit* (<= `4.4.6`) is an **unauthenticated PHP object injection** via `nxt_unserialize_replace`, but it requires a usable **POP chain** from another installed plugin/theme to reach file deletion, data theft, or code execution. **CVE-2025-15347** in *Creator LMS* (<= `1.1.12`) enables **authenticated (Contributor+)** attackers to update arbitrary WordPress options due to a missing capability check, potentially leading to privilege escalation or site compromise. **CVE-2025-14977** in *Dokan* (<= `4.2.4`) is an **IDOR** in the `/wp-json/dokan/v1/settings` REST endpoint that lets **authenticated (Customer+)** users read/modify other vendors’ settings, including changing PayPal payout emails and accessing bank/payment details, enabling fraud and sensitive information disclosure.
Mar 21, 2026