Critical Post SMTP Plugin Vulnerability Enables Mass WordPress Site Takeover
A critical vulnerability in the Post SMTP WordPress plugin, tracked as CVE-2025-11833, has exposed over 400,000 WordPress sites to potential account and website takeover. The flaw, present in all plugin versions up to and including 3.6.0, stems from missing capability checks in the __construct function, allowing unauthenticated attackers to reset passwords for any user, including administrators. Wordfence, which received the initial bug report via its bounty program, has already blocked more than 4,500 attack attempts, and exploitation activity has accelerated since early November.
Security researchers warn that at least 210,000 sites remain at risk, with attackers leveraging the vulnerability to access password reset messages and hijack admin accounts. Website owners are strongly advised to update to the patched version released on October 29 or disable the plugin to prevent compromise. The incident follows a previous security issue (CVE-2025-24000) affecting the same plugin, highlighting ongoing risks for sites relying on outdated or unpatched WordPress extensions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers observe thousands of exploitation attempts
Shortly after disclosure, defenders detected active abuse of the vulnerability, with more than 4,500 attacks observed. Reports warned that between roughly 210,000 and 400,000 WordPress sites could be at risk depending on plugin deployment counts.
Attackers begin exploiting CVE-2025-11833 in the wild
Intrusions exploiting the Post SMTP flaw were reported to be underway from the beginning of November. The attacks target exposed email logs to obtain password reset links and hijack WordPress administrator accounts.
Post SMTP security update released
The plugin maintainers released an update on Oct. 29 to fix CVE-2025-11833. Administrators were advised to update immediately or disable the plugin to prevent exploitation.
Post SMTP flaw discovered in WordPress plugin
A critical broken access control vulnerability, tracked as CVE-2025-11833, was identified in the Post SMTP WordPress plugin. The issue affects versions 3.6.0 and older and can expose logged emails, including password reset messages, enabling account takeover and full site compromise.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
WordPress plugin hole enables account takeover
csoonline.com
Open sourceCritical Site Takeover Flaw Affects 400K WordPress Sites
darkreading.com
Open sourceOngoing Post SMTP plugin exploitation threatens widespread WordPress site compromise
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of Critical WordPress Plugin and Theme Vulnerabilities for Admin Account Hijacking
Threat actors are actively exploiting critical vulnerabilities in popular WordPress plugins and themes, enabling the hijacking of administrator accounts and full site compromise. The Post SMTP plugin, installed on over 400,000 WordPress sites, is affected by CVE-2025-11833, a flaw that allows unauthenticated attackers to read arbitrary logged emails, including password reset messages, due to missing authorization checks. This exposure enables attackers to reset admin passwords and take over sites. Wordfence has observed over 4,500 exploit attempts since November 1, and a patch was released in version 3.6.1, but a significant number of sites remain unpatched and vulnerable. Similarly, the JobMonster WordPress theme is being targeted via CVE-2025-5397, an authentication bypass vulnerability that allows attackers to hijack admin accounts when social login is enabled. The flaw arises from improper verification in the `check_login()` function, letting attackers fake admin access if they know the username or email. The issue is fixed in version 4.8.2, and users are urged to update, disable social login, and enable two-factor authentication. These incidents highlight the ongoing risk posed by unpatched WordPress components and the need for immediate mitigation to prevent site compromise.
Mar 21, 2026
WordPress Email and Auth Plugins Expose Sites to Admin Takeover and Data Theft
Multiple critical flaws in widely deployed WordPress plugins exposed sites to administrator takeover through broken REST API authorization, weak JWT handling, and sensitive data leakage. In **Post SMTP**, `CVE-2025-24000` let any authenticated user read administrator-only email logs in versions through `3.2.0`, while `CVE-2025-11833` extended similar exposure to unauthenticated attackers in versions through `3.6.0`; because password reset messages were stored in those logs, attackers could reset admin passwords and seize control of affected sites. **RestroPress** (`CVE-2025-9209`) exposed user tokens through `/wp-json/wp/v2/users`, enabling forged JWTs and full admin access, and **miniOrange OAuth SSO** (`CVE-2025-9485`) accepted forged JWTs because signatures were not verified, allowing login as arbitrary users including administrators. **Copypress Rest API** (`CVE-2025-8625`) combined a hard-coded JWT signing key with unrestricted file upload to enable unauthenticated remote code execution. The pattern continued into active exploitation of **Gravity SMTP** (`CVE-2026-4020`), where an unauthenticated REST API endpoint exposed system reports containing WordPress and server details, plugin inventories, database information, and email-service credentials such as API keys, secrets, and OAuth tokens. Wordfence said exploitation required only a single request, reported blocking more than **17 million** attempts, and urged defenders to upgrade to `2.1.5` and rotate exposed third-party email credentials. Across the affected plugins, vendors issued fixes including **Post SMTP 3.3.0**, **miniOrange 6.26.13**, and **Gravity SMTP 2.1.5**, while the Copypress plugin was temporarily closed; the incidents underscore how exposed REST endpoints and flawed token validation can quickly turn routine plugin features into full site compromise paths.
Jun 17, 2026
Critical WordPress Plugin Flaws Expose Sites to File Upload, SQL Injection, and Takeover
Multiple **WordPress plugins** were flagged for severe vulnerabilities that could let attackers take over sites through unauthenticated file upload, SQL injection, arbitrary file deletion, and authorization bypass. References point to issues in plugins including **WP Duplicate**, **Ninja Forms File Upload**, **Ultimate Member**, **Product Addons for WooCommerce**, **CleanTalk Spam Protect**, **Ally**, **Perfmatters**, and **Kali Forms**, alongside identifiers such as **`CVE-2024-48930`**, **`CVE-2025-13192`**, and **`CVE-2026-1104`**. Several flaws were described as allowing arbitrary plugin installation, malicious file upload, or direct database manipulation, creating a path to remote code execution and full site compromise. Wordfence reports indicate the exposure spans **hundreds of thousands of WordPress sites**, with some bugs already under **active exploitation**. The most serious cases include an unauthenticated SQL injection flaw in the **Ally** plugin affecting roughly **400,000 sites**, an arbitrary file deletion issue in **Perfmatters** affecting about **200,000 sites**, and active attacks targeting a critical flaw in **Kali Forms**. Taken together, the disclosures show a broad wave of high-impact plugin security failures that increase the risk of website defacement, malware deployment, data theft, and administrator-level compromise across the WordPress ecosystem.
May 25, 2026