Thursday, November 6, 2025

Hackers exploit WordPress plugin Post SMTP to hijack admin accounts


Threat actors are actively exploiting a critical vulnerability in the Post SMTP plugin, installed on more than 400,000 WordPress sites, to take full control by hijacking administrator accounts.

Post SMTP is a popular email delivery solution marketed as a feature-rich and more reliable replacement for the default ‘wp_mail()’ function.

On October 11, WordPress security firm Wordfence received a report from researcher ‘netranger’ about an email log disclosure issue that could be leveraged for account takeover attacks.


The issue, tracked as CVE-2025-11833, received a critical-severity score of 9.8 and affects all versions of Post SMTP up to and including 3.6.0.

The vulnerability stems from the lack of authorization checks in the ‘__construct’ function of the plugin’s ‘PostmanEmailLogs’ class.

That constructor directly renders logged email content when it is requested, without performing capability checks, allowing unauthenticated attackers to read arbitrary logged emails.

The vulnerable class constructor
Source: Wordfence
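To make the described bug class concrete, the following is an added illustration, not the plugin's actual code: a hypothetical WordPress log-viewer class whose constructor renders a stored email as soon as a request parameter is present, beside a hardened version that gates the same output behind a capability check and a nonce. All class, table and parameter names are assumptions.

```php
<?php
// Added illustration (not Post SMTP's code). Names below are hypothetical.

// Vulnerable pattern: the constructor renders a log entry gated only on a
// request parameter, so any visitor who reaches this code path sees the email.
class Hypothetical_Email_Logs_Vulnerable {
    public function __construct() {
        if ( isset( $_GET['log_id'] ) ) {
            $this->render_log( (int) $_GET['log_id'] );   // no current_user_can(), no nonce
        }
    }

    private function render_log( $log_id ) {
        global $wpdb;
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT subject, body FROM {$wpdb->prefix}hypothetical_email_log WHERE id = %d", $log_id ) );
        if ( $row ) {
            echo '<h2>' . esc_html( $row->subject ) . '</h2><pre>' . esc_html( $row->body ) . '</pre>';
        }
    }
}

// Hardened pattern: rendering is deferred to a hook and runs only for a user
// who holds an administrative capability and presents a valid nonce.
class Hypothetical_Email_Logs_Fixed {
    public function __construct() {
        add_action( 'admin_init', array( $this, 'maybe_render_log' ) );
    }

    public function maybe_render_log() {
        if ( ! isset( $_GET['log_id'] ) ) {
            return;
        }
        $log_id = (int) $_GET['log_id'];
        // Capability check: unauthenticated and low-privilege users are refused.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You are not allowed to view email logs.' ), '', array( 'response' => 403 ) );
        }
        // Nonce check: the link must have been generated for this logged-in admin.
        check_admin_referer( 'view_email_log_' . $log_id );
        $this->render_log( $log_id );
    }

    private function render_log( $log_id ) {
        global $wpdb;
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT subject, body FROM {$wpdb->prefix}hypothetical_email_log WHERE id = %d", $log_id ) );
        if ( $row ) {
            echo '<h2>' . esc_html( $row->subject ) . '</h2><pre>' . esc_html( $row->body ) . '</pre>';
        }
    }
}
```

The hardened class still renders the same content; the difference is only that `current_user_can()` and `check_admin_referer()` run before any log row is read, which is the check the article says the vulnerable constructor omitted.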

The exposure includes password reset messages containing links that allow changing an administrator’s password without the legitimate account holder, potentially leading to account takeover and full site compromise.

Wordfence validated the researcher’s exploit on October 15 and fully disclosed the issue to the vendor, Saad Iqbal, on the same day.

A patch arrived on October 29 with Post SMTP version 3.6.1. Based on WordPress.org data, roughly half of the plugin’s users have downloaded it since the patch was released, leaving at least 210,000 sites vulnerable to admin takeover attacks.

According to Wordfence, hackers started exploiting CVE-2025-11833 on November 1. Since then, the security firm has blocked over 4,500 exploit attempts against its customers.

Given the active exploitation status, site owners using Post SMTP are advised to move to version 3.6.1 immediately or disable the plugin.

In July, PatchStack revealed that Post SMTP was vulnerable to a flaw that allowed hackers to access email logs containing full message content, even from a subscriber level.

That flaw, tracked as CVE-2025-24000, had the same repercussions as CVE-2025-11833, allowing unauthorized users to trigger password resets, intercept messages, and take control of administrator accounts.
