WordPress Sites Targeted by Critical Post SMTP Plugin Vulnerability

A critical vulnerability in the Post SMTP WordPress plugin, identified as CVE-2025-11833, is actively being exploited, posing a significant risk to websites utilizing the plugin, which boasts over 400,000 active installations.

The flaw allows unauthenticated attackers to access email logs, potentially intercepting sensitive information such as password reset emails. This access can enable attackers to reset administrator passwords and gain full control of affected websites.

The vulnerability, rated 9.8 (Critical) on the CVSS scale by Wordfence, was discovered on October 11, 2025, and reported through the Wordfence Bug Bounty Program. A patch, version 3.6.1, was released by the plugin's developers on October 29, 2025. However, according to WordPress.org plugin data, an estimated 200,000 websites had not yet applied this update, leaving them exposed to attack.

Active exploitation of the vulnerability began as early as November 1, 2025, with Wordfence reporting that its premium users had experienced over 4,500 blocked attacks. While Wordfence Premium, Care, and Response users received firewall protection on October 15, 2025, users of the free Wordfence plugin will receive similar protection starting November 14, 2025.

Given the critical nature of the vulnerability and the ongoing exploitation, website administrators are strongly advised to update the Post SMTP plugin to version 3.6.1 immediately to prevent unauthorized account access and potential website compromise.
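A version check an administrator could run across a fleet of WordPress installs to find copies of Post SMTP still below the fixed release. It is an added example, not code from the article or from Wordfence; it assumes WP-CLI is installed and that the plugin's WordPress.org slug is post-smtp.

```shell
#!/bin/sh
# Flag Post SMTP installs older than the 3.6.1 fix (version taken from the advisory).
FIXED_VERSION="3.6.1"
PLUGIN_SLUG="post-smtp"   # assumed WordPress.org slug for the plugin

# Print "vulnerable", "patched" or "unknown" for a given installed version string.
# A plain string comparison would rank 3.10.0 below 3.6.1, so components are
# compared numerically with sort -V.
post_smtp_status() {
    ver="$1"
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    if [ "$ver" = "$FIXED_VERSION" ]; then
        echo "patched"
        return 0
    fi
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n 1)
    if [ "$lowest" = "$ver" ]; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Read WordPress root directories from stdin (one per line), ask WP-CLI for the
# installed plugin version at each, and report its status. Sites without the
# plugin are reported as such rather than treated as an error.
scan_wordpress_roots() {
    while IFS= read -r root; do
        ver=$(wp plugin get "$PLUGIN_SLUG" --path="$root" --field=version 2>/dev/null) || {
            echo "$root: $PLUGIN_SLUG not installed"
            continue
        }
        echo "$root: $PLUGIN_SLUG $ver -> $(post_smtp_status "$ver")"
    done
}

# Constructed sample versions for an offline demonstration of the comparison.
for v in 3.5.2 3.6.0 3.6.1 3.7.0 3.10.0; do
    printf '%-8s %s\n' "$v" "$(post_smtp_status "$v")"
done
```

Run it over real installs with `printf '/var/www/site1\n/var/www/site2\n' | scan_wordpress_roots`, then update any site reported as vulnerable with `wp plugin update post-smtp --path=/var/www/siteN`.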