Risk actors are actively exploiting a essential vulnerability within the Publish SMTP plugin put in on greater than 400,000 WordPress websites, to take full management by hijacking administrator accounts.
Publish SMTP is a well-liked e-mail supply resolution marketed as a feature-rich and extra dependable substitute of the default ‘wp_mail()’ perform.
On October 11, WordPress safety agency Wordfence obtained a report from researcher ‘netranger’ about an e-mail log disclosure challenge that may very well be leveraged for account takeover assaults.
The difficulty, tracked as CVE-2025-11833, obtained a critical-severity rating of 9.8 and impacts all variations of Publish SMTP from 3.6.0 and older.
The vulnerability stems from the dearth of authorization checks within the ‘_construct’ perform of the plugin’s ‘PostmanEmailLogs’ move.
That constructor immediately renders logged e-mail content material when it’s requested with out performing functionality checks, permitting unauthenticated attackers to learn arbitrary logged emails.
Supply: Wordfence
The publicity consists of password reset messages with hyperlinks that permit altering an administrator’s password with out the necessity of a authentic account holder, probably resulting in account takeover and full website compromise.
Wordfence validated the researcher’s exploit on October 15 and totally disclosed the difficulty to the seller, Saad Iqbal, on the identical day.
A patch arrived on October 29, with Publish SMTP model 3.6.1. Based mostly on WordPress.org information, roughly half of the plugin’s customers have downloaded it for the reason that launch of the patch, leaving at the very least 210,000 websites susceptible to admin takeover assaults.
In line with Wordfence, hackers began exploiting CVE-2025-11833 on November 1. Since then, the safety agency has blocked over 4,500 exploit makes an attempt on its clients.
Given the lively exploitation standing, web site homeowners utilizing Publish SMTP are suggested to maneuver to model 3.6.1 instantly or disable the plugin.
In July, PatchStack revealed that Publish SMTP was susceptible to a flaw that allowed hackers to entry e-mail logs containing full message content material, even from a subscriber stage.
That flaw, tracked as CVE-2025-24000, had the identical repercussions as CVE-2025-11833, permitting unauthorized customers to set off password resets, intercept messages, and take management of administrator accounts.
As MCP (Mannequin Context Protocol) turns into the usual for connecting LLMs to instruments and information, safety groups are transferring quick to maintain these new providers secure.
This free cheat sheet outlines 7 greatest practices you can begin utilizing as we speak.
