Vulnerability Management, Patch/Configuration Management

Ongoing Post SMTP plugin exploitation threatens widespread WordPress site compromise


BleepingComputer reports that at least 210,000 WordPress sites are exposed to takeover through attacks, underway since the beginning of November, that exploit a critical flaw in the Post SMTP plugin tracked as CVE-2025-11833.

All Post SMTP versions up to and including 3.6.0 are affected. According to Wordfence, the flaw stems from a missing authorization (capability) check in the constructor, the 'construct' function, of the plugin's 'PostmanEmailLogs' class.

Because that constructor renders logged email content directly, an unauthenticated attacker can read stored messages. Those include password reset emails carrying the link that changes an administrator's password, so an attacker who triggers a reset for an admin account and then reads the link from the log can take over the account and the site. Site owners have been urged to install the fixed release (version 3.6.1, issued Oct. 29) promptly, or to disable the plugin until they can.
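A quick way for site owners to confirm whether an installed copy falls inside the reported range, as an added example for this article and not code from the plugin, Wordfence or BleepingComputer: read the plugin's main-file header and compare version numbers as integer tuples, which avoids the classic mistake of comparing "3.10.0" and "3.6.0" as strings. The path post-smtp/post-smtp.php and the sample header below are assumptions, not taken from the page.

```python
"""Check whether an installed Post SMTP plugin is within the version range
reported as affected by CVE-2025-11833 (3.6.0 and older).

Added example for this article; not code from the Post SMTP plugin, Wordfence
or BleepingComputer. Assumptions: the plugin lives at
wp-content/plugins/post-smtp/post-smtp.php and carries a standard WordPress
plugin header with a 'Version:' line.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

# Upper bound of the affected range as reported on the page: 3.6.0 and older.
AFFECTED_MAX = (3, 6, 0)

# Assumed location of the plugin's main file relative to wp-content/plugins.
PLUGIN_MAIN_FILE = Path("post-smtp") / "post-smtp.php"

# Matches the 'Version:' line of a WordPress plugin header, e.g. " * Version: 3.6.0".
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert '3.6.0', '3.10.2' or '3.7.0-beta1' into a tuple of ints.

    Comparing version strings lexically is a classic mistake: '3.10.0' sorts
    before '3.6.0' as text, so a patched 3.10 install would be flagged as
    vulnerable. Tuples of integers compare correctly. Pre-release or build
    suffixes after '-' or '+' are dropped; missing components default to 0.
    """
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_from_header(header_text: str) -> Optional[str]:
    """Pull the version string out of a plugin file header, or None if absent."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True if the version is 3.6.0 or older (the range reported affected)."""
    return parse_version(version) <= AFFECTED_MAX


def check_plugins_dir(plugins_dir) -> dict:
    """Inspect a wp-content/plugins directory and report the Post SMTP status.

    Returns {'installed': bool, 'version': str|None, 'affected': bool|None}.
    A missing version line yields affected=None so the caller investigates
    rather than silently treating the site as safe.
    """
    plugins_dir = Path(plugins_dir)
    main_file = plugins_dir / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return {"installed": False, "version": None, "affected": None}
    # Only the header is needed; the first few KB of the file is enough.
    with open(main_file, "r", encoding="utf-8", errors="replace") as fh:
        header = fh.read(8192)
    version = version_from_header(header)
    if version is None:
        return {"installed": True, "version": None, "affected": None}
    return {"installed": True, "version": version, "affected": is_affected(version)}


# Constructed sample header (not the plugin's real file) for a stand-alone run.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Post SMTP
 * Version: 3.6.0
 */
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python check_post_smtp.py /var/www/html/wp-content/plugins
        print(check_plugins_dir(sys.argv[1]))
    else:
        v = version_from_header(SAMPLE_HEADER)
        print(f"sample header version {v}: affected={is_affected(v)}")
```

Run it against the real plugins directory of each site; a result of affected=True means the install is in the reported range and should be updated or disabled, while affected=None means the header could not be parsed and the version should be confirmed by hand.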

The disclosure comes months after Patchstack reported a separate Post SMTP flaw, CVE-2025-24000, which likewise allowed unauthorized access to the plugin's email logs.
