Introduction
Unauthenticated attackers can retrieve password reset emails from the plugin's email log and take over administrator accounts on any WordPress site running a vulnerable version of the Post SMTP plugin. With over 400,000 active installations, the flaw exposes a large segment of the WordPress ecosystem to unauthorized access and account compromise.
Post SMTP is a widely used WordPress plugin for handling SMTP email delivery, including logging, alerts, and backup SMTP. Its popularity makes vulnerabilities in this plugin highly impactful across a broad range of websites, from small blogs to enterprise deployments.
Technical Information
CVE-2025-11833 is caused by a missing capability check in the __construct function of the Post SMTP plugin's email log handler. In all versions up to and including 3.6.0, the plugin does not verify the requesting user's capabilities before wiring up the endpoints that serve email log contents. This omission allows unauthenticated users to directly access REST API endpoints that expose the contents of logged emails.
The vulnerable code path is referenced in the plugin's codebase:
Because the permission check is absent, an attacker can send direct HTTP requests to the relevant REST API endpoints and retrieve any email the plugin has logged. This includes password reset emails, which contain the reset link. An attacker can therefore request a password reset for a target account through the standard WordPress lost-password form, read the reset link from the log, and set a new password for that user, including administrators, gaining full control of the site.
The vulnerability is classified as CWE-862 (Missing Authorization). The attack requires only network access to the affected WordPress instance and does not require authentication or any prior knowledge of the system.
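The following is an added example, not Post SMTP's code: a hypothetical WordPress log handler showing the vulnerable pattern the advisory describes (a constructor that registers a log-viewing REST route with no permission check) beside a hardened version. The class names, the `example/v1` namespace, the `/logs/{id}` route, the `manage_options` capability choice and the `example_email_log` table are all assumptions made for illustration.

```php
<?php
// Added example, not the plugin's own code. Class, route and table names
// are hypothetical; the point is where the authorization check sits.

// --- Vulnerable pattern -------------------------------------------------
class Vulnerable_Email_Log_Handler {
    public function __construct() {
        // No capability check anywhere on this path. The route is
        // registered for every request, and because no permission_callback
        // is declared WordPress serves it to anonymous callers (5.5+ only
        // emits a _doing_it_wrong notice, it does not block the route).
        add_action( 'rest_api_init', function () {
            register_rest_route( 'example/v1', '/logs/(?P<id>\d+)', array(
                'methods'  => 'GET',
                'callback' => array( $this, 'view_log' ),
            ) );
        } );
    }

    public function view_log( WP_REST_Request $request ) {
        global $wpdb;
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT id, to_header, subject, original_message FROM {$wpdb->prefix}example_email_log WHERE id = %d",
            (int) $request->get_param( 'id' )
        ), ARRAY_A );
        // The full stored message body is returned; for a password reset
        // email that body contains the reset link.
        return rest_ensure_response( $row );
    }
}

// --- Hardened pattern ---------------------------------------------------
class Hardened_Email_Log_Handler {
    const CAPABILITY = 'manage_options'; // assumption: administrators only

    public function __construct() {
        add_action( 'rest_api_init', array( $this, 'register_routes' ) );
    }

    public function register_routes() {
        register_rest_route( 'example/v1', '/logs/(?P<id>\d+)', array(
            'methods'             => 'GET',
            'callback'            => array( $this, 'view_log' ),
            // The authorization decision is attached to the route itself,
            // so it runs before the callback for every request, including
            // requests that carry no cookie or nonce at all.
            'permission_callback' => array( $this, 'can_view_logs' ),
            'args'                => array(
                'id' => array(
                    'validate_callback' => function ( $value ) {
                        return is_numeric( $value ) && (int) $value > 0;
                    },
                ),
            ),
        ) );
    }

    public function can_view_logs( WP_REST_Request $request ) {
        if ( ! current_user_can( self::CAPABILITY ) ) {
            // 401 for anonymous callers, 403 for logged-in users without
            // the capability.
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to view email logs.', 'example' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }
        return true;
    }

    public function view_log( WP_REST_Request $request ) {
        // Defense in depth: re-check inside the callback too, so the
        // handler stays safe if it is later wired to another entry point
        // (admin-ajax, a page action) that has no permission_callback.
        if ( ! current_user_can( self::CAPABILITY ) ) {
            return new WP_Error( 'rest_forbidden', 'Forbidden', array( 'status' => 403 ) );
        }
        global $wpdb;
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT id, to_header, subject, original_message FROM {$wpdb->prefix}example_email_log WHERE id = %d",
            (int) $request->get_param( 'id' )
        ), ARRAY_A );
        if ( null === $row ) {
            return new WP_Error( 'not_found', 'No such log entry', array( 'status' => 404 ) );
        }
        return rest_ensure_response( $row );
    }
}

new Hardened_Email_Log_Handler();
```

With the hardened handler, an unauthenticated GET to `/wp-json/example/v1/logs/1` returns HTTP 401 with the `rest_forbidden` error code instead of the log entry; with the vulnerable handler the same request returns the stored message body. The check belongs on the route's `permission_callback` rather than inside the constructor: constructors run on every page load regardless of who is requesting, so a capability test there cannot gate later requests to the endpoint.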
Affected Systems and Versions
- Product: Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App (WordPress plugin)
- Affected versions: All versions up to and including 3.6.0
- Vulnerable configuration: Any WordPress installation with the affected plugin version active
Vendor Security History
The Post SMTP plugin has a history of critical authorization and REST API exposure vulnerabilities:
- CVE-2025-24000: Missing authorization allowed authenticated users to access email logs
- CVE-2023-6875: Type juggling in a REST endpoint allowed unauthenticated API key reset and log access
The vendor has issued patches in response to disclosures, but similar issues have recurred, indicating a need for improved security review and development practices.