CVE-2025-11833
Published: 01 November 2025
Description
Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.
Security Summary
CVE-2025-11833 is a critical-severity vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in the Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress, affecting all versions up to and including 3.6.0. The issue stems from a missing capability check in the __construct function (CWE-862, Missing Authorization): the plugin never verifies that the requester is an authorized user before serving the email log it stores, so unauthenticated requests can read logged email data.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction. By requesting the plugin's email log functionality directly, they can read emails sent through Post SMTP, including password reset emails that contain reset links. Because the log is readable by anyone, an attacker can trigger a password reset for a target account and then read the resulting reset link from the log, which enables account takeover on the targeted WordPress site by hijacking the reset process.
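The bug class is easiest to see side by side with its fix. The following is an added illustration written for this page, not Post SMTP's own code: a hypothetical WordPress plugin class whose constructor registers a handler that serves stored email log entries. The class names, option name and request parameters are invented; the WordPress functions (add_action, get_option, current_user_can, wp_verify_nonce, wp_send_json, wp_send_json_error) are the real core API.

```php
<?php
// Added example, not from Post SMTP. Illustrates CWE-862 (missing capability
// check) in a plugin that exposes its email log, and the hardened form.
// Assumed/hypothetical: both class names, the 'hypothetical_email_log' option,
// and the 'view_email_log' / '_wpnonce' request parameters. Runs inside a
// WordPress request, where the WP core functions below are defined.

// ---- Vulnerable pattern ----------------------------------------------------
// The constructor wires a handler onto 'init', which fires for EVERY request,
// including unauthenticated ones, and the handler performs no authorization.
class Hypothetical_Email_Log_Viewer_Vulnerable {
    public function __construct() {
        add_action( 'init', array( $this, 'maybe_serve_log' ) );
    }

    public function maybe_serve_log() {
        if ( empty( $_GET['view_email_log'] ) ) {
            return;
        }
        // No current_user_can() and no nonce: any visitor who knows the
        // parameter name receives every stored message, including the body
        // of password-reset emails and the reset links inside them.
        $entries = get_option( 'hypothetical_email_log', array() );
        wp_send_json( $entries ); // wp_send_json() exits after output
    }
}

// ---- Hardened pattern -----------------------------------------------------
// Same entry point, but the handler refuses to return anything unless the
// request comes from an authenticated administrator AND carries a nonce
// issued for this action (authorization plus CSRF protection).
class Hypothetical_Email_Log_Viewer_Fixed {
    public function __construct() {
        add_action( 'init', array( $this, 'maybe_serve_log' ) );
    }

    public function maybe_serve_log() {
        if ( empty( $_GET['view_email_log'] ) ) {
            return;
        }

        // Authorization (the CWE-862 fix): only users who may manage the
        // site get to read the log. Unauthenticated visitors never pass this.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 ); // calls wp_die(), exits
        }

        // CSRF protection: the link must carry a nonce created with
        // wp_create_nonce( 'view_email_log' ) for the current user.
        $nonce = isset( $_GET['_wpnonce'] )
            ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) )
            : '';
        if ( ! wp_verify_nonce( $nonce, 'view_email_log' ) ) {
            wp_send_json_error( 'invalid nonce', 403 );
        }

        $entries = get_option( 'hypothetical_email_log', array() );
        wp_send_json( $entries );
    }
}
```

The check must live in the request handler itself (or in a hook that only runs for authorized users), not merely in the menu code that links to it: WordPress hides admin menu entries from unprivileged users, but hiding a link is not authorization, and a handler reachable via a public hook such as 'init' or admin-ajax.php's nopriv path is reachable by anyone. A separate defensive measure, independent of the fix, is to avoid persisting full message bodies of password-reset emails in the first place, so a future authorization bug discloses less.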
The fix adds the missing capability check, as detailed in WordPress plugin changeset 3386160; sites should update to a release later than 3.6.0. Additional details are provided in the Wordfence threat intelligence advisory and in the vulnerable source code at tags/3.5.0/Postman/PostmanEmailLogs.php line 51. Security practitioners should update the plugin immediately, review web server access logs for unauthenticated requests reaching the plugin's email log functionality, check for unexpected password resets and newly created administrator accounts during the exposure window, and consider purging stored log entries that still contain live reset links.
Details
- CWE(s): CWE-862 (Missing Authorization)
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
- T1114.002 (Email Collection: Remote Email Collection)
Why these techniques?
The vulnerability enables unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) to access and collect logged emails remotely, including sensitive password reset emails (T1114.002).