CVE-2025-11833: 
WordPress vulnerability analysis and mitigation

The Post SMTP WordPress plugin (versions up to 3.6.0) contains a critical vulnerability (CVE-2025-11833) discovered on October 11, 2025, by researcher 'netranger'. This vulnerability affects over 400,000 WordPress sites and is related to unauthorized access of data due to a missing capability check in the __construct function (Wordfence Blog, WPScan).

The vulnerability stems from a missing authorization check in the '_construct' function of the plugin's 'PostmanEmailLogs' flow. The constructor directly renders logged email content when requested without performing capability checks. The vulnerability has received a critical CVSS score of 9.8 and is classified as CWE-862 (Missing Authorization). The issue was validated by Wordfence on October 15 and was fully disclosed to the vendor, Saad Iqbal, on the same day (Bleeping Computer).

The vulnerability allows unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links. This access can lead to complete account takeover and full site compromise. According to security researcher Ysrael Gurt, the vulnerability is particularly severe because the log ID is an auto-incremented number, making it easy for attackers to guess and view sensitive emails (Bleeping Computer).

A patch was released on October 29, 2025, with Post SMTP version 3.6.1. Website owners using Post SMTP are strongly advised to update to version 3.6.1 immediately or disable the plugin if immediate updating is not possible. However, security researchers note that even the fix may not fully address all risks, as password reset emails are still stored in logs and remain accessible to users with low privileges (Bleeping Computer).