
Alert: Critical Account Takeover Vulnerability in Post SMTP WordPress Plugin

A critical security vulnerability (CVE-2025-11833) has been disclosed in the Post SMTP WordPress plugin, which has over 400,000 active installations. The flaw allows unauthenticated attackers to read the plugin's email logs, including password reset messages, and to use the reset links they contain to gain administrator access to affected websites.
 
Affected Systems:
  • WordPress Post SMTP plugin versions 3.6.0 and earlier.
 
Security Risks
Exploitation of this vulnerability enables attackers to take over any user account, including administrators, potentially leading to full site compromise.
 
Recommended Actions
The National Cyber Security Authority (NCSA) recommends that users and system administrators:
  • Ensure a current backup that can be easily restored is in place before applying any update or patch.
  • Upgrade, as soon as possible, to the latest supported version of the plugin to remain secure and continue receiving technical support and patches.
  • If the site was reachable while running a vulnerable version, review administrator accounts and recent password resets for signs of unauthorized access, since the flaw enables account takeover.
 
The released software version for upgrade is:
  • WordPress Post SMTP plugin version 3.6.1 (or later).
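The following script is an added example for checking the installed plugin version across a fleet of WordPress hosts; it is not part of this advisory and not code from the plugin's authors or NCSA. It assumes the standard WordPress layout, where the plugin's main PHP file under wp-content/plugins carries "Plugin Name:" and "Version:" header lines, and the install directory name post-smtp used in the usage line is an assumption. It compares versions component by component, so a version such as 3.10.0 is correctly treated as newer than 3.6.1 (a plain string comparison would flag it as vulnerable).

```shell
#!/bin/sh
# Added example, not Rw-CSIRT/NCSA code: check whether an installed
# Post SMTP plugin is still in the vulnerable range (3.6.0 and earlier).
# Assumptions: the plugin lives under wp-content/plugins/<slug>/ and its
# main PHP file carries the standard WordPress "Plugin Name:" and
# "Version:" header lines. The slug "post-smtp" in the usage line is an
# assumption about the plugin's install directory.

PATCHED_VERSION="3.6.1"

# plugin_version FILE: print the value of the "Version:" header in FILE.
plugin_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' "$1" | head -n 1
}

# version_lt A B: succeed if dotted version A is numerically lower than B.
# Compares component by component, so "3.10.0" is correctly newer than
# "3.6.1" (a plain string comparison would get this wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# is_vulnerable VERSION: succeed if VERSION predates the patched release.
is_vulnerable() {
    [ -n "$1" ] || return 2
    version_lt "$1" "$PATCHED_VERSION"
}

# check_plugin_dir DIR: locate the plugin's main file under DIR, read its
# version and report. Exit status: 0 patched, 1 vulnerable, 2 undetermined.
check_plugin_dir() {
    dir="$1"
    main=$(grep -l 'Plugin Name:' "$dir"/*.php 2>/dev/null | head -n 1)
    if [ -z "$main" ]; then
        echo "undetermined: no plugin header found under $dir"
        return 2
    fi
    ver=$(plugin_version "$main")
    if [ -z "$ver" ]; then
        echo "undetermined: no Version header in $main"
        return 2
    fi
    if is_vulnerable "$ver"; then
        echo "VULNERABLE: $main reports version $ver (update to $PATCHED_VERSION or later)"
        return 1
    fi
    echo "ok: $main reports version $ver"
    return 0
}

# Usage: sh check-post-smtp.sh /var/www/html/wp-content/plugins/post-smtp
if [ -n "${1:-}" ]; then
    check_plugin_dir "$1"
fi
```

The exit status (0 patched, 1 vulnerable, 2 undetermined) is meant to be consumed by configuration management or a fleet-wide loop over hosts. Where WP-CLI is available, `wp plugin get post-smtp --field=version` reports the same header value and can be fed to `is_vulnerable` in the same way.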
 
For further information and support, please contact the National Cyber Security Authority (NCSA) by email to rwcsirt@ncsa.gov.rw or call us on 9009.

06 November 2025

© 2025 National Cyber Security Authority