
Redazione RHC: 6 November 2025 14:52
Attackers are targeting WordPress websites by exploiting a critical vulnerability in the Post SMTP plugin, which has over 400,000 installations. Hackers are hijacking administrator accounts and gaining complete control over vulnerable resources.
Post SMTP is one of the most popular plugins for sending emails from WordPress sites. Its developers propose it as an advanced alternative to the standard wp_mail() function, offering enhanced features and greater reliability.
The vulnerability was discovered by a security researcher named netranger, who reported it to Wordfence on October 11. It has been assigned the identifier CVE-2025-11833 (CVSS score 9.8). The bug affects all versions of Post SMTP from 3.6.0 onwards.
The root of the problem is a missing access-rights check in the `__construct` method (the class constructor) of PostmanEmailLogs.
The component responsible for recording sent emails directly returns the log content upon request, without verifying who is requesting it. As a result, anyone can read the emails stored in the logs, including password reset messages with links to change administrator credentials. By intercepting such an email, a criminal hacker can change the administrator password and gain complete control of the site.
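To show the class of defect the article describes, here is a constructed WordPress plugin fragment (an added example, not Post SMTP's code; the class names, hook names and the `example_email_log` table are hypothetical): a log viewer that answers any caller, beside a version that authorises the request and withholds the message body.

```php
<?php
// Constructed illustration of a log endpoint with no access control.
// Names are hypothetical; this is not Post SMTP's implementation.

// --- Vulnerable pattern: the handler trusts whoever calls it -------------
class Example_Email_Logs_Vulnerable {
    public function __construct() {
        // 'wp_ajax_nopriv_' also registers the action for visitors who are
        // not logged in, so anyone can reach view_log().
        add_action( 'wp_ajax_example_view_log', array( $this, 'view_log' ) );
        add_action( 'wp_ajax_nopriv_example_view_log', array( $this, 'view_log' ) );
    }

    public function view_log() {
        global $wpdb;
        $id = absint( $_GET['id'] ?? 0 );
        // No capability check, no nonce: the full stored message, including
        // any password-reset link in it, goes back to the caller.
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}example_email_log WHERE id = %d", $id ) );
        wp_send_json( $row );
    }
}

// --- Hardened pattern: authorise first, then return the minimum ----------
class Example_Email_Logs_Hardened {
    public function __construct() {
        // Logged-in hook only: unauthenticated requests never reach the handler.
        add_action( 'wp_ajax_example_view_log', array( $this, 'view_log' ) );
    }

    public function view_log() {
        global $wpdb;
        // 1. CSRF protection: the request must carry a valid nonce.
        check_ajax_referer( 'example_view_log', 'nonce' );
        // 2. Authorisation: only administrators may read email logs.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        $id = absint( $_GET['id'] ?? 0 );
        // 3. Data minimisation: metadata only, never the message body, so a
        //    leaked log row cannot hand over a reset link.
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT id, to_email, subject, sent_at FROM {$wpdb->prefix}example_email_log WHERE id = %d",
            $id ) );
        wp_send_json_success( $row );
    }
}
```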
Wordfence notified the plugin developer of the critical vulnerability on October 15, but the patch wasn’t released until October 29: version 3.6.1 fixes the bug. However, according to WordPress.org statistics, only about half of the plugin’s users have installed the update, meaning approximately 200,000 websites remain vulnerable.
Worse still, hackers are already exploiting this latest vulnerability. According to experts, attempts to exploit CVE-2025-11833 have been recorded since November 1st, and in recent days Wordfence has blocked over 4,500 such attacks on its customers’ websites. Considering that Wordfence only protects a portion of the WordPress ecosystem, the actual number of hacking attempts could be in the tens of thousands.
It’s worth noting that this is the second serious vulnerability discovered in Post SMTP in recent months. In July 2025, cybersecurity firm Patchstack discovered a similar vulnerability, CVE-2025-24000. That flaw also allowed logs to be read and password reset emails to be intercepted, even by minimally privileged users.