CVE-2025-11833

moderate-risk

Published 2025-11-01

The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.

Do I need to act?

14.5% chance of exploitation in next 30 days

EPSS score — higher than 85% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

References (3)

https://plugins.trac.wordpress.org/browser/post-smtp/tags/3.5.0/Postman/PostmanE...

https://plugins.trac.wordpress.org/changeset/3386160/post-smtp

https://www.wordfence.com/threat-intel/vulnerabilities/id/491f44fc-712c-4f67-b5c...

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 12/34 · Low

Exposure 5/34 · Minimal