Threat actors are actively exploiting a critical vulnerability in the Post SMTP plugin, installed on more than 400,000 WordPress sites, to take full control of sites by hijacking administrator accounts.
Post SMTP is a popular email delivery solution marketed as a feature-rich and more reliable replacement for WordPress's default ‘wp_mail()’ function.
On October 11, WordPress security firm Wordfence received a report from researcher ‘netranger’ about an email log disclosure issue that could be leveraged for account takeover attacks.
The issue, tracked as CVE-2025-11833, received a critical-severity score of 9.8 and impacts all versions of Post SMTP up to and including 3.6.0.
The vulnerability stems from the lack of authorization checks in the ‘__construct’ function of the plugin’s ‘PostmanEmailLogs’ class.
That constructor directly renders logged email content when it is requested, without performing capability checks, allowing unauthenticated attackers to read arbitrary logged emails.
Source: Wordfence
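As an added illustration (not Post SMTP's own code; the class, option and parameter names are hypothetical), the following shows the pattern the article describes, a constructor that renders stored email logs on request with no capability check, alongside a hardened version that defers the work to a hook and verifies `current_user_can()` and a nonce before rendering anything:

```php
<?php
// Added illustration, not code from the Post SMTP plugin. Class names,
// the option key and the 'view_log' parameter are hypothetical.

// --- Vulnerable pattern: work done in the constructor, no authorization ---
class Hypothetical_Email_Logs_Vulnerable {
    public function __construct() {
        // Instantiated on every request, so any visitor who supplies the
        // parameter gets the log rendered, regardless of who they are.
        if ( isset( $_GET['view_log'] ) ) {
            $this->render_log( absint( $_GET['view_log'] ) );
        }
    }

    protected function render_log( $log_id ) {
        // A stored password-reset email, reset link included, would be echoed here.
        $log = get_option( 'hypothetical_email_log_' . $log_id, '' );
        echo wp_kses_post( $log );
    }
}

// --- Hardened pattern: defer to a hook, then check capability and nonce ---
class Hypothetical_Email_Logs_Hardened {
    public function __construct() {
        // The constructor only wires up a hook: no output, no decisions.
        add_action( 'admin_init', array( $this, 'maybe_render_log' ) );
    }

    public function maybe_render_log() {
        if ( ! isset( $_GET['view_log'] ) ) {
            return;
        }
        // 1. Only users allowed to manage the site may read logged mail.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die(
                esc_html__( 'You are not allowed to view email logs.' ),
                '',
                array( 'response' => 403 )
            );
        }
        // 2. The request must carry a valid nonce tied to this action;
        //    check_admin_referer() dies with a 403 if it does not.
        check_admin_referer( 'hypothetical_view_email_log' );

        $this->render_log( absint( $_GET['view_log'] ) );
    }

    protected function render_log( $log_id ) {
        $log = get_option( 'hypothetical_email_log_' . $log_id, '' );
        echo wp_kses_post( $log );
    }
}
```

The two changes that matter are that the constructor no longer performs any work on its own, and that the capability check runs before any log content is touched. When reviewing a plugin for this class of bug, constructors that read `$_GET` or `$_REQUEST`, or that produce output, are the places to look first.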
The exposure includes password reset messages containing links that allow an administrator’s password to be changed without the legitimate account holder’s involvement, potentially leading to account takeover and full site compromise.
Wordfence validated the researcher’s exploit on October 15 and fully disclosed the issue to the vendor, Saad Iqbal, on the same day.
A patch arrived on October 29 with Post SMTP version 3.6.1. Based on WordPress.org data, roughly half of the plugin’s users have downloaded it since the patch was released, leaving at least 210,000 sites vulnerable to admin takeover attacks.
According to Wordfence, hackers started exploiting CVE-2025-11833 on November 1. Since then, the security firm has blocked over 4,500 exploit attempts against its customers.
Given the active exploitation, site owners using Post SMTP are advised to move to version 3.6.1 immediately or disable the plugin.
In July, PatchStack revealed that Post SMTP was vulnerable to a flaw that allowed hackers to access email logs containing full message content, even from a subscriber-level account.
That flaw, tracked as CVE-2025-24000, had the same repercussions as CVE-2025-11833, allowing unauthorized users to trigger password resets, intercept the messages, and take control of administrator accounts.