Post SMTP < 3.6.1 – Account Takeover via Unauthenticated Email Log Disclosure | CVE 2025-11833 | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized access of data due to a missing capability check on the __construct function. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.

Affects Plugins

Fixed in 3.6.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/491f44fc-712c-4f67-b5c2-a7396941afc1

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

netranger

Verified

No

WPVDB ID

24288f2e-1d56-4a75-9365-b4985fe97469

Timeline

Publicly Published

2025-10-31 (about 1 month ago)

Added

2025-10-31 (about 1 month ago)

Last Updated

2025-10-31 (about 1 month ago)

Other

Published

Title

Published

2024-12-19

Title

Download Manager < 3.3.04 - Missing Authorization

Published

2025-06-26

Title

VG WORT METIS <= 2.0.1 - Missing Authorization

Published

2025-12-05

Title

Helloprint <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Modification

Published

2023-09-04

Title

rtMedia for WordPress, BuddyPress and bbPress < 4.6.15 - Missing Authorization to Settings Update

Published

2025-04-25

Title

Custom Login and Registration <= 1.0.0 - Missing Authorization