LmCast :: Stay tuned in

Critical Site Takeover Flaw Affects 400K WordPress Sites

Recorded: Nov. 5, 2025, 4:16 p.m.


Source: Dark Reading (Informa TechTarget), Vulnerabilities & Threats / News

Critical Site Takeover Flaw Affects 400K WordPress Sites

Attackers are already targeting a vulnerability in the Post SMTP plug-in that allows them to fully compromise an account and website for nefarious purposes.

Elizabeth Montalbano, Contributing Writer | November 5, 2025 | 3 Min Read
Image source: Primakov via Shutterstock

Threat actors are targeting a flaw in a WordPress plug-in with more than 400,000 downloads that allows for account and website takeover, and researchers warn that they expect a much larger wave of attacks to begin soon. Wordfence received a report of the flaw in the Post SMTP plug-in through its bug bounty program on Oct. 11, the company said in a blog post published this week. Several weeks later, on Nov. 1, attackers started targeting the vulnerability, which allows them to take over the WordPress account and website. So far, Wordfence's security protections have blocked more than 4,500 attacks.

The critical flaw is tracked as CVE-2025-11833 and was assigned a 9.8 CVSS score. It allows unauthorized access to data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0, according to Wordfence's advisory.

"This vulnerability makes it possible for unauthenticated threat actors to easily take over websites by resetting the password of any user, including administrators," Wordfence researcher István Márton wrote in the post.

Discovery, Disclosure, and a Fix

Post SMTP is a WordPress plug-in meant to replace the default PHP mail function with an SMTP mailer; it also provides email logging and other functionality. Wordfence credited the discovery to a user called "netranger," who submitted the flaw to its bug bounty program one day after it was introduced and earned $7,800 for the submission.

After Wordfence reported the flaw to Post SMTP's development team, the team released an updated version of the plug-in, 3.6.1, that addresses the flaw on Oct. 29. Wordfence urges anyone who uses the plug-in to update immediately to avoid compromise, as its data indicates not only that attacks have started, but that "a large campaign will likely start in the next few days," Márton wrote.

"We encourage WordPress users to verify that their sites are updated to the latest patched version of Post SMTP as soon as possible considering the critical nature of this vulnerability," he warned.

Why the Plug-in Flaw Exists

Examination of the vulnerable plug-in's code revealed an issue in its use of the PostmanEmailLogs class constructor to display the logged email message, according to Márton. "The most significant problem and vulnerability is caused by the fact that there are no capability checks in the function," he wrote.

Because nothing verifies who is asking, unauthenticated attackers can view any logged email, including password reset emails. An attacker can trigger a password reset for a site's administrator, read the reset email out of the log, follow the reset link to set a new password, log in to the account, and thus achieve full site compromise, Márton said.

From there an attacker can manipulate anything on the targeted site as a normal administrator would, such as uploading plug-in and theme files. This includes installing malicious files containing backdoors, and modifying posts and pages so that they redirect visitors to other malicious sites.

Further Mitigation and Defense for CVE-2025-11833

Because WordPress is the foundation for millions of websites, the platform, and its plug-ins especially, are notoriously popular targets for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to exploit plug-ins with large install bases, which is why they have moved so quickly to exploit the Post SMTP flaw and will continue to do so. Because the flaw compromises sites so easily, it is a significant threat to the plug-in's installed base, handing threat actors a platform from which to attack site visitors and conduct other malicious activities.

Wordfence has already issued a firewall rule to its Premium, Wordfence Care, and Wordfence Response users that blocks exploits for CVE-2025-11833; sites using the free version of Wordfence will receive the same protection on Nov. 14.

About the Author

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. She previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal.

This article details a critical vulnerability affecting more than 400,000 WordPress websites, stemming from a flaw in the Post SMTP plug-in. The issue, tracked as CVE-2025-11833 and assigned a 9.8 CVSS score, allows unauthenticated attackers to compromise websites by reading logged password reset emails and resetting administrator passwords. Wordfence, a WordPress security firm, received the report through its bug bounty program on October 11 and relayed it to Post SMTP's development team, which released a fixed version (3.6.1) on October 29. Attackers began exploiting the weakness on November 1, and Wordfence reports that its protections have already blocked more than 4,500 attack attempts, with a larger campaign expected to follow.

The root cause lies in a missing capability check in the PostmanEmailLogs class constructor, which the plug-in uses to display logged email messages. Because the constructor never verifies that the requester is authorized, unauthenticated attackers can read any logged email, including password reset emails; an attacker can trigger a reset for an administrator account, read the reset link out of the log, set a new password, and gain full control of the site. Every version up to and including 3.6.0 is affected, and the widespread adoption of the Post SMTP plug-in gives threat actors a correspondingly large attack surface.
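The pattern described above, as an added illustration that is not Post SMTP's code: a hypothetical WordPress email-log viewer that renders a stored message from its constructor with no authorization, beside a hardened version whose constructor only registers a hook and whose handler gates the output with a capability check, a nonce check, input validation and output escaping. All class, option and hook names (Hypothetical_Email_Log_Viewer, hyp_email_logs, hyp_view_email_log) are invented for the example; the WordPress functions used (current_user_can, check_admin_referer, wp_die, absint, esc_html, get_option, add_action) are the real core API.

```php
<?php
// Added example, not Post SMTP's code. Class, option and hook names are invented;
// the log storage format (an array of ['body' => ...] entries in an option) is an
// assumption chosen to keep the example self-contained.

// --- VULNERABLE shape: the constructor acts on request data with no authorization ---
class Hypothetical_Email_Log_Viewer_Vulnerable {
    public function __construct() {
        // Whoever can reach a code path that instantiates this class can read any
        // stored message, including password-reset emails. Escaping the output
        // does nothing for confidentiality: the problem is who gets to see it.
        if ( isset( $_GET['log_id'] ) ) {
            $logs = get_option( 'hyp_email_logs', array() );
            $id   = absint( $_GET['log_id'] );
            if ( isset( $logs[ $id ] ) ) {
                echo esc_html( $logs[ $id ]['body'] );
            }
        }
    }
}

// --- HARDENED shape: constructor wires hooks only; the handler fails closed ---
class Hypothetical_Email_Log_Viewer {
    // Mail logs can contain reset links, so only site administrators may read them.
    const REQUIRED_CAP = 'manage_options';

    public function __construct() {
        // Constructors should register behaviour, not perform it. admin_post_{action}
        // only fires for logged-in users, but "logged in" is not "authorized": a
        // subscriber can reach it too, which is why render() checks the capability.
        add_action( 'admin_post_hyp_view_email_log', array( $this, 'render' ) );
    }

    public function render() {
        // 1. Authorization: deny everyone who lacks the capability (403).
        if ( ! current_user_can( self::REQUIRED_CAP ) ) {
            wp_die(
                esc_html__( 'You are not allowed to view email logs.' ),
                '',
                array( 'response' => 403 )
            );
        }

        // 2. CSRF: the request must carry a valid nonce for this action.
        check_admin_referer( 'hyp_view_email_log' );

        // 3. Input validation: coerce the identifier and refuse unknown entries.
        $id   = isset( $_GET['log_id'] ) ? absint( $_GET['log_id'] ) : 0;
        $logs = get_option( 'hyp_email_logs', array() );
        if ( ! isset( $logs[ $id ] ) ) {
            wp_die( esc_html__( 'Log entry not found.' ), '', array( 'response' => 404 ) );
        }

        // 4. Output escaping, only after steps 1 to 3 have passed.
        echo '<pre>' . esc_html( $logs[ $id ]['body'] ) . '</pre>';
    }
}

// Wiring as a plug-in would do it: instantiating the hardened class is harmless
// because its constructor has no side effects beyond registering the hook.
new Hypothetical_Email_Log_Viewer();
```

Two checks worth separating when reviewing plug-in code of this kind: a nonce (check_admin_referer) proves the request was intentionally made from a page the site served, not that the requester is allowed to see the data, and is_admin() only tells you the request targets an admin-area URL. Neither substitutes for current_user_can() on the specific capability that should guard the data.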

Wordfence has implemented a firewall rule that blocks CVE-2025-11833 exploits for its Premium, Wordfence Care, and Wordfence Response users, and this protection will be extended to free users on November 14. A firewall rule is a stopgap, however: the durable fix is updating Post SMTP to version 3.6.1 or later, and Wordfence urges site owners to do so immediately.

The discovery of this vulnerability was attributed to a user named “netranger,” who submitted the flaw to Wordfence's bug bounty program and earned a reward of $7,800. This demonstrates the value of vulnerability disclosure programs in identifying security weaknesses before they can be exploited.

The incident underscores the ongoing challenge of maintaining the security of WordPress websites, particularly those relying on third-party plugins. The potential for widespread compromise due to vulnerabilities within popular plugins necessitates diligent monitoring, prompt patching, and the implementation of robust security measures. Moreover, the rapid response by Wordfence, coupled with the quick release of a fix by Post SMTP, exemplifies the critical role that security communities play in safeguarding online systems.