Attackers are already targeting a vulnerability in the Post SMTP plug-in that allows them to fully compromise an account and website for nefarious purposes.
November 5, 2025

Threat actors are targeting a flaw in a WordPress plug-in with more than 400,000 downloads that allows for account and website takeover, and researchers warn they expect attacks to begin in earnest soon.

Wordfence received a report of a flaw in the WordPress plug-in Post SMTP through its bug bounty program on Oct. 11, the company said in a blog post published this week. Several weeks later, on Nov. 1, attackers started targeting the vulnerability, which allows them to take over the WordPress account and website. So far, Wordfence's security protections have blocked more than 4,500 attacks.

The critical flaw is tracked as CVE-2025-11833 and was assigned a 9.8 CVSS score. It allows unauthorized access to data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0, according to Wordfence's advisory.

"This vulnerability makes it possible for unauthenticated threat actors to easily take over websites by resetting the password of any user, including administrators," Wordfence researcher István Márton wrote in the post.

Post SMTP is a WordPress plug-in meant to replace the default PHP mail function with an SMTP mailer, as well as provide email logging and other functionality.
Wordfence credited the discovery to a user called "netranger," who submitted the flaw to its bug bounty program one day after it was introduced and earned $7,800 for the submission.

After Wordfence reported the flaw to Post SMTP's development team, the team released version 3.6.1 of the plug-in, which addresses the flaw, on Oct. 29. Wordfence urges anyone who uses the plug-in on their website to update immediately to avoid compromise, as its data indicates not only that attacks have started but also that "a large campaign will likely start in the next few days," Márton wrote.

"We encourage WordPress users to verify that their sites are updated to the latest patched version of Post SMTP as soon as possible considering the critical nature of this vulnerability," he warned.

Examination of the vulnerable plug-in's code revealed an issue in its use of the PostmanEmailLogs class constructor to display logged email messages, according to Márton. "The most significant problem and vulnerability is caused by the fact that there are no capability checks in the function," he wrote.

This allows unauthenticated attackers to view any logged email, including password reset emails. An attacker can therefore trigger a password reset for a site's administrator, read the reset email from the log data, and use the reset key it contains to set a new password, log in to the account, and achieve full site compromise, Márton said. From there, an attacker can do anything on the targeted site that a legitimate administrator could, such as uploading plug-in and theme files.
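The bug class Wordfence describes is a constructor that does privileged work as soon as a request carries the right parameters, without asking who is making the request. The following is an added illustration of that pattern beside a hardened version; it is not Post SMTP's actual code, and the class names, the `hypo_` prefix, the table name, the `view`/`log_id` parameters and the nonce action are all hypothetical. The hardened version gates the read on a capability check and a nonce, and keeps the constructor free of side effects.

```php
<?php
/**
 * Added illustration, not Post SMTP's code. Every name below (Hypo_* classes,
 * the hypo_email_log table, the view/log_id parameters, the nonce action) is
 * hypothetical; only the WordPress API calls are real.
 */

// Shared storage/rendering so the two variants differ only in their gate.
abstract class Hypo_Email_Log_Store {
    protected function fetch_row( int $log_id ): ?array {
        global $wpdb;
        $table = $wpdb->prefix . 'hypo_email_log'; // hypothetical table name
        return $wpdb->get_row(
            $wpdb->prepare( "SELECT id, to_address, subject, body FROM {$table} WHERE id = %d", $log_id ),
            ARRAY_A
        );
    }

    protected function print_log( int $log_id ): void {
        $row = $this->fetch_row( $log_id );
        if ( ! $row ) {
            return;
        }
        // If a password reset email was logged, its body contains the reset link.
        echo '<h2>' . esc_html( $row['subject'] ) . '</h2>';
        echo '<pre>' . esc_html( $row['body'] ) . '</pre>';
    }
}

// ---------- Vulnerable pattern ----------
class Hypo_Email_Logs_Vulnerable extends Hypo_Email_Log_Store {
    public function __construct() {
        // No current_user_can(), no nonce: the request parameters alone decide
        // whether a stored email is printed. Any visitor who reaches a page that
        // instantiates this class with ?view=log&log_id=N reads message N.
        if ( isset( $_GET['view'], $_GET['log_id'] ) && 'log' === $_GET['view'] ) {
            $this->print_log( absint( $_GET['log_id'] ) );
        }
    }
}

// ---------- Hardened pattern ----------
class Hypo_Email_Logs_Fixed extends Hypo_Email_Log_Store {
    public function __construct() {
        // The constructor only registers a handler; it reads nothing itself.
        add_action( 'admin_init', array( $this, 'maybe_print_log' ) );
    }

    public function maybe_print_log(): void {
        if ( ! isset( $_GET['view'], $_GET['log_id'] ) || 'log' !== $_GET['view'] ) {
            return;
        }
        $log_id = absint( $_GET['log_id'] );

        // 1. Authorization. is_admin() only means "this is a wp-admin URL";
        //    current_user_can() is the check that decides who may read logs.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die(
                esc_html__( 'Sorry, you are not allowed to view email logs.' ),
                '',
                array( 'response' => 403 )
            );
        }

        // 2. Intent. The link must carry a nonce minted for this user and this
        //    log id, so a crafted link cannot make an admin's browser fetch a log.
        check_admin_referer( 'hypo_view_log_' . $log_id );

        $this->print_log( $log_id );
    }

    /** Build the only kind of link maybe_print_log() will accept. */
    public static function view_link( int $log_id ): string {
        $url = add_query_arg(
            array( 'page' => 'hypo_email_log', 'view' => 'log', 'log_id' => $log_id ),
            admin_url( 'admin.php' )
        );
        return wp_nonce_url( $url, 'hypo_view_log_' . $log_id );
    }
}
```

The point to check in a review is where the authorization lives: registering the settings page with a capability (for example `add_menu_page()` with `manage_options`) protects only that page's render callback, not a constructor or hook that reads `$_GET` on its own. A separate caveat for anyone logging outbound mail: a stored reset email keeps the reset link readable at rest for as long as the log is retained, so redacting or short retention for such messages limits the blast radius of any future read-path bug.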
That access lets them install files containing backdoors and modify posts and pages to redirect visitors to malicious sites.

Because it underpins millions of websites, the WordPress platform, and its plug-ins in particular, is a notoriously popular target for threat actors, offering a broad attack surface. Attackers especially like to exploit plug-ins with large install bases, which is why they moved so quickly on the Post SMTP flaw and will continue to do so. The ease with which this flaw hands over a site is itself a significant threat to the plug-in's installed base: each compromised site becomes a platform from which threat actors can conduct further malicious activity against its visitors.

Wordfence has already issued a firewall rule to its Premium, Wordfence Care, and Wordfence Response users that blocks exploits for CVE-2025-11833; sites using the free version of Wordfence will receive the same protection on Nov. 14.

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal.
Copyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget.