Critical Site-Takeover Flaw Hits 400K+ WordPress Installations


What happened

A severe vulnerability (CVE-2025-11833) has been discovered in the widely used Post SMTP plug-in for WordPress. The flaw, assigned a CVSS score of 9.8, allows unauthenticated threat actors to reset administrator passwords and fully compromise websites. 

The issue stems from a missing capability check in the plug-in's "__construct" function. Because the check is absent, unauthenticated requests can read the plug-in's email log, which includes password-reset messages, and an attacker can use those messages to take over administrator accounts and the sites they control.

The plug-in, which has more than 400,000 downloads, was patched in version 3.6.1 on October 29. Attacks began as early as November 1, with at least 4,500 attempts already blocked by Wordfence.

Who is affected

Any organization or individual running WordPress sites that include the Post SMTP plug-in (version 3.6.0 or earlier) is at risk. The scale is substantial: with hundreds of thousands of installations, the potential attack surface is large.

Sites that rely on WordPress for business operations, content management, or customer interaction are especially exposed. Attackers who gain access can upload malicious plugins/themes, redirect users, or use the website as a platform for further attacks.

Why CISOs should care

  • Scope & ubiquity: With 400K+ known installations and WordPress being a frequent target, the risk is extensive.
  • Ease of exploitation: The vulnerability enables full site takeover without prior authentication, raising the bar of urgency.
  • Business impact: A compromised website can lead to reputational damage, SEO/domain blacklisting, customer trust erosion, and possibly downstream breaches.
  • Supply-chain and plug-in risk: This event underscores how third-party plug-ins, even those seemingly benign (SMTP/email logging in this case), can become high-impact attack vectors.

Given these factors, CISOs need to ensure that their asset and vendor/plug-in risk management processes are robust, and that incident response for compromised web assets is ready.

3 Practical actions for CISOs

  1. Inventory & patch: Immediately identify all WordPress instances in your environment, determine if Post SMTP is installed (and which version), and upgrade to version 3.6.1 or later. If you can’t upgrade immediately, disable the plug-in or remove it temporarily.
  2. Strengthen monitoring and response: Enable logging of website administrative actions, monitor for unusual account changes (such as password resets and new admin users), and deploy web application firewall (WAF) rules or plug-in security controls to block known exploit patterns (e.g., as provided by Wordfence). 
  3. Review plug-in risk governance: Re-assess your policy for third-party plug-in usage. Set validation criteria (developer reputation, update frequency, security audit), prioritize critical updates, and ensure plug-in removal is part of drift and footprint management. Use this incident as a case study to reinforce plug-in risk in board-level reporting.
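As an added example for step 1 (not code from the advisory, Wordfence, or the Post SMTP project), the following Python script reads the standard WordPress plugin header from the plug-in's main file under each docroot and flags any install older than the patched 3.6.1 release. The plugin directory slug "post-smtp" and the docroot path are assumptions used as placeholders.

```python
# Added example: flag Post SMTP installs older than the patched 3.6.1 release by
# reading the plugin's main-file header. The directory slug "post-smtp" and the
# docroot paths are placeholders (assumptions), not values from the advisory.
import os
import re

PATCHED = (3, 6, 1)          # first fixed version named in the advisory
PLUGIN_SLUG = "post-smtp"    # assumed plugin directory name under wp-content/plugins

# WordPress plugin headers sit in a PHP comment block at the top of the main file,
# using "Plugin Name:" and "Version:" keys (optionally prefixed with " * ").
PLUGIN_NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.M | re.I)
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def parse_version(raw):
    """'3.6.0' -> (3, 6, 0); non-numeric suffixes such as '-beta' are dropped."""
    parts = re.match(r"[0-9.]+", raw).group(0).strip(".").split(".")
    return tuple(int(p) for p in parts if p)

def check_header(php_source):
    """Return (plugin_name, version_tuple, vulnerable) or None if no header is present."""
    name = PLUGIN_NAME_RE.search(php_source)
    ver = VERSION_RE.search(php_source)
    if not name or not ver:
        return None
    version = parse_version(ver.group(1))
    return name.group(1), version, version < PATCHED

def scan_docroots(docroots):
    """Find the plugin's main file under each docroot and report its patch status."""
    findings = []
    for root in docroots:
        plugin_dir = os.path.join(root, "wp-content", "plugins", PLUGIN_SLUG)
        if not os.path.isdir(plugin_dir):
            continue
        for fname in sorted(os.listdir(plugin_dir)):
            if not fname.endswith(".php"):
                continue
            with open(os.path.join(plugin_dir, fname), encoding="utf-8", errors="replace") as fh:
                result = check_header(fh.read(8192))   # the header block is at the top
            if result:
                findings.append((root,) + result)
                break
    return findings

# Constructed sample headers (not the plugin's real files) for a dry run.
SAMPLE_OLD = "<?php\n/**\n * Plugin Name: Post SMTP\n * Version: 3.6.0\n */\n"
SAMPLE_FIXED = "<?php\n/*\nPlugin Name: Post SMTP\nVersion: 3.6.1\n*/\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_FIXED):
        print(check_header(sample))
    for root, name, ver, vuln in scan_docroots(["/var/www/example-site"]):  # placeholder
        print(f"{root}: {name} {'.'.join(map(str, ver))} -> {'UPGRADE' if vuln else 'ok'}")
```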