Critical Site-Takeover Flaw Hits 400K+ WordPress Installations

Related

Hackers Exploit Critical Auth Bypass in Gitea Docker Image

What happened Hackers are actively exploiting a critical authentication bypass...

Zimbra Urges Customers to Patch Critical Web Client XSS Flaw

What happened Zimbra urged customers to patch a critical stored...

Progress Urges ShareFile Customers to Shut Down Servers Over Credible Threat

What happened Progress Software warned ShareFile customers using Storage Zone...

Ubiquiti Discloses 25 Security Flaws Across UniFi Ecosystem

What happened Ubiquiti disclosed 25 security vulnerabilities affecting products across...

AirDrop and Quick Share Flaws Allow Attackers to Crash Nearby Devices

What happened Security researchers disclosed multiple vulnerabilities affecting Apple AirDrop...

Share

What happened

A severe vulnerability (CVE-2025-11833) has been discovered in the widely used Post SMTP plug-in for WordPress. The flaw, assigned a CVSS score of 9.8, allows unauthenticated threat actors to reset administrator passwords and fully compromise websites. 

The issue stems from a missing capability check in the plug-in’s “__construct” function, enabling attackers to access logged email messages (including password resets) and take over accounts and sites.

The plug-in, which has more than 400,000 downloads, was patched in version 3.6.1 on October 29. Attacks began as early as November 1, with at least 4,500 attempts already blocked by Wordfence.

Who is affected

Any organization or individual running WordPress sites that include the Post SMTP plug-in (version 3.6.0 or earlier) is at risk. The scale is substantial: with hundreds of thousands of installations, the potential attack surface is large.

Sites that rely on WordPress for business operations, content management, or customer interaction are especially exposed. Attackers who gain access can upload malicious plugins/themes, redirect users, or use the website as a platform for further attacks.

Why CISOs should care

  • Scope & ubiquity: With 400 K+ known installations and WordPress being a frequent target, the risk is extensive.
  • Ease of exploitation: The vulnerability enables full site takeover without prior authentication, raising the bar of urgency.
  • Business impact: A compromised website can lead to reputational damage, SEO/domain blacklisting, customer trust erosion, and possibly downstream breaches.
  • Supply-chain and plug-in risk: This event underscores how third-party plug-ins, even those seemingly benign (SMTP/email logging in this case), can become high-impact attack vectors.
    Given these factors, CISOs need to ensure that their asset and vendor/plug-in risk management processes are robust, and that incident response for compromised web assets is ready.

3 Practical actions for CISOs

  1. Inventory & patch: Immediately identify all WordPress instances in your environment, determine if Post SMTP is installed (and which version), and upgrade to version 3.6.1 or later. If you can’t upgrade immediately, disable the plug-in or remove it temporarily.
  2. Strengthen monitoring and response: Enable logging of website administrative actions, monitor for unusual account changes (such as password resets and new admin users), and deploy web application firewall (WAF) rules or plug-in security controls to block known exploit patterns (e.g., as provided by Wordfence). 
  3. Review plug-in risk governance: Re-assess your policy for third-party plug-in usage. Set validation criteria (developer reputation, update frequency, security audit), prioritize critical updates, and ensure plug-in removal is part of drift and footprint management. Use this incident as a case study to reinforce plug-in risk in board-level reporting.
1524023125746
+ posts