CVE-2025-11833
Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App <= 3.6.0 - Missing Authorization to Account Takeover via Unauthenticated Email Log Disclosure
CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th
The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.
| CWE | CWE-862 |
| Vendor | saadiqbal |
| Product | post smtp – complete email deliverability and smtp solution with email logs, alerts, backup smtp & mobile app |
| Published | Nov 1, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for saadiqbal post smtp – complete email deliverability and smtp solution with email logs, alerts, backup smtp & mobile app
Be the first to know when new critical vulnerabilities affecting saadiqbal post smtp – complete email deliverability and smtp solution with email logs, alerts, backup smtp & mobile app are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
saadiqbal / Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App
0 ≤ 3.6.0
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/491f44fc-712c-4f67-b5c2-a7396941afc1?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/post-smtp/tags/3.5.0/Postman/PostmanEmailLogs.php#L51 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3386160/post-smtp
Credits
Carl Pearson