CVE-2025-11833 CRITICAL

CVE-2025-11833: Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App <= 3.6.0 - Missing Authorization to Account Takeover via Unauthenticated Email Log Disclosure

Vendor Saadiqbal
Product Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App
Weakness CWE-862 · Missing authorization
Published November 1, 2025
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.

Key dates

02Disclosure timeline

November 1, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-31350 WordPress AWP Classifieds plugin <= 4.3.1 - Broken Access Control vulnerability CVE-2025-66101 WordPress CBX Bookmark & Favorite plugin <= 2.0.1 - Broken Access Control vulnerability CVE-2026-24540 WordPress Integrate Google Drive plugin <= 1.5.6 - Broken Access Control vulnerability CVE-2024-42372 Missing Authorization check in SAP NetWeaver AS Java (System Landscape Directory) CVE-2026-28554 wpForo Forum 2.4.14 Missing Authorization via Post Approval AJAX Handler