CVE-2025-11833: CWE-862 Missing Authorization in saadiqbal Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App
The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.
AI Analysis
Technical Summary
The Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App WordPress plugin suffers from a missing capability check in its __construct function in all versions up to 3.6.0. This authorization bypass vulnerability (CWE-862) allows unauthenticated attackers to read arbitrary logged emails sent through the plugin. Exploitation could expose sensitive information such as password reset emails containing reset links, potentially enabling account takeover. The vulnerability is remotely exploitable without authentication or user interaction, resulting in high confidentiality, integrity, and availability impact. No known exploits are reported in the wild, and no patch or remediation details have been provided by the vendor as of the publication date.
Potential Impact
An attacker can remotely access sensitive logged emails without authentication, including password reset emails. This exposure can lead to account takeover and compromise of user accounts. The vulnerability affects confidentiality, integrity, and availability of the affected system. Given the critical CVSS score of 9.8, the impact is severe.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider disabling the Post SMTP plugin or restricting access to its logs and email data to trusted users only. Monitor vendor channels for updates and apply patches promptly once available.
CVE-2025-11833: CWE-862 Missing Authorization in saadiqbal Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App
Description
The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App WordPress plugin suffers from a missing capability check in its __construct function in all versions up to 3.6.0. This authorization bypass vulnerability (CWE-862) allows unauthenticated attackers to read arbitrary logged emails sent through the plugin. Exploitation could expose sensitive information such as password reset emails containing reset links, potentially enabling account takeover. The vulnerability is remotely exploitable without authentication or user interaction, resulting in high confidentiality, integrity, and availability impact. No known exploits are reported in the wild, and no patch or remediation details have been provided by the vendor as of the publication date.
Potential Impact
An attacker can remotely access sensitive logged emails without authentication, including password reset emails. This exposure can lead to account takeover and compromise of user accounts. The vulnerability affects confidentiality, integrity, and availability of the affected system. Given the critical CVSS score of 9.8, the impact is severe.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider disabling the Post SMTP plugin or restricting access to its logs and email data to trusted users only. Monitor vendor channels for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-15T19:10:23.277Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6905841371a6fc4aff3da4a6
Added to database: 11/1/2025, 3:52:51 AM
Last enriched: 4/9/2026, 3:58:06 PM
Last updated: 5/10/2026, 5:18:39 AM
Views: 800
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.