CVE-2025-11833 · CRITICAL 9.8 · EPSS p98.8%

Description

The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 50.28% probability of exploitation · percentile 98.8% · 2026-06-18T12:00:27Z
Published: 2025-11-01
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-862

References

  1. https://plugins.trac.wordpress.org/browser/post-smtp/tags/3.5.0/Postman/PostmanEmailLogs.php#L51
  2. https://plugins.trac.wordpress.org/changeset/3386160/post-smtp
  3. https://www.wordfence.com/threat-intel/vulnerabilities/id/491f44fc-712c-4f67-b5c2-a7396941afc1?source=cve

Type | Target | Confidence | Tier
Weakness | Missing Authorization (cwe-862) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2025-5486
  - CVE-2026-6963
  - CVE-2025-6993
  - CVE-2026-6235
  - CVE-2025-4473
  - CVE-2025-15018

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.