CVE-2025-11833

Tags: Critical · Exploited · Nuclei

Post SMTP < 3.6.0 - Unauthenticated Arbitrary Email Log Access via Missing Capability Check


Exploitation Summary

CVE-2025-11833 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including halilkirazkaya, bocgoInfosec. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository provides a technical writeup for CVE-2025-11833, detailing an unauthorized data access vulnerability in the Post SMTP WordPress plugin due to a missing capability check. It includes a PoC request demonstrating how unauthenticated attackers can read arbitrary logged emails, potentially leading to account takeover.

Description

The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.

Exploits (3)

GitHub · Writeup · 4 stars
by halilkirazkaya · poc
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2025/CVE-2025-11833.md

The repository provides a technical writeup for CVE-2025-11833, detailing an unauthorized data access vulnerability in the Post SMTP WordPress plugin due to a missing capability check. It includes a PoC request demonstrating how unauthenticated attackers can read arbitrary logged emails, potentially leading to account takeover.

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App (versions up to and including 3.6.0)
Auth: No auth needed
Prerequisites: WordPress site with Post SMTP plugin installed and vulnerable version
devstral-2 · analyzed Feb 27, 2026
nomisec · Scanner · 1 star
by halilkirazkaya · infoleak
https://github.com/halilkirazkaya/CVE-2025-11833

This repository contains a Python-based scanner for CVE-2025-11833, which checks for exposed email logs in WordPress sites by iterating through log IDs. It does not exploit the vulnerability but verifies its presence by querying endpoints and analyzing responses.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WordPress (specific version not specified)
Auth: No auth needed
Prerequisites: Target WordPress site URL · Valid username to test against
devstral-2 · analyzed Feb 16, 2026
nomisec · Scanner
by bocgoInfosec · poc
https://github.com/bocgoInfosec/CVE-2025-11833-PoC

This repository contains a scanner tool for CVE-2025-11833, which checks for exposed email logs in the Post SMTP plugin for WordPress. It does not exploit the vulnerability but detects potential information leakage by querying log IDs.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Post SMTP plugin for WordPress (version 3.6.0)
Auth: No auth needed
Prerequisites: WordPress site with Post SMTP plugin installed · Accessible wp-login.php endpoint
devstral-2 · analyzed Mar 04, 2026

Nuclei Templates (1)

Post SMTP <= 3.6.0 - Email Log Disclosure
Critical · Verified · by Kazgangap
Shodan: http.html:/wp-content/plugins/post-smtp
FOFA: body=/wp-content/plugins/post-smtp

Scores

CVSS v3: 9.8
EPSS: 0.1525
EPSS Percentile: 94.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2025-11-01
CWE: CWE-862
Status: published
Products (2)
saadiqbal/Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App < 3.6.0
saadiqbal/Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App < 3.6.0
Published: Nov 01, 2025
Tracked Since: Feb 18, 2026