CVE-2025-11833

Critical

Published: 01 November 2025

Published

01 November 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.1525 94.7th percentile

Risk Priority 29 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-11833 is a critical-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access, directly addressing the missing capability check that allows unauthenticated access to sensitive email logs.

AC-6 Least Privilege good match

prevent

Implements least privilege to ensure only authorized users or processes can access plugin email logs, mitigating the lack of capability checks.

SI-2 Flaw Remediation good match

prevent

Requires identification, reporting, and correction of flaws like the missing access check through timely plugin updates as specified in the mitigation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1114.002 Remote Email Collection Collection

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.

attack.mitre.org →

Why these techniques?

The vulnerability enables unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) to access and collect logged emails remotely, including sensitive password reset emails (T1114.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to,…

and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.

Deeper analysisAI

CVE-2025-11833 is a high-severity vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in the Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress, affecting all versions up to and including 3.6.0. The issue stems from a missing capability check on the __construct function (CWE-862), which allows unauthorized access to logged email data stored by the plugin.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By accessing the plugin's email logs endpoint, they can read arbitrary emails sent through Post SMTP, including sensitive password reset emails containing reset links. This exposure enables account takeover on the targeted WordPress site by hijacking the reset process.

Mitigation is available through an update addressing the capability check, as detailed in WordPress plugin changeset 3386160. Additional details are provided in the Wordfence threat intelligence advisory and the vulnerable source code at tags/3.5.0/Postman/PostmanEmailLogs.php line 51. Security practitioners should update the plugin immediately and review logs for unauthorized access.