CVE-2025-11833
Published: 01 November 2025
Summary
CVE-2025-11833 is a critical-severity Missing Authorization (CWE-862) vulnerability in the Post SMTP plugin for WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
The Post SMTP plugin for WordPress, which provides SMTP email delivery with logging and alerts, contains a missing capability check in the __construct function of its email logging component. This flaw affects all versions through 3.6.0 and allows direct access to stored email data without authentication, as confirmed by code references in the plugin's PostmanEmailLogs.php file.
Unauthenticated attackers can exploit the issue over the network to retrieve arbitrary logged messages processed by the plugin. Because these logs include password reset emails containing reset links, successful exploitation can enable account takeover on the affected WordPress site, consistent with the vulnerability's CVSS 9.8 rating and CWE-862 classification.
Public references point to a plugin changeset that addresses the authorization gap, and Wordfence has published corresponding threat intelligence detailing the exposure. Site administrators should apply the available update to eliminate the missing check.
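To make the bug class concrete, here is an added example (hypothetical code, not the Post SMTP plugin's own): a constructor that wires up an email-log handler without any capability check, next to the hardened form that applies the access-enforcement and least-privilege controls listed under Mitigating Controls. The class names, AJAX hook names, nonce action and table name are assumptions.

```php
<?php
// Added illustration, not the Post SMTP plugin's code: the bug class described above.
// Class names, hook names, the nonce action and the table name are hypothetical.

class Hypothetical_Email_Log_Viewer_Vulnerable {
    public function __construct() {
        // Wiring the handler to both the logged-in and the "nopriv" AJAX hooks makes it
        // reachable by anyone; nothing below checks who is asking.
        add_action( 'wp_ajax_view_email_log', array( $this, 'view_log' ) );
        add_action( 'wp_ajax_nopriv_view_email_log', array( $this, 'view_log' ) );
    }

    public function view_log() {
        global $wpdb;
        $id  = absint( $_GET['id'] ?? 0 );
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}hypothetical_email_log WHERE id = %d", $id ) );
        wp_send_json_success( $row ); // full message body, reset links included, goes to the caller
    }
}

class Hypothetical_Email_Log_Viewer_Fixed {
    public function __construct() {
        // Authenticated hook only: anonymous requests never reach the handler.
        add_action( 'wp_ajax_view_email_log', array( $this, 'view_log' ) );
    }

    public function view_log() {
        global $wpdb;
        // Capability check (AC-3 / AC-6): reading mail logs is an administrative action.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() ends the request
        }
        // Nonce check so an administrator cannot be made to issue the request cross-site.
        check_ajax_referer( 'view_email_log_nonce', 'nonce' );
        $id  = absint( $_GET['id'] ?? 0 );
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}hypothetical_email_log WHERE id = %d", $id ) );
        if ( ! $row ) {
            wp_send_json_error( 'not found', 404 );
        }
        wp_send_json_success( $row );
    }
}

new Hypothetical_Email_Log_Viewer_Fixed();
```

When reviewing a plugin for this class of flaw, look at every handler registered from a constructor and confirm that the capability and nonce checks sit in the handler itself rather than being assumed from the hook it was attached to.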
The associated EPSS score rose from a low baseline to a peak of 0.3146 on 2026-02-23 before receding, indicating that exploitation interest increased after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-37413
Vulnerability details
The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) to access and collect logged emails remotely, including sensitive password reset emails (T1114.002).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access, directly addressing the missing capability check that allows unauthenticated access to sensitive email logs.
- AC-6 (Least Privilege): Implements least privilege so that only authorized users or processes can access plugin email logs, mitigating the lack of capability checks.
- SI-2 (Flaw Remediation): Requires identification, reporting, and correction of flaws like the missing access check through timely plugin updates, as specified in the mitigation.