Cyber Resilience

CVE-2025-11833

Critical

Published: 01 November 2025

Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.1525 (94.8th percentile)
Risk priority: 29 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-11833 is a critical-severity Missing Authorization (CWE-862) vulnerability in the Post SMTP plugin for WordPress (affected product inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

The Post SMTP plugin for WordPress, which provides SMTP email delivery with logging and alerts, lacks a capability check in the __construct function of its email logging component. The flaw affects all versions through 3.6.0 and allows direct access to stored email data without authentication, as confirmed by code references in the plugin's PostmanEmailLogs.php file.

Unauthenticated attackers can exploit the issue over the network to retrieve arbitrary logged messages processed by the plugin. Because these logs include password reset emails containing reset links, successful exploitation can enable account takeover on the affected WordPress site, consistent with the vulnerability's CVSS 9.8 rating and CWE-862 classification.

Public references point to a plugin changeset that addresses the authorization gap, and Wordfence has published corresponding threat intelligence detailing the exposure. Site administrators should apply the available update to eliminate the missing check.
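To make the defect class concrete, the following is an added PHP sketch, not the Post SMTP plugin's code or its actual fix: a log-viewer constructor that serves stored emails on a request parameter with no authorization check, beside a hardened version that defers the handler to a hook and gates it on a capability and a nonce. The class, hook, table and parameter names are assumptions.

```php
<?php
// Added illustration of the CWE-862 pattern described above. This is NOT the
// Post SMTP plugin's code: class, hook, table and parameter names are assumed.

class Hypothetical_Email_Logs {
    // Shared data access used by both constructors below (table name assumed).
    protected function render_log( int $id ): void {
        global $wpdb;
        $sql = "SELECT subject, body FROM {$wpdb->prefix}hypothetical_email_log WHERE id = %d";
        $row = $wpdb->get_row( $wpdb->prepare( $sql, $id ) );
        if ( $row ) {
            echo esc_html( $row->subject ), "\n", esc_html( $row->body );
        }
        exit;
    }
}

// BEFORE (vulnerable pattern): the constructor serves a stored email to anyone
// who supplies an id. Nothing here asks who is making the request.
class Hypothetical_Email_Logs_Vulnerable extends Hypothetical_Email_Logs {
    public function __construct() {
        if ( isset( $_GET['view_log'] ) ) {
            $this->render_log( (int) $_GET['view_log'] );
        }
    }
}

// AFTER (hardened pattern): the handler runs on a hook, so the current user is
// known, and is gated on an administrative capability plus a nonce.
class Hypothetical_Email_Logs_Hardened extends Hypothetical_Email_Logs {
    public function __construct() {
        // Plugin constructors run before WordPress has determined the current
        // user, so a capability check there would be meaningless; hook admin_init.
        add_action( 'admin_init', array( $this, 'maybe_render_log' ) );
    }

    public function maybe_render_log(): void {
        if ( ! isset( $_GET['view_log'] ) ) {
            return;
        }
        // Access enforcement (AC-3) and least privilege (AC-6): administrators only.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Forbidden', '', array( 'response' => 403 ) );
        }
        // Reject forged cross-site requests; check_admin_referer() dies on failure.
        check_admin_referer( 'hypothetical_view_log' );
        $this->render_log( (int) $_GET['view_log'] );
    }
}
```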

The associated EPSS score rose from a low baseline to a peak of 0.3146 on 2026-02-23 before receding, indicating that exploitation interest increased after disclosure.

Vulnerability details

The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1114.002 Remote Email Collection (Collection): Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.
Why these techniques?

The vulnerability enables unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) to access and collect logged emails remotely, including sensitive password reset emails (T1114.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)
CVE-2026-3045 (shared CWE-862)
CVE-2025-67956 (shared CWE-862)
CVE-2025-41765 (shared CWE-862)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for logical access, directly addressing the missing capability check that allows unauthenticated access to sensitive email logs.

AC-6 Least Privilege (prevent): Implements least privilege to ensure only authorized users or processes can access plugin email logs, mitigating the lack of capability checks.

SI-2 Flaw Remediation (prevent): Requires identification, reporting, and correction of flaws such as the missing access check through timely plugin updates, as specified in the mitigation.
