All news with #post smtp tag

Critical Post SMTP WordPress Plugin Flaw Enables Takeover

⚠️ A critical vulnerability in the popular Post SMTP WordPress plugin, which has more than 400,000 active installations, allowed unauthenticated attackers to read email logs — including password reset messages — and change any user password, enabling full account and site takeover. Wordfence reported active exploitation and urged immediate updates after detecting thousands of automated attacks. Administrators should install the patched release or disable the plugin immediately to prevent compromise.

Hackers Exploit Post SMTP Plugin to Hijack Admin Accounts

⚠️ WordPress sites using Post SMTP (≤3.6.0) are under active attack after disclosure of CVE-2025-11833, a critical (9.8) email log disclosure that lets unauthenticated actors read password-reset messages and hijack administrator accounts. A vendor patch, Post SMTP 3.6.1, was released Oct 29, but roughly 210,000 sites remain unpatched. Wordfence observed exploitation beginning Nov 1 and has blocked over 4,500 attempts; site owners should update or disable the plugin immediately.

WordPress Plugin and Theme Vulnerabilities Surge in 2025

⚠️ Recent investigations show a wave of active attacks against WordPress plugins and themes, including Gravity Forms, the Alone and Motors themes, and Post SMTP. Exploits have enabled remote code execution, administrator account takeover, and mass site compromise, while the Efimer trojan has been distributed from some infected sites. Vendors have issued patches, but many sites remain unpatched—site owners should update immediately and follow hardening best practices.