On October 11th, 2025, we received a submission for an Account Takeover via Email Log Disclosure vulnerability in Post SMTP, a WordPress plugin with more than 400,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, which allows them to take over the account and the website.
Our data indicates that attackers have already started targeting this vulnerability as early as November 1st, 2025, with over 4,500 attacks already blocked.
Props to netranger who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This vulnerability was disclosed to our program just one day after it was introduced. This researcher earned a bounty of $7,800.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to our multi-layered approach to security.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on October 15, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on November 14, 2025.
We provided full disclosure details to the WP Experts team instantly through our Wordfence Vulnerability Management Portal on October 15, 2025. The vendor released the patch on October 29, 2025. We would like to commend the WP Experts team for their prompt response and timely patch.
We urge users to update their sites to the latest patched version of Post SMTP, version 3.6.1 at the time of this publication, as soon as possible: active exploitation has already started and we expect the campaign to pick up soon.
Calling all Vulnerability Researchers and Bug Bounty Hunters!
Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!
The LFInder Challenge: Refine your LFI hunting skills with an expanded scope. Now through November 24, 2025, all LFI vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier, AND earn a 30% bonus on all Local File Inclusion vulnerability submissions not already increased by another promotion.
Vulnerability Summary from Wordfence Intelligence
Technical Analysis
Post SMTP is a WordPress plugin whose main purpose is to replace the default PHP mail function with an SMTP mailer. It also provides various other features, including email logging and much more.
Examining the code reveals that the plugin uses the PostmanEmailLogs class constructor to display the logged email message.
public function __construct() {
    global $wpdb;
    $this->db = $wpdb;
    $this->logger = new PostmanLogger( get_class( $this ) );
    // Render Message body in iframe.
    // Note: this branch is entered on the strength of three request parameters
    // alone; nothing verifies that the requester is logged in or holds any
    // capability before a logged email is read from the database and printed.
    if(
        isset( $_GET['page'] ) && $_GET['page'] == 'postman_email_log'
        &&
        isset( $_GET['view'] ) && $_GET['view'] == 'log'
        &&
        isset( $_GET['log_id'] ) && !empty( $_GET['log_id'] )
    ) {
        // Print
        if( isset( $_GET['print'] ) && $_GET['print'] == 1  ) {
            echo "<script>window.print();</script>";
        }
        // The log id is only sanitized as text; no ownership or access check follows.
        $id = sanitize_text_field( $_GET['log_id'] );
        $email_query_log = new PostmanEmailQueryLog();
        $log = $email_query_log->get_log( $id, '' );
        $header = $log['original_headers'];
        $msg = $log['original_message'];
        $msg = $this->purify_html( $msg );
        // The stored headers decide whether the body is echoed as HTML.
        // (strpos() returns 0 for a match at offset 0, which this truthiness test treats as no match.)
        echo ( isset ( $header ) && strpos( $header, "text/html" ) ) ? $msg : '' . $msg . '' ;
        die;
    }
}
The most significant problem and vulnerability is caused by the fact that there are no capability checks in the function. This makes it possible for unauthenticated attackers to view any logged email, including password reset emails. This can be used for complete site compromise by an attacker triggering a password reset for a site's administrator user, and then obtaining the password reset email through the log data. Once an attacker has the reset key from that email, they can set a new password for that user and log in to the account.
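As an added example (not the plugin's own code and not the vendor's 3.6.1 patch), here is the same rendering branch with the checks the vulnerable constructor lacks placed in front of it: a capability check, a nonce check, and integer validation of the log id. It assumes a WordPress runtime and the plugin's PostmanEmailQueryLog class with get_log() as called in the snippet above; the class name HardenedEmailLogView, the admin_init hook, the manage_options capability, the nonce action name and the use of wp_kses_post() in place of the plugin's purify_html() are choices made for this example.

```php
<?php
// Added example: the log-viewing branch with the checks the vulnerable
// constructor lacked. Not the plugin's code and not the 3.6.1 patch.
// Assumes a WordPress runtime and the plugin's PostmanEmailQueryLog class
// (get_log() is called as in the snippet above). Class name, hook,
// capability and nonce action are choices made for this example.

class HardenedEmailLogView {

    // Capability required to read logged email bodies (assumed choice).
    const REQUIRED_CAP = 'manage_options';

    // Nonce action bound to the view link (assumed name).
    const NONCE_ACTION = 'postman_view_email_log';

    public function __construct() {
        // Handle the request on admin_init rather than in the constructor, so the
        // branch is only evaluated inside the admin request cycle.
        add_action( 'admin_init', array( $this, 'maybe_render_log' ) );
    }

    // Builds the link the log list should use; it carries the nonce that
    // maybe_render_log() verifies, so forged or guessed URLs are rejected.
    public static function view_url( $log_id ) {
        $url = add_query_arg(
            array(
                'page'   => 'postman_email_log',
                'view'   => 'log',
                'log_id' => absint( $log_id ),
            ),
            admin_url( 'admin.php' )
        );
        return wp_nonce_url( $url, self::NONCE_ACTION, '_wpnonce' );
    }

    public function maybe_render_log() {
        if ( ! isset( $_GET['page'], $_GET['view'], $_GET['log_id'] )
            || 'postman_email_log' !== $_GET['page']
            || 'log' !== $_GET['view'] ) {
            return;
        }

        // 1. Authorization: the check missing from the vulnerable branch.
        //    Unauthenticated and low-privilege requests end here with a 403,
        //    before any database read happens.
        if ( ! current_user_can( self::REQUIRED_CAP ) ) {
            wp_die(
                esc_html__( 'You are not allowed to view email logs.', 'post-smtp' ),
                '',
                array( 'response' => 403 )
            );
        }

        // 2. Request forgery: the nonce must match the action used in view_url().
        check_admin_referer( self::NONCE_ACTION, '_wpnonce' );

        // 3. Input: the id is a database key, so require a positive integer
        //    instead of accepting any text that sanitize_text_field() passes.
        $id = absint( $_GET['log_id'] );
        if ( 0 === $id ) {
            wp_die( esc_html__( 'Invalid log id.', 'post-smtp' ), '', array( 'response' => 400 ) );
        }

        $email_query_log = new PostmanEmailQueryLog();
        $log             = $email_query_log->get_log( $id, '' );
        if ( empty( $log ) || ! isset( $log['original_message'] ) ) {
            wp_die( esc_html__( 'Log entry not found.', 'post-smtp' ), '', array( 'response' => 404 ) );
        }

        if ( isset( $_GET['print'] ) && '1' === $_GET['print'] ) {
            echo '<script>window.print();</script>';
        }

        $header = isset( $log['original_headers'] ) ? (string) $log['original_headers'] : '';
        $msg    = (string) $log['original_message'];

        // 4. Output: HTML bodies go through wp_kses_post() (used here instead of the
        //    plugin's purify_html()); plain-text bodies are escaped and wrapped so
        //    any markup they contain is never interpreted by the browser.
        if ( false !== strpos( $header, 'text/html' ) ) {
            echo wp_kses_post( $msg );
        } else {
            echo '<pre>' . esc_html( $msg ) . '</pre>';
        }
        exit;
    }
}

new HardenedEmailLogView();
```

The ordering is the point: current_user_can() runs before get_log(), so an unauthenticated request never touches the log table. The nonce is not a substitute for that check; a nonce only ties a request to an already logged-in session and protects against forged links, while the authorization decision itself is the capability check.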
Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.
Disclosure Timeline
October 11, 2025 - We received the submission for the Account Takeover via Email Log Disclosure vulnerability in Post SMTP via the Wordfence Bug Bounty Program.
October 15, 2025 - We validated the report and confirmed the proof-of-concept exploit.
October 15, 2025 - Wordfence Premium, Care, and Response users received a firewall rule to provide added protection against any exploits that may target this vulnerability.
October 15, 2025 - Full disclosure details were sent instantly to the vendor through our Wordfence Vulnerability Management Portal.
October 16, 2025 - The vendor acknowledged the report and began working on a fix.
October 29, 2025 - The fully patched version of the plugin, 3.6.1, was released.
November 14, 2025 - Wordfence Free users will receive the same protection.
Conclusion
In this blog post, we detailed an Account Takeover via Email Log Disclosure vulnerability within the Post SMTP plugin affecting versions 3.6.0 and earlier. This vulnerability makes it possible for unauthenticated threat actors to easily take over websites by resetting the password of any user, including administrators. The vulnerability has been fully addressed in version 3.6.1 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of Post SMTP as soon as possible considering the critical nature of this vulnerability. Our data indicates that attackers have already started targeting this vulnerability and a large campaign will likely start in the next few days.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on October 15, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on November 14, 2025.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.