On October 11th, 2025, we received a submission for an Account Takeover via Email Log Disclosure vulnerability in Post SMTP, a WordPress plugin with more than 400,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, which allows them to take over the account and the website. We originally published this vulnerability on October 31st, 2025 and our records indicate that attackers started exploiting the issue the next day on November 1st, 2025. It appears mass exploitation started the following day, on November 2nd, 2025. The Wordfence Firewall has already blocked over 10,300 exploit attempts targeting this vulnerability.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on October 15, 2025. Sites using the free version of Wordfence received the same protection 30 days later on November 14, 2025.
Considering this vulnerability is under active attack, we urge users to ensure their sites are updated with the latest patched version of Post SMTP, version 3.6.1 at the time of this writing, as soon as possible.
📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢
📁 The LFInder Challenge: Refine your LFI hunting skills with an expanded scope. Now through November 24, 2025, all LFI vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier, AND earn a 30% bonus on all Local File Inclusion vulnerability submissions not already increased by another promotion.
Vulnerability Details
The root cause is a missing capability check in the email log display function, which allows unauthenticated attackers to view any logged email, including password reset emails. An attacker can turn this into a complete site compromise by triggering a password reset for the site’s administrator user and then reading the password reset email from the log data. With the reset key contained in that email, they can set a new password for that user and log in to the account.
In our blog post linked below, we provided full technical details about the vulnerability:
400,000 WordPress Sites Affected by Account Takeover Vulnerability in Post SMTP WordPress Plugin
A Closer Look at the Attack Data
The following data highlights actual exploit attempts from threat actors targeting this vulnerability.
Example attack request
POST /wp-login.php?action=lostpassword&page=postman_email_log&view=log&log_id=1&print=1 HTTP/1.1
Host: [redacted]
Content-Type: application/x-www-form-urlencoded

user_login=%5Bredacted%5D&redirect_to=&wp-submit=Get New Password
Wordfence Firewall
The following graphic shows the steps an attacker might take to exploit this vulnerability and the point at which the Wordfence firewall would block the attempt.
The Wordfence firewall rule detects the malicious AJAX action and blocks the request if it does not come from an existing authorized administrator.
Total Number of Exploit Attempts Blocked
The Wordfence Firewall has already blocked over 10,300 exploit attempts since the vulnerability was publicly disclosed.
According to our data, attackers started targeting websites the day after the vulnerability was publicly disclosed, on November 1st. We also detected and blocked a large number of exploit attempts on November 2nd and November 6th.
Top Offending IP Addresses
The following IP addresses are currently the most active sources of requests targeting the Post SMTP plugin email log display function:
- 212.59.70.30: over 5,200 blocked requests.
- 85.192.29.68: over 700 blocked requests.
- 95.181.162.6: over 420 blocked requests.
- 185.120.59.204: over 350 blocked requests.
- 196.251.88.101: over 290 blocked requests.
- 141.11.62.221: over 290 blocked requests.
- 196.251.88.226: over 290 blocked requests.
Indicators of Compromise
One clear sign of compromise is an administrator receiving an unexpected password reset email and then being unable to log in with their correct password, since the password may have been changed through this vulnerability, on a site running Post SMTP version 3.6.0 or older. We also recommend checking for newly added malicious administrator accounts, which attackers may create to maintain persistence.
Look for requests in a site’s access log with the following request parameters:
?action=lostpassword&page=postman_email_log&view=log&log_id=1
We also recommend reviewing log files for any requests originating from the following IP addresses:
- 212.59.70.30
- 85.192.29.68
- 95.181.162.6
- 185.120.59.204
- 196.251.88.101
- 141.11.62.221
- 196.251.88.226
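As an added example (not Wordfence code), the following Python script applies both checks above to an access log: it flags requests carrying the `action=lostpassword&page=postman_email_log&view=log` parameter set with any `log_id` value (a slight generalization of the `log_id=1` pattern listed above, since attackers can request other log entries), and separately flags any request from the IP addresses listed. It assumes the Apache/nginx "combined" log format; the sample log lines are constructed for illustration and are not real traffic.

```python
"""
Scan web-server access logs for the Post SMTP email-log request pattern
and for hits from the IP addresses named in the advisory.

Added example, not Wordfence's own tooling. Assumes the common Apache/nginx
"combined" log format. Sample log lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# IP addresses listed in the advisory as the most active attack sources.
KNOWN_BAD_IPS = {
    "212.59.70.30", "85.192.29.68", "95.181.162.6", "185.120.59.204",
    "196.251.88.101", "141.11.62.221", "196.251.88.226",
}

# Query parameters that identify a request for the email log view through
# the lost-password endpoint; log_id is matched as present, any value.
LOG_VIEW_PARAMS = {"action": "lostpassword", "page": "postman_email_log", "view": "log"}

# Minimal parser for the "combined" log format (only the fields we need).
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, query for one log line, or None."""
    m = COMBINED_LOG.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs returns lists; keep the first value of each parameter.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def matches_email_log_probe(rec):
    """True if the query carries the advisory's email-log parameter set."""
    q = rec["query"]
    return all(q.get(k) == v for k, v in LOG_VIEW_PARAMS.items()) and "log_id" in q


def classify(line):
    """Return a hit record for a suspicious line, or None for benign/unparseable lines."""
    rec = parse_line(line)
    if rec is None:
        return None
    reasons = []
    if matches_email_log_probe(rec):
        reasons.append("email_log_probe")
    if rec["ip"] in KNOWN_BAD_IPS:
        reasons.append("known_attacker_ip")
    if not reasons:
        return None
    return {
        "ip": rec["ip"],
        "ts": rec["ts"],
        "path": rec["path"],
        "log_id": rec["query"].get("log_id"),
        "reasons": reasons,
    }


def scan(lines):
    """Classify every line and return only the hits, in log order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


def count_by_ip(hits):
    """Number of flagged requests per source IP."""
    return dict(Counter(hit["ip"] for hit in hits))


# Constructed sample log: one exploit attempt from a listed IP, one from an
# unlisted IP, one ordinary lost-password request, one unrelated hit from a
# listed IP.
SAMPLE_LOG = [
    '212.59.70.30 - - [01/Nov/2025:03:14:07 +0000] "POST /wp-login.php?action=lostpassword'
    '&page=postman_email_log&view=log&log_id=1&print=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Nov/2025:11:02:45 +0000] "POST /wp-login.php?action=lostpassword'
    '&page=postman_email_log&view=log&log_id=7&print=1 HTTP/1.1" 200 4870 "-" "curl/8.4.0"',
    '198.51.100.9 - - [02/Nov/2025:11:05:10 +0000] "GET /wp-login.php?action=lostpassword'
    ' HTTP/1.1" 200 3011 "-" "Mozilla/5.0"',
    '85.192.29.68 - - [06/Nov/2025:08:30:00 +0000] "GET / HTTP/1.1" 200 12000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["path"], "log_id=%s" % hit["log_id"], ",".join(hit["reasons"]))
    print(count_by_ip(scan(SAMPLE_LOG)))
```

Run it against a real log with `scan(open("access.log"))`. A hit tagged `email_log_probe` on a site that ran a vulnerable version is the strongest indicator; a `known_attacker_ip` hit alone only shows that a listed source touched the site, so treat it as a prompt to look at what else that IP requested.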
Conclusion
In today’s article, we covered the attack data for a critical-severity vulnerability in the Post SMTP plugin that allows unauthenticated attackers to easily take over websites by resetting the password of any user, including administrators. Our threat intelligence indicates that attackers may have started actively targeting this vulnerability as early as November 1st, 2025 with mass exploitation starting on November 2nd, 2025. The Wordfence firewall has already blocked over 10,300 exploit attempts targeting this vulnerability.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on October 15, 2025. Sites using the free version of Wordfence received the same protection after the standard 30-day delay on November 14, 2025.
Even if you have already received a firewall rule for this issue we urge you to ensure that your site is updated to at least version 3.6.1 in order to maintain normal functionality. If you have friends or colleagues running Post SMTP, be sure to forward this advisory to them, as thousands of sites could still be unprotected and unpatched.
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.