Exploited ‘Post SMTP’ Plugin Flaw Exposes WordPress Sites to Takeover 

Post SMTP flaw exposes WordPress sites to takeover risk.

A critical vulnerability in the Post SMTP plugin allows attackers to read logged emails, including password resets, enabling full account takeover. The flaw, affecting versions up to 3.6.0, was patched on October 29 but has already seen thousands of exploitation attempts. With over 400,000 installations and only half updated, around 200,000 sites remain exposed. The bug, CVE-2025-11833, was discovered by researcher Netranger, who received a $7,800 bounty.

Read more:

https://www.securityweek.com/exploited-post-smtp-plugin-flaw-exposes-wordpress-sites-to-takeover/