Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App Vulnerability – Missing Authorization to Account Takeover via Unauthenticated Email Log Disclosure – CVE: NA | WordPress Plugin Vulnerability Report
Plugin Name: Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App
Key Information:
Software Type: Plugin
Software Slug: post-smtp
Software Status: Active
Software Author: saadiqbal
Software Downloads: 17,580,355
Active Installs: 400,000
Last Updated: November 1, 2025
Patched Versions: 3.6.1
Affected Versions: ≤ 3.6.0
Vulnerability Details:
Name: Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App ≤ 3.6.0 – Missing Authorization to Account Takeover via Unauthenticated Email Log Disclosure
Type: Missing Authorization to Account Takeover via Unauthenticated Email Log Disclosure
CVE: NA
CVSS Score: 9.8 (Critical)
Publicly Published: October 31, 2025
Researcher: netranger
Description:
The Post SMTP plugin for WordPress is vulnerable to a missing capability check in the plugin’s constructor (__construct) in all versions up to and including 3.6.0. Because the plugin does not verify the requester’s capabilities before serving logged email, unauthenticated attackers can read messages stored or exposed by the plugin’s logging feature. Those messages may include password reset emails containing reset links, which an attacker can follow to set a new password and take over the account. Wordfence detected and blocked 16 attacks targeting this vulnerability in the past 24 hours, indicating active exploitation attempts.
Summary:
The Post SMTP plugin for WordPress has a critical vulnerability in versions up to and including 3.6.0 that allows unauthenticated attackers to read arbitrary logged emails due to a missing capability check. Sensitive emails such as password reset messages can be exposed, enabling account takeover. The issue is patched in version 3.6.1 and sites should update immediately.
Detailed Overview:
This vulnerability stems from inadequate permission validation during plugin initialization. The constructor wired up the plugin’s email-log access paths without verifying that the requester held the required capability, so endpoints or code paths intended for administrators can be reached by unauthenticated requests and return stored email contents. Exposed logged emails may include password reset messages, new-user emails carrying a set-password link, account verification emails, or other sensitive communications. An attacker does not have to wait for a reset email to be sent organically: the lost-password form (wp-login.php?action=lostpassword) is itself unauthenticated, so an attacker can request a reset for a chosen user, read the resulting link out of the log, and use it to set a new password for that account. If the targeted account is an administrator, this leads to full site compromise. The CVSS score of 9.8 reflects that risk (network accessible, no privileges required, no user interaction, and high impact to confidentiality, integrity, and availability). Wordfence reported and blocked multiple exploitation attempts within 24 hours of disclosure, demonstrating active scanning and exploitation in the wild. The developer released version 3.6.1 to add the missing capability checks and secure the plugin’s logging and access points.
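The pattern the overview describes, as an added illustration that is not Post SMTP’s own code: a hypothetical plugin registers a "view mail log" admin-ajax handler from its constructor, first in the vulnerable shape (no authorization anywhere on the path), then hardened. Class, hook, nonce and table names are invented for the example; the add_action, current_user_can, check_ajax_referer and wp_send_json_* calls are WordPress core APIs, so this runs inside WordPress rather than stand-alone.

```php
<?php
/**
 * Added illustration, not Post SMTP's code. A hypothetical plugin exposes a
 * "view mail log" admin-ajax handler from its constructor: first the shape
 * the report describes (no authorization on the handler), then a hardened
 * version. Class, hook, nonce and table names are invented for the example.
 * Runs inside WordPress; add_action/current_user_can/check_ajax_referer/
 * wp_send_json_* are WordPress core APIs.
 */

// --- Vulnerable: anyone, logged in or not, can pull a logged e-mail --------
class Example_Mail_Log_Vulnerable {
    public function __construct() {
        // wp_ajax_nopriv_* fires for anonymous visitors, and WordPress attaches
        // no authorization to a hook itself; the callback is the only place a
        // check can live, and this one has none.
        add_action( 'wp_ajax_example_view_mail_log',        array( $this, 'view_log' ) );
        add_action( 'wp_ajax_nopriv_example_view_mail_log', array( $this, 'view_log' ) );
    }

    public function view_log() {
        global $wpdb;
        $id  = absint( $_GET['id'] ?? 0 );
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT subject, body FROM {$wpdb->prefix}example_mail_log WHERE id = %d", $id
        ), ARRAY_A );
        // body may be a password-reset e-mail with a live wp-login.php?action=rp link
        wp_send_json_success( $row );
    }
}

// --- Hardened: authenticated hook, capability check, nonce, redaction -------
class Example_Mail_Log_Hardened {
    const CAP = 'manage_options'; // administrators only

    public function __construct() {
        // Only the authenticated hook is registered; there is no nopriv path.
        add_action( 'wp_ajax_example_view_mail_log', array( $this, 'view_log' ) );
    }

    public function view_log() {
        // Authorization: refuse anonymous and low-privilege users. wp_send_json_*
        // ends the request, so nothing below runs for them.
        if ( ! current_user_can( self::CAP ) ) {
            wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
        }
        // CSRF: the request must carry a nonce minted for this action.
        check_ajax_referer( 'example_view_mail_log', 'nonce' );

        global $wpdb;
        $id  = absint( $_GET['id'] ?? 0 );
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT subject, body FROM {$wpdb->prefix}example_mail_log WHERE id = %d", $id
        ), ARRAY_A );
        if ( ! $row ) {
            wp_send_json_error( array( 'message' => 'not found' ), 404 );
        }
        // Defence in depth: strip reset keys before the body leaves the server,
        // so even an admin session (or a future bug) does not hand out live links.
        $row['body'] = preg_replace( '~([?&](?:amp;)?key=)[^&\s"<>]+~', '${1}[REDACTED]', $row['body'] );
        wp_send_json_success( $row );
    }
}

// The vulnerable class is shown for contrast only; instantiate the hardened one.
new Example_Mail_Log_Hardened();
```

The admin-side JavaScript that calls the hardened handler must send a `nonce` value produced by `wp_create_nonce( 'example_view_mail_log' )`. If the plugin exposes the log over the REST API instead, the same rule applies to `register_rest_route`: the `permission_callback` must return `current_user_can( 'manage_options' )`; a `permission_callback` of `'__return_true'` is the REST equivalent of registering the `wp_ajax_nopriv_` hook above.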
Advice for Users:
Immediate Action:
Update the Post SMTP plugin to version 3.6.1 or later immediately on all affected sites. If you cannot update immediately, temporarily deactivate the plugin or disable its email logging until you can apply the patch.
Check for Signs of Vulnerability:
Review the plugin’s stored email log for password reset, set-password, or account verification messages whose links could have been read, and compare their timestamps with any password changes you did not expect. Inspect web server access logs for unauthenticated requests to the plugin’s log endpoints, especially from scanners or unfamiliar IP addresses, and for the same addresses subsequently requesting wp-login.php?action=rp. Review the user list for administrator accounts you do not recognise or whose email address changed recently.
Remediation & Mitigations:
After updating, rotate credentials for accounts that may have been exposed (administrators and site maintainers first, then any user who received a password reset email). Resetting a user’s password also clears that user’s pending reset key, so any link still sitting in a log becomes useless. Remove sensitive email content from logs, enforce log redaction and retention policies, and ensure logs are never served publicly. Enable two-factor authentication (2FA) for administrative accounts so that a leaked reset link alone is not enough to take over the account.
Alternate Solutions & Long-Term Recommendations:
If you rely heavily on email logging, consider configuring secure off-site logging with strict access controls or using a third-party SMTP provider’s logs with authenticated access. Adopt a site-wide security posture: keep plugins/themes/core updated, use a web application firewall (WAF), implement activity logging, and enforce least-privilege access for user roles.
Conclusion:
This is a critical-severity, actively exploited vulnerability that can lead directly to account takeover and site compromise. The developer’s patch (version 3.6.1) addresses the missing capability checks; however, because exploitation attempts were observed, immediate updating and post-patch remediation (password resets, log cleaning, and audit) are essential. Small business owners should prioritize patching and consider managed security services if they cannot actively monitor and maintain plugin updates themselves.
Detailed Report:
A critical vulnerability has been disclosed in the popular Post SMTP plugin that affects hundreds of thousands of WordPress sites. Vulnerable versions (≤ 3.6.0) fail to protect email logs, allowing unauthenticated attackers to access sensitive email contents including password reset links. Because such information can be used to hijack accounts, this exploit poses a severe risk to site confidentiality and integrity. If your site uses Post SMTP, update to version 3.6.1 immediately. After updating, audit your site for suspicious activity, rotate exposed credentials, clear or redact logs that contain sensitive data, and strengthen authentication for administrative accounts. For small businesses without dedicated security staff, consider a managed WordPress service that applies updates, monitors logs, and responds to incidents on your behalf. A proactive maintenance plan can prevent vulnerabilities like this from becoming business-critical incidents.
Staying Secure:
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We’ll immediately update any out-of-date plugins and harden your site’s security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.
Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App Vulnerability – Missing Authorization to Account Takeover via Unauthenticated Email Log Disclosure – CVE: NA | WordPress Plugin Vulnerability Report FAQs
What exactly is the Post SMTP vulnerability and why is it critical?
The Post SMTP vulnerability allows unauthenticated users to read logged emails because the plugin did not enforce proper capability checks on the access paths set up in its constructor. These logs can include sensitive messages such as password reset emails containing reset links, and an attacker who follows such a link can take over the account, which is why the issue is rated critical with a CVSS score of 9.8. Exploit attempts have already been observed in the wild (Wordfence reported 16 blocked attacks in 24 hours), so the risk is immediate. Site owners should treat this as an emergency and update the plugin right away.
Which versions are vulnerable and what version fixes it?
All Post SMTP plugin versions up to and including 3.6.0 are affected by this vulnerability. The developer released a patched version, 3.6.1, which adds the missing capability checks and secures access to logged emails. You should update every affected site to 3.6.1 or later as soon as possible. If you cannot update immediately, consider temporarily disabling the plugin until the patch can be applied.
Do I need to reset passwords after updating?
If your logs contained password reset emails or if you suspect any unauthorized access, you should rotate passwords for any potentially affected accounts, starting with administrator accounts. Resetting a password also clears that user’s pending reset key, so any reset link or token still present in an exposed log is rendered useless. Additionally, consider enforcing two-factor authentication (2FA) for privileged accounts to mitigate the risk of takeover even if a reset link had been exposed.
How can I tell if my site was attacked or if sensitive emails were exposed?
Look for unexpected password resets or login attempts in your authentication logs, and review web server access logs for unusual requests to the plugin’s log endpoints, particularly from an IP address that later requests wp-login.php?action=rp. Check the plugin’s stored email log for recent entries that include password reset links or other sensitive content. If you see evidence of unauthorized access or reset links in logs, treat the site as compromised: remove exposed links from logs, rotate credentials, and restore from a clean backup if necessary.
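An added triage script that implements the access-log check in this answer and in "Check for Signs of Vulnerability" above. It is not code from Post SMTP, Wordfence, or this report. The request signatures of the plugin’s log endpoint are placeholders to be replaced with the paths or admin-ajax actions named in the vendor or Wordfence advisory; wp-login.php?action=rp and action=resetpass are WordPress core paths; the log lines are constructed for the demo.

```php
<?php
/**
 * Added triage script, not code from Post SMTP or from this report.
 * It correlates web-server access-log lines to find the chain the report
 * describes: an anonymous read of the plugin's mail-log endpoint followed,
 * from the same IP address, by use of a WordPress password-reset link.
 * Requires PHP 7.4+. Run: php triage.php
 */

// ASSUMPTION: request signatures of the vulnerable log endpoint. These are
// placeholders invented for the example; replace them with the paths or
// admin-ajax actions named in the vendor or Wordfence advisory.
$log_endpoint_indicators = array(
    'action=example_view_mail_log',
    '/wp-json/example/v1/mail-log',
);

// WordPress core: the link in a reset e-mail points at
// wp-login.php?action=rp&key=...&login=..., and the new-password form then
// posts to wp-login.php?action=resetpass.
$reset_indicators = array( 'wp-login.php?action=rp&', 'wp-login.php?action=resetpass' );

$window_seconds = 3600; // a reset this long after the log read is attributed to it

// Constructed sample in combined log format. Not real traffic.
$access_log = <<<'LOG'
203.0.113.7 - - [31/Oct/2025:14:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=example_view_mail_log&id=118 HTTP/1.1" 200 2913 "-" "python-requests/2.31"
203.0.113.7 - - [31/Oct/2025:14:02:12 +0000] "GET /wp-admin/admin-ajax.php?action=example_view_mail_log&id=119 HTTP/1.1" 200 3104 "-" "python-requests/2.31"
203.0.113.7 - - [31/Oct/2025:14:03:40 +0000] "GET /wp-login.php?action=rp&key=f3Q9nX1zKd2pLm0v&login=admin HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [31/Oct/2025:14:03:41 +0000] "POST /wp-login.php?action=resetpass HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.23 - - [31/Oct/2025:14:10:05 +0000] "GET /wp-admin/admin-ajax.php?action=example_view_mail_log&id=120 HTTP/1.1" 403 57 "-" "Mozilla/5.0"
192.0.2.9 - - [31/Oct/2025:15:00:00 +0000] "GET /wp-login.php?action=rp&key=aB3dE5fG7hJ9kL1m&login=editor HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0"
LOG;

// Combined log format: ip ident user [time] "method path proto" status size "ref" "ua"
function parse_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( ! $ts ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $ts->getTimestamp(), 'method' => $m[3],
                  'path' => $m[4], 'status' => (int) $m[5] );
}

function matches_any( string $path, array $needles ): bool {
    foreach ( $needles as $n ) {
        if ( strpos( $path, $n ) !== false ) {
            return true;
        }
    }
    return false;
}

function triage( string $log, array $log_endpoints, array $reset_paths, int $window ): array {
    $by_ip = array();
    foreach ( explode( "\n", trim( $log ) ) as $line ) {
        $r = parse_line( $line );
        if ( $r !== null ) {
            $by_ip[ $r['ip'] ][] = $r;
        }
    }
    $findings = array();
    foreach ( $by_ip as $ip => $reqs ) {
        usort( $reqs, fn( $a, $b ) => $a['time'] <=> $b['time'] );
        $reads     = 0;       // requests to the log endpoint, any status
        $first_200 = null;    // first read that actually returned content
        $chained   = 0;       // resets from this IP shortly after that read
        $targets   = array(); // logins named in those reset links
        foreach ( $reqs as $r ) {
            if ( matches_any( $r['path'], $log_endpoints ) ) {
                $reads++;
                if ( $r['status'] === 200 && $first_200 === null ) {
                    $first_200 = $r['time'];
                }
            } elseif ( $first_200 !== null
                       && matches_any( $r['path'], $reset_paths )
                       && $r['time'] - $first_200 <= $window ) {
                $chained++;
                if ( preg_match( '/[?&]login=([^&\s]+)/', $r['path'], $lm ) ) {
                    $targets[] = rawurldecode( $lm[1] );
                }
            }
        }
        if ( $reads === 0 ) {
            continue; // an ordinary reset with no log access is not this attack
        }
        $findings[ $ip ] = array(
            'log_reads'      => $reads,
            'exposed'        => $first_200 !== null,
            'chained_resets' => $chained,
            'reset_targets'  => array_values( array_unique( $targets ) ),
            'verdict'        => $chained > 0 ? 'likely account takeover'
                              : ( $first_200 !== null ? 'log exposure' : 'blocked probe' ),
        );
    }
    return $findings;
}

foreach ( triage( $access_log, $log_endpoint_indicators, $reset_indicators, $window_seconds ) as $ip => $f ) {
    printf( "%-15s %-24s log_reads=%d exposed=%s chained_resets=%d targets=%s\n",
        $ip, $f['verdict'], $f['log_reads'], $f['exposed'] ? 'yes' : 'no',
        $f['chained_resets'], $f['reset_targets'] ? implode( ',', $f['reset_targets'] ) : '-' );
}
```

To run it over a real log, replace the constructed `$access_log` with `file_get_contents( 'php://stdin' )` and pipe the access log in. Behind a CDN or reverse proxy the first field is the proxy’s address, so log the client IP (for example from X-Forwarded-For) before relying on per-IP correlation. A 403 on the log endpoint after the patch means a probe was refused; a 200 before it means the content was served, and the named logins are the accounts to rotate first.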
What immediate steps should I take if I use Post SMTP on my site?
First, update the plugin to version 3.6.1 immediately. Next, inspect email logs and access logs for signs of exposure or suspicious requests, and remove or redact sensitive log entries. Finally, rotate passwords for administrators and other high-privilege users, enable 2FA where available, and consider additional monitoring to detect any follow-on activity.
Can attackers exploit this without logging in?
Yes. The vulnerability enables unauthenticated attackers to access logged emails because the plugin failed to implement proper capability checks on public access paths. This means an attacker does not need valid credentials to read sensitive logged messages if the site remains unpatched. This unauthenticated access is what makes the bug especially dangerous, and why immediate patching is essential.
Are backups or logs safe to keep as-is after an incident?
No. If logs contain sensitive information such as password reset links, you should remove or redact those entries after documenting the incident. Keeping exposed logs in place risks repeated exploitation, and backups taken before the cleanup still hold the unredacted entries, so protect them with the same access controls or regenerate them. Create sanitized backups once logs and sensitive data are cleaned, and ensure backup storage is secure and access-controlled. Maintain a retention policy that minimizes the window of exposure for sensitive log data.
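An added sweep script for the log cleanup described in this answer and under "Remediation & Mitigations" above; it is not code from the plugin or this report. It finds WordPress reset and set-password links (wp-login.php?action=rp&key=…&login=…, the form WordPress core generates) in stored email bodies, lists the logins whose keys were exposed, and redacts the keys in place. The column names of the sample rows are an assumption, and the rows themselves are constructed. WordPress reset keys expire after one day by default (the password_reset_expiration filter), which the script uses to separate keys that could still complete a reset from ones that only reveal a target account name.

```php
<?php
/**
 * Added example, not the plugin's own code: sweep stored mail-log entries
 * for WordPress password-reset links, list the accounts whose reset keys
 * were exposed, and redact the keys so the stored copy is harmless.
 * Requires PHP 7.4+. Run: php sweep.php
 */

// Constructed sample rows. The column names (id, recipient, subject, body,
// sent_at) are an assumption for the demo; map them to your plugin's schema.
$mail_log = array(
    array(
        'id' => 118, 'recipient' => 'admin@example.org',
        'subject' => '[Example] Password Reset', 'sent_at' => '2025-10-31 13:58:02',
        'body' => "Someone has requested a password reset for the following account:\n"
                . "https://example.org/wp-login.php?action=rp&key=f3Q9nX1zKd2pLm0v&login=admin\n",
    ),
    array(
        'id' => 119, 'recipient' => 'new.editor@example.org',
        'subject' => '[Example] Login Details', 'sent_at' => '2025-10-31 14:00:44',
        'body' => "Username: editor\nTo set your password, visit:\n"
                . "<https://example.org/wp-login.php?action=rp&amp;key=aB3dE5fG7hJ9kL1m&amp;login=editor>\n",
    ),
    array(
        'id' => 120, 'recipient' => 'buyer@example.net',
        'subject' => 'Your order #4412', 'sent_at' => '2025-10-31 14:01:10',
        'body' => "Thanks for your order. Track it at https://example.org/?order=4412\n",
    ),
);

// WordPress core builds reset and set-password links as
// wp-login.php?action=rp&key=<key>&login=<urlencoded login>. HTML bodies may
// carry the separators as &amp;. The key is valid for one day by default
// (password_reset_expiration filter); the login name never expires as a lead.
const RESET_LINK_RE = '~wp-login\.php\?action=rp&(?:amp;)?key=(?<key>[^&\s"<>]+)&(?:amp;)?login=(?<login>[^&\s"<>]+)~';

function find_reset_links( array $entries, int $key_ttl = 86400, ?int $now = null ): array {
    $now  = $now ?? time();
    $hits = array();
    foreach ( $entries as $e ) {
        if ( ! preg_match_all( RESET_LINK_RE, $e['body'], $m, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $m as $link ) {
            $hits[] = array(
                'log_id'    => $e['id'],
                'login'     => rawurldecode( $link['login'] ),
                'recipient' => $e['recipient'],
                // an expired key can no longer complete a reset, but the account
                // still needs review for a reset that may already have happened
                'key_live'  => $link['key'] !== '[REDACTED]'
                               && ( $now - strtotime( $e['sent_at'] ) ) <= $key_ttl,
            );
        }
    }
    return $hits;
}

// Keep the URL shape (useful for forensics) but drop the secret part.
function redact_reset_keys( string $body ): string {
    return preg_replace( '~(wp-login\.php\?action=rp&(?:amp;)?key=)[^&\s"<>]+~', '${1}[REDACTED]', $body );
}

function accounts_to_rotate( array $hits ): array {
    return array_values( array_unique( array_column( $hits, 'login' ) ) );
}

function live_key_count( array $entries, int $now ): int {
    return count( array_filter( find_reset_links( $entries, 86400, $now ), fn( $h ) => $h['key_live'] ) );
}

$now  = strtotime( '2025-10-31 16:00:00' ); // incident time, fixed for the demo
$hits = find_reset_links( $mail_log, 86400, $now );
foreach ( $hits as $h ) {
    printf( "log #%d: reset link for '%s' sent to %s (key %s)\n",
        $h['log_id'], $h['login'], $h['recipient'], $h['key_live'] ? 'still valid' : 'expired' );
}
echo 'rotate passwords for: ', implode( ', ', accounts_to_rotate( $hits ) ), "\n";

// Redact in place, then confirm nothing usable is left in the stored copies.
foreach ( $mail_log as $i => $e ) {
    $mail_log[ $i ]['body'] = redact_reset_keys( $e['body'] );
}
echo 'live reset keys remaining after redaction: ', live_key_count( $mail_log, $now ), "\n";
```

In practice the rows come from the plugin’s log table and the redacted bodies are written back with a prepared UPDATE, or the entries are deleted outright if you do not need them. Rotate the listed accounts with the WordPress admin or `wp user reset-password <login> --skip-email`; setting a new password clears the user’s pending reset key, which is what makes a leaked link useless even if the log copy is missed.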
What long-term changes should I make to prevent similar issues?
Limit the amount of sensitive data stored in logs and implement log redaction and short retention periods for sensitive entries. Ensure all plugins follow least-privilege principles and that public endpoints enforce capability checks and authentication. Consider a managed security service or WAF that can block suspicious access attempts and provide real-time alerts, and run regular security audits and automated vulnerability scans for installed plugins.
If I don’t have time to manage this, what are my options as a small business owner?
Hire a managed WordPress maintenance or security provider to apply critical updates, monitor logs, and respond to incidents on your behalf. Many services offer emergency patching and post-incident cleanup, which is especially valuable for non-technical owners. Alternatively, configure automatic updates for critical plugins and use reputable hosting providers that offer security features and monitoring as part of their managed plans.
Where can I find more information or help applying the patch?
Consult the plugin’s page on the WordPress Plugin Repository for the official update and changelog. Check security advisories from Wordfence or the researcher’s disclosure for technical indicators and mitigation steps. If you need hands-on assistance, reach out to a WordPress professional or your hosting provider’s support team for help updating the plugin, auditing logs, and performing any required remediation.
