A critical vulnerability has been identified in The Post SMTP WordPress plugin, assigned CVE-2025-11833 with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to access sensitive data, such as email credentials and logs, by exploiting a missing security check within the plugin. Successful exploitation could lead to a significant data breach and compromise of the affected website's email communication.

The vulnerability exists due to a missing capability check in the __construct method of a specific class within the plugin. An unauthenticated attacker can send a crafted request to the WordPress site, which instantiates this class. Because the constructor method, which is automatically executed upon object creation, fails to verify if the user has the appropriate permissions, it proceeds to execute functions that expose sensitive information, such as stored SMTP credentials, API keys, or email logs.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a severe impact on the business, leading to the compromise of confidential information. Potential consequences include the theft of email server credentials, allowing an attacker to send emails on behalf of the organization for phishing or spam campaigns. Furthermore, the exfiltration of email logs could result in a major data breach, exposing private communications, customer data (PII), password reset information, and other sensitive details, leading to significant reputational damage and potential regulatory fines.

Immediate Action:

• Immediately update "The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App" plugin to the latest patched version provided by the vendor.
• Review server and application access logs for any signs of exploitation, such as unusual requests to plugin-specific files or endpoints.
• Rotate any credentials or API keys stored within the plugin as a precautionary measure.

Proactive Monitoring:

• Log Analysis: Scrutinize web server access logs for direct POST or GET requests to the plugin's PHP files, particularly those that do not follow a normal user workflow. Pay close attention to requests from untrusted IP addresses.
• System Integrity: Monitor WordPress for the creation of unauthorized administrator accounts or unexpected changes to plugin files.
• Network Traffic: Monitor for anomalous outbound SMTP traffic from your web server, which could indicate that stolen credentials are being used.

Compensating Controls:

• Web Application Firewall (WAF): If immediate patching is not feasible, implement a virtual patch or a custom WAF rule to block requests attempting to trigger the vulnerable class constructor.
• Access Restriction: Limit direct access to plugin files via web server configuration (e.g., .htaccess or nginx rules).
• IP Whitelisting: Restrict access to the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses only.

Public Exploit Available: false

Given the critical severity (CVSS 9.8) of this vulnerability and the high risk of sensitive data exfiltration, immediate remediation is strongly recommended. Organizations must prioritize applying the vendor-supplied patch across all affected WordPress installations without delay. If patching is not immediately possible, the compensating controls listed above should be implemented as a temporary mitigation. Although this vulnerability is not currently on the CISA KEV list, its severity makes it a prime candidate for inclusion, and organizations should treat it with the highest urgency to prevent compromise.