On October 11th, 2025, a vulnerability in Post SMTP, a WordPress plugin with more than 400,000 active installations, was announced.
This vulnerability makes it possible for an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, which allows them to take over the account and the website.
We urge users to update their sites with the latest patched version of Post SMTP, version 3.6.1 at the time of this publication, as soon as possible, as active exploitation has already started and we expect the campaign to pick up soon.
Source: Wordfence
Tuesday, November 4, 2025
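A quick way to act on the advisory is to confirm which Post SMTP release each site actually runs before assuming it is patched. The script below is an added example written for this page, not Wordfence's or the plugin's own code: it reads the standard WordPress plugin header (the `Version:` line in the comment block at the top of the plugin's main file) and compares it with the 3.6.1 release the advisory names. The plugin file path `post-smtp/postman-smtp.php` is an assumption; check the filename on your own install. The sample headers at the bottom are constructed for demonstration.

```python
"""Check whether an installed copy of the Post SMTP WordPress plugin is at or
above the patched release named in the advisory (3.6.1)."""
import re
from pathlib import Path

FIXED_VERSION = "3.6.1"  # patched release named in the advisory

# Assumption: the plugin's main file lives at wp-content/plugins/post-smtp/postman-smtp.php.
# Verify the filename on your own install; any file carrying the plugin header works.
PLUGIN_MAIN_FILE = "post-smtp/postman-smtp.php"

# Matches the 'Version:' field of a WordPress plugin header, e.g. " * Version: 3.6.1".
_VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn '3.6.1' or '3.5.0-rc1' into (3, 6, 1) / (3, 5, 0) so versions compare numerically,
    not as strings (string comparison would rank '3.6.10' below '3.6.1')."""
    parts = re.findall(r"\d+", text.split("-")[0])
    return tuple(int(p) for p in parts)


def plugin_version(header_text: str):
    """Extract the Version: field from a WordPress plugin header block, or None if absent."""
    m = _VERSION_HEADER.search(header_text)
    return m.group(1) if m else None


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed release."""
    return parse_version(version) >= parse_version(fixed)


def check_install(wp_root: str) -> dict:
    """Read the plugin header under a WordPress root directory and report its status."""
    path = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_MAIN_FILE
    if not path.is_file():
        return {"installed": False, "version": None, "patched": None}
    # WordPress itself only reads the first 8 KiB of the file for header fields; do the same.
    head = path.read_text(encoding="utf-8", errors="replace")[:8192]
    version = plugin_version(head)
    return {"installed": True, "version": version,
            "patched": is_patched(version) if version else None}


# Constructed sample headers (not taken from the real plugin) used for demonstration.
SAMPLE_VULNERABLE = """<?php
/**
 * Plugin Name: Post SMTP
 * Version: 3.5.0
 */
"""
SAMPLE_PATCHED = """<?php
/**
 * Plugin Name: Post SMTP
 * Version: 3.6.1
 */
"""

if __name__ == "__main__":
    for label, sample in (("sample-old", SAMPLE_VULNERABLE), ("sample-new", SAMPLE_PATCHED)):
        v = plugin_version(sample)
        print(f"{label}: version {v}, patched={is_patched(v)}")
    # Point check_install at a real WordPress root, e.g. check_install("/var/www/html")
```

Run `check_install("/path/to/wordpress")` against each site root; a result of `patched: False` means the site is on a release older than 3.6.1 and should be updated immediately given the active exploitation the advisory reports. On hosts with WP-CLI, `wp plugin get post-smtp --field=version` reports the same value and is a good cross-check.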
