400,000 WordPress Sites Affected by Account Takeover Vulnerability in Post SMTP WordPress Plugin

On October 11th, 2025, we received a submission for an Account Takeover via Email Log Disclosure vulnerability in Post SMTP, a WordPress plugin with more than 400,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, which allows them to take over the account and the website.

Our data indicates that attackers have already started targeting this vulnerability as early as November 1st, 2025, with over 4,500 attacks already blocked.

Props to netranger who discovered and responsibly reported this vulnerability

Click here to continue reading this article.

István Márton

Author archive

November 4, 2025

Plugins, Research, Vulnerabilities, WordPress Blogs, WordPress Security, WordPress Security News November 2025

Comments are closed.

Up ↑

Your WordPress News Dashboard

400,000 WordPress Sites Affected by Account Takeover Vulnerability in Post SMTP WordPress Plugin

István Márton

Latest posts

Text widget

Sponsored by WP Mayor

Latest posts

Built with WP RSS Aggregator