On October 11th, 2025, we received a submission for an Account Takeover via Email Log Disclosure vulnerability in Post SMTP, a WordPress plugin with more than 400,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, which allows them to take over the account and the website.
