cleantalk
Vulnerabilities and Security Researches

POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications, CVE-2025-12887

CVE, Research URL

CVE-2025-12887

Home page URL

Security reports for POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications

Application

POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications

Published on
Dec 03, 2025
Research Description
The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user is authorized to update OAuth tokens on the 'handle_gmail_oauth_redirect' function. This makes it possible for authenticated attackers, with subscriber level access and above, to inject invalid or attacker-controlled OAuth credentials. CVE-2025-67563 appears to be a duplicate of this issue.
Affected versions
max 3.6.2.
Status
vulnerable
Previous vulnerability researches
Backup, Restore and Migrate WordPress Sites With the XCloner Plugin (CVE-2014-8605) , Jun 06, 2024
Backup, Restore and Migrate WordPress Sites With the XCloner Plugin (CVE-2014-8603) , Jun 06, 2024
Backup, Restore and Migrate WordPress Sites With the XCloner Plugin (CVE-2015-4336) , Jun 06, 2024
Backup, Restore and Migrate WordPress Sites With the XCloner Plugin (CVE-2015-4338) , Jun 06, 2024
Backup, Restore and Migrate WordPress Sites With the XCloner Plugin (CVE-2014-2340) , Jun 06, 2024
New vulnerability
All-in-One Video Gallery (CVE-2023-33999) , Jun 13, 2026
TempTool [Show Current Template Info] (CVE-2023-33999) , Jun 13, 2026
Tweaker for Ninja Foms emails (CVE-2023-33999) , Jun 13, 2026
Custom WooCommerce Checkout Fields Editor (CVE-2023-33999) , Jun 13, 2026
Elementor Stripe Payment (CVE-2023-33999) , Jun 13, 2026