
Overview

A new version of the WordPress plugin Post SMTP fixes a critical vulnerability that can allow an unauthenticated attacker to read arbitrary email logs, including password reset messages. This “Complete SMTP Solution” plugin is used by over 400,000 websites, and versions below 3.6.1 are being actively exploited.

  • CVE-2025-11833: WordPress Post SMTP Plugin (CVSSv3 9.8). Affects Post SMTP ≤ 3.6.0

 

Google has disclosed a zero-click remote code execution (RCE) vulnerability in the Android System component. This flaw allows attackers to execute arbitrary code remotely without user interaction or elevated privileges. The vulnerability affects several Android versions and security patches have been released.

  • CVE-2025-48593: Android System Component Remote Code Execution (RCE) (CVSS TBD). Affects Android versions 13, 14, 15 and 16.

 

Microsoft has published details of a remote code execution (RCE) vulnerability in its Chromium-based Edge browser. The medium severity flaw arises from a protection mechanism failure that allows attackers to execute code over a network.

  • CVE-2025-60711: Microsoft Edge (Chromium-based) Remote Code Execution (RCE) (CVSSv3 6.3)

 

Recommended Action

Individuals and organisations are advised to review the appropriate security advisories and apply the relevant patches or update to the latest version.

WordPress - Wordfence Threat Intel

Android - Security Bulletin

Microsoft - Security Update Guide
