CVE-2025-24000: Post SMTP Vulnerability & Admin Takeover of WordPress Sites


A security vulnerability in the popular Post SMTP plugin for WordPress has left over 200,000 websites exposed to potential hijacking attacks. The flaw, tracked as CVE-2025-24000, allows attackers to take over administrator accounts on affected websites, putting entire sites under their control.

With more than 400,000 active installations, Post SMTP is widely used as an enhanced alternative to the built-in wp_mail() function in WordPress. It offers more reliable and feature-rich email delivery capabilities, which is why it’s favored by developers and site owners alike.

However, a broken access control mechanism in older versions of the plugin has now made it a serious security liability.

The vulnerability was first discovered on May 23, 2025, by a security researcher, who reported it to the WordPress security firm Patchstack. According to their analysis, all versions of Post SMTP up to and including 3.2.0 are affected.

The core issue lies in how the plugin’s REST API endpoints handle permissions. The permission check only verifies that the caller is logged in; it never checks the user’s role or capabilities.

This means that even the lowest-privileged users, such as Subscribers (who normally have almost no access), can read sensitive data such as the plugin’s email logs, which store the full content of every email the site has sent.

In practical terms, here’s how an attacker could exploit this bug:

  1. Log in as a low-privileged user (e.g., a Subscriber).

  2. Use the plugin’s broken API to access email logs.

  3. Initiate a password reset request for the Administrator account.

  4. Intercept the password reset email from the logs.

  5. Use the reset link to gain full control of the site.

In this scenario, the attacker does not start with administrator access; the broken access control hands them a route to full site takeover with very little effort.

After being notified, the plugin’s developer Saad Iqbal responded quickly and worked with PatchStack to develop a fix. By May 26, a corrected version of the code was submitted for review, and the updated Post SMTP 3.3.0 was officially released on June 11, 2025.

The patch corrects the get_logs_permission function by adding a proper user capability check, so that only authorized users can reach the email logs and the related REST API endpoints.
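To make the defect concrete, here is an added example (not Post SMTP’s own code) of a WordPress REST route whose permission callback only checks for a logged-in user, placed beside a hardened callback that also requires an administrator capability; the route name, the my_plugin_ prefix and the use of manage_options are assumptions for illustration.

```php
<?php
// Added example, not code from the Post SMTP plugin. The route name and
// my_plugin_ prefix are placeholders chosen for this illustration.

// Vulnerable pattern: any authenticated user passes, Subscribers included.
// This is the class of check described in the article.
function my_plugin_logs_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened pattern: still require a login, then require a capability that
// only Administrators hold by default (manage_options is an assumption
// about which capability a plugin author would pick).
function my_plugin_logs_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to read email logs.',
            array( 'status' => 403 )
        );
    }
    return true;
}

// Handler returning the stored log entries. The entry below is a
// constructed placeholder standing in for the plugin's real log table.
function my_plugin_get_logs( WP_REST_Request $request ) {
    $logs = array(
        array( 'to' => 'admin@example.com', 'subject' => 'Password reset' ),
    );
    return rest_ensure_response( $logs );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'my-plugin/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'my_plugin_get_logs',
        // Use the hardened callback; the _weak variant is the bug.
        'permission_callback' => 'my_plugin_logs_permission',
    ) );
} );
```

When auditing a plugin, look at every register_rest_route call and confirm its permission_callback checks a capability with current_user_can(), not merely is_user_logged_in().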

Despite the fix being available for more than a month, download statistics on WordPress.org reveal a concerning trend: only 48.5% of users have updated to version 3.3.0. That means more than 200,000 websites are still running vulnerable versions of Post SMTP.

Even more alarming, 24.2% of users — around 96,800 sites — are still on Post SMTP 2.x, which is not only vulnerable to CVE-2025-24000 but also susceptible to other known security issues.


If you’re using the Post SMTP plugin on your WordPress site, take immediate action:

Update the Plugin

Ensure your site is running Post SMTP version 3.3.0 or later. This update includes the patch that fixes the critical security flaw.

Audit User Roles

Check your WordPress user roles to ensure that there are no unnecessary Subscriber or low-privileged accounts. Remove or restrict access where needed.

Monitor Email Logs

If you suspect your site may have been compromised, review Post SMTP’s email logs and your site’s activity for anything suspicious, especially password reset requests that no legitimate user initiated.

Use Security Plugins

Consider using a WordPress security plugin like Wordfence or Sucuri to detect vulnerabilities, block attacks, and monitor unauthorized changes.

This incident highlights how even widely trusted plugins can introduce serious vulnerabilities if not properly maintained. For businesses and bloggers relying on WordPress, staying on top of plugin updates and security best practices is no longer optional — it’s essential.

Unpatched plugins are a major attack vector for WordPress sites. The Post SMTP flaw is particularly dangerous because it allows a user with minimal permissions to escalate privileges and completely hijack the site.

The CVE-2025-24000 vulnerability in Post SMTP is a stark reminder of the risks of outdated plugins. With over 200,000 WordPress websites still exposed, attackers could easily exploit this flaw to steal data, deface websites, or inject malicious content.

If you’re a WordPress site owner or administrator, update your plugins today and implement a regular security audit routine. A simple update could save your site from a complete compromise.
