Scrape Timestamp (UTC): 2025-07-26 14:20:34.171
Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks

More than 200,000 WordPress websites are running a vulnerable version of the Post SMTP plugin that allows attackers to take control of the administrator account.

Post SMTP is a popular email delivery plugin for WordPress with more than 400,000 active installations. It is marketed as a more reliable and feature-rich replacement for the default ‘wp_mail()’ function.

On May 23, a security researcher reported the vulnerability to WordPress security firm Patchstack. The flaw is now tracked as CVE-2025-24000 and received a medium severity score of 8.8.

The issue affects all versions of Post SMTP up to 3.2.0 and is caused by a broken access control mechanism in the plugin’s REST API endpoints, which only verified whether a user was logged in, without checking their permission level. As a result, low-privileged users, such as Subscribers, could access email logs containing full email content.

On vulnerable sites, a subscriber could initiate a password reset for an Administrator account, read the reset email from the logs, and gain control of the account.

The plugin’s developer, Saad Iqbal, was informed about the flaw and submitted a fix for Patchstack to review on May 26. The fix adds privilege checks to the ‘get_logs_permission’ function so that a user’s permissions are validated before sensitive API calls are allowed. It was incorporated into Post SMTP version 3.3.0, published on June 11.

Download statistics on WordPress.org show that less than half of the plugin's user base (48.5%) has updated to version 3.3, meaning that more than 200,000 websites remain vulnerable to CVE-2025-24000. A notable 24.2%, corresponding to 96,800 sites, still run Post SMTP versions from the 2.x branch, which is affected by additional security flaws, leaving them open to attacks.
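The root cause described above is a REST API permission callback that only confirms the caller is authenticated. The following is an added illustration written for this page, not the Post SMTP plugin's actual code: a hypothetical log-reading route with the weak check beside a hardened one. The namespace `example-mailer/v1`, the route `/logs`, the function names and the option key `example_mailer_logs` used as log storage are all assumptions; the WordPress functions (`register_rest_route`, `is_user_logged_in`, `current_user_can`, `WP_Error`) are real.

```php
<?php
// Added illustration for CVE-2025-24000's root cause; not the plugin's own code.
// Route names, function names and the option key are made up for this example.

// Weak pattern: any authenticated account, including a Subscriber, passes.
// This is the class of check the article says the vulnerable versions used.
function example_get_logs_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened pattern: require a capability that Subscribers do not have.
// 'manage_options' is granted to Administrators (and Super Admins) only.
function example_get_logs_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to view mail logs.',
            array( 'status' => 401 )
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You do not have permission to view mail logs.',
            array( 'status' => 403 )
        );
    }
    return true;
}

// Handler: returns stored log rows. Storage in an option is assumed here;
// the point of the example is the permission_callback, not the storage.
function example_get_logs( WP_REST_Request $request ) {
    $logs = get_option( 'example_mailer_logs', array() );
    return rest_ensure_response( array( 'logs' => $logs ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_logs',
        // Swap in example_get_logs_permission_weak to reproduce the flawed check.
        'permission_callback' => 'example_get_logs_permission',
    ) );
} );
```

When reviewing a plugin for this bug class, look at every `register_rest_route` call and confirm the `permission_callback` checks a capability (or object ownership) rather than just `is_user_logged_in()`. Since WordPress 5.5 a route registered without any `permission_callback` triggers a `_doing_it_wrong` notice, but a callback that merely tests for a logged-in session is not flagged, so it has to be caught by review.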
Daily Brief Summary
A security flaw in the Post SMTP plugin for WordPress, affecting over 200,000 sites, enables hijacking of administrator accounts.
Post SMTP, which replaces the default wp_mail() function, boasts over 400,000 installations but has a critical vulnerability identified as CVE-2025-24000.
The vulnerability, due to inadequate access control in the plugin's API, allows even low-privileged users to view and exploit email logs.
Subscribers can exploit the flaw to perform password resets for administrators, intercepting reset emails and gaining unauthorized access.
The vulnerability was reported to Patchstack by a security researcher on May 23, and a fix was issued in version 3.3.0 of the plugin on June 11.
Despite the release of the patched version, only 48.5% of users have updated, leaving many sites exposed to potential security breaches.
Older versions, especially from the 2.x branch, are still in use on nearly 100,000 sites, posing additional security risks.