Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks


    Karlston

    • 464 views
    • 2 minutes



    More than 200,000 WordPress websites are running a vulnerable version of the Post SMTP plugin that allows attackers to take control of the administrator account.

    Post SMTP is a popular email delivery plugin for WordPress with more than 400,000 active installations. It is marketed as a more reliable and feature-rich replacement for the default 'wp_mail()' function.

    On May 23, a security researcher reported the vulnerability to WordPress security firm Patchstack. The flaw is now tracked as CVE-2025-24000 and received a CVSS score of 8.8 (high severity).

    The security issue affects all versions of Post SMTP up to 3.2.0 and is due to a broken access control mechanism in the plugin's REST API endpoints, which only verified whether a user was logged in, without checking their permission level.

    This means that low-privileged users, such as Subscribers, could access the plugin's email logs, which store the full content of every email the site sent.

    On vulnerable sites, a subscriber could initiate a password reset for an Administrator account, read the reset link from the logged email, and take over the account.

    [Image: The vulnerable code. Source: Patchstack]

    The plugin’s developer, Saad Iqbal, was informed about the flaw and responded with a fix for Patchstack to review on May 26.


    The solution was to incorporate additional privilege checks in the ‘get_logs_permission’ function that would validate a user’s permissions before giving access to sensitive API calls.
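    The following is an added illustration of the bug class described above, not Post SMTP's own code: a WordPress REST route whose permission callback only checks login state, shown next to a hardened callback that requires an administrator capability. The route namespace, function names, the 'example_smtp_logs' option used as log storage, and the choice of the 'manage_options' capability are assumptions for the example; the page does not state which capability the real 3.3.0 fix checks.

```php
<?php
// Added example (not the plugin's code). Demonstrates a REST permission_callback
// that confuses authentication with authorisation, and the corrected form.

add_action( 'rest_api_init', function () {
    // VULNERABLE pattern: any logged-in user, including a Subscriber, passes.
    register_rest_route( 'example-smtp/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_get_logs',
        'permission_callback' => 'example_smtp_get_logs_permission_vulnerable',
    ) );

    // HARDENED pattern: access is tied to a capability, not to login state.
    register_rest_route( 'example-smtp/v1', '/logs-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_get_logs',
        'permission_callback' => 'example_smtp_get_logs_permission',
    ) );
} );

/**
 * Broken check: is_user_logged_in() answers "who is this?" but never
 * "may this role read administrator-only data?". A Subscriber account
 * created through open registration satisfies it.
 */
function example_smtp_get_logs_permission_vulnerable( WP_REST_Request $request ) {
    return is_user_logged_in();
}

/**
 * Corrected check: email logs can contain password-reset links, so gate them
 * behind the same capability that guards the plugin's admin screens.
 * 'manage_options' is assumed here; it is the capability granted to Administrators.
 */
function example_smtp_get_logs_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view email logs.' ),
            // 401 for anonymous callers, 403 for authenticated but unauthorised ones.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

/**
 * Handler shared by both routes. Log storage in an option is hypothetical;
 * the point is that the handler itself performs no access check, so the
 * permission_callback is the only gate in front of the sensitive data.
 */
function example_smtp_get_logs( WP_REST_Request $request ) {
    $logs = get_option( 'example_smtp_logs', array() );
    return rest_ensure_response( array_values( (array) $logs ) );
}
```

    With the vulnerable route, a Subscriber with a valid REST nonce or application password receives the full log array from GET /wp-json/example-smtp/v1/logs; with the hardened route the same request returns a 403 'rest_forbidden' error. When auditing a plugin for this pattern, grep for 'permission_callback' and treat any callback that returns is_user_logged_in() or '__return_true' for data-reading routes as a finding.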

    The fix was incorporated into Post SMTP version 3.3.0, which was published on June 11.

    Download statistics on WordPress.org show that less than half of the plugin's user base (48.5%) has updated to version 3.3.0, meaning that more than 200,000 websites remain vulnerable to CVE-2025-24000.

    A notable 24.2%, corresponding to 96,800 sites, still run Post SMTP versions from the 2.x branch, which is affected by additional security flaws, leaving them open to attacks.

     

    Source


    Hope you enjoyed this news post.

    Posted Sunday 27 July 2025 at 1:14 pm AEST (my time).

    News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

    RIP Matrix | Farewell my friend  

