More than 200,000 WordPress websites are running a vulnerable version of the Post SMTP plugin that allows attackers to take control of the administrator account.
Post SMTP is a popular email delivery plugin for WordPress with more than 400,000 active installations. It is marketed as a replacement for the default ‘wp_mail()’ function that is more reliable and feature-rich.
On May 23, a security researcher reported the vulnerability to WordPress security firm Patchstack. The flaw is now tracked as CVE-2025-24000 and received a medium severity rating of 8.8.
The security issue affects all versions of Post SMTP up to 3.2.0 and stems from a broken access control mechanism in the plugin’s REST API endpoints, which only verified whether a user was logged in, without checking their permission level.
This means that low-privileged users, such as Subscribers, could access email logs containing full email content.
On vulnerable sites, a subscriber could initiate a password reset for an Administrator account, intercept the reset email through the logs, and take control of the account.
The plugin’s developer, Saad Iqbal, was informed of the flaw and responded with a fix for Patchstack to review on May 26.
The solution was to add further privilege checks in the ‘get_logs_permission’ function that validate a user’s permissions before granting access to sensitive API calls.
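To make the broken-access-control pattern concrete, here is an added example (not Post SMTP’s own code, and not a reproduction of its ‘get_logs_permission’ fix) showing a WordPress REST route whose permission callback only checks for a logged-in user, beside a hardened callback that also requires an administrator-level capability. The route namespace, function names and the ‘manage_options’ capability choice are assumptions made for illustration.

```php
<?php
// Added illustrative example, not code from the Post SMTP plugin.
// It shows why "is the user logged in?" is not an authorization check for a
// REST endpoint that exposes sensitive data such as stored email logs.

// Weak pattern: any authenticated user passes, including a Subscriber.
function example_logs_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened pattern: authentication first, then an explicit capability check.
// 'manage_options' is a core WordPress capability held by Administrators;
// which capability a real plugin should require depends on its own role model.
function example_logs_permission_hardened( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to read email logs.',
            array( 'status' => 403 )
        );
    }
    return true;
}

// Placeholder handler: a real implementation would read the stored logs.
function example_get_logs( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'logs' => array() ) );
}

add_action( 'rest_api_init', function () {
    // Hypothetical namespace and route, chosen for this example only.
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_logs',
        // Swap in example_logs_permission_weak here to reproduce the
        // "logged in is enough" behaviour described in the article.
        'permission_callback' => 'example_logs_permission_hardened',
    ) );
} );
```

Returning a WP_Error with an explicit 401 or 403 status from the permission callback lets WordPress answer the request before the route callback ever runs, so the log data is never built for a caller who is not entitled to it. When auditing a plugin, the permission_callback of every register_rest_route call is the first place to look for this class of flaw.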
The fix was incorporated into Post SMTP version 3.3.0, which was published on June 11.
Statistics on WordPress.org show that less than half of the plugin’s user base (48.5%) has updated to version 3.3. This means that more than 200,000 websites are vulnerable to CVE-2025-24000.
A significant 24.2%, corresponding to 96,800 websites, still run Post SMTP versions from the 2.x branch, which is vulnerable to additional security flaws, leaving them open to attacks.