Home » Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks
Security

Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks

by Wikdaily
written by Wikdaily 0 comments
Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks

More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account.

Post SMTP is a popular email delivery plugin for WordPress that counts more than 400,000 active installations. It’s marketed as a replacement of the default ‘wp_mail()’ function that is more reliable and feature-rich.

On May 23, a security researcher reported the vulnerability to WordPress security firm PatchStack. The flaw is now identified as CVE-2025-24000 and received a medium severity score of 8.8.

The security issue affects all versions of Post SMTP up to 3.2.0 and is due to a broken access control mechanism in the plugin’s REST API endpoints, which only verified if a user was logged in, without checking their permission level.

This means that low-privileged users, such as Subscribers, could access email logs containing full email content.

On vulnerable sites, a subscriber could initiate a password reset for an Administrator account, intercept the reset email via the logs, and gain control of the account.

The vulnerable code
Source: PatchStack

The plugin’s developer, Saad Iqbal, was informed about the flaw and responded with a fix for Patchstack to review on May 26.

The solution was to incorporate additional privilege checks in the ‘get_logs_permission’ function that would validate a user’s permissions before giving access to sensitive API calls.

The fix was incorporated into Post SMTP version 3.3.0, which was published on June 11.

Download statistics on WordPress.org show that less than half of the plugin’s user base (48.5%) has updated to version 3.3. This means that more than 200,000 websites are vulnerable to CVE-2025-24000.

A notable 24.2%, corresponding to 96,800 sites, still run Post SMTP versions from the 2.x branch, which is vulnerable to additional security flaws, leaving them open to attacks.

Contain emerging threats in real time – before they impact your business.

Learn how cloud detection and response (CDR) gives security teams the edge they need in this practical, no-nonsense guide.

Get the Guide

You Might Also Like

You may also like

Allianz Life confirms data breach impacts majority of 1.4 million customers

ToolShell attacks hit organizations worldwide

Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access

Microsoft lifts Windows 11 update block for Easy Anti-Cheat users

Overcoming Risks from Chinese GenAI Tool Usage

The role of the cybersecurity PM in incident-driven development

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

Welcome to WikDaily, your trusted source for the latest news, trends, and insights across the globe. We are a dynamic blog-style news platform committed to delivering fast, accurate, and engaging content across a variety of topics—from breaking headlines to deep dives into tech, business, entertainment, travel, sports, and more.

Facebook Instagram X-twitter

Useful Links

Edtior's Picks

‘Fantasist’ promised music stars for festival that never happened
LA Sparks’ Cameron Brink nears return after 13-month ACL recovery
Should Wyoming authorize additional nuclear waste sites?

Latest Articles

‘Fantasist’ promised music stars for festival that never happened
LA Sparks’ Cameron Brink nears return after 13-month ACL recovery
Should Wyoming authorize additional nuclear waste sites?
Claressa Shields Vs. Lani Daniels Results, Highlights And Reactions

wikdaily 2025. Designed and Developed by Pro