Researchers at Patchstack have disclosed a critical vulnerability in the widely used Post SMTP plugin for WordPress, one that exposes sites running it to account hijacking and complete site takeover.
Post SMTP is a popular plugin designed to enhance email delivery on WordPress sites, replacing the default email function with more reliable and feature-rich options. With over 400,000 active installations, it’s a trusted tool among developers and site owners.
The flaw, tracked as CVE-2025-24000, affects all versions up to and including 3.2.0. It stems from broken access control in the plugin's REST API endpoints, which handle tasks such as email logging and DNS validation: the permission checks on those endpoints confirm that the caller is logged in, but not that the caller holds an administrative capability.
As a result, any authenticated low-privileged user, a subscriber for example, can read the plugin's email logs. Exploiting this, an attacker could:
- View email logs containing sensitive information
- Trigger a password reset for an administrator and read the reset email, including its reset link, from the log
- Use that link to set a new password and hijack the administrator account
- Ultimately take full control of the site
This means that a malicious actor with limited user privileges could escalate their access and compromise the entire website.
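The bug class behind this advisory is a REST route whose permission callback answers "is anyone logged in?" instead of "is this caller allowed to see email logs?". The following is an added example written for this article, not code from the Post SMTP plugin or from Patchstack: the route namespace, path and the example_get_email_logs() helper are hypothetical, and the constructed log entry is sample data. It shows the weak check beside the hardened one.

```php
<?php
// Added example (not Post SMTP's own code). Route namespace, path and the
// example_get_email_logs() helper are hypothetical.

// Hypothetical data source: a logged email of the kind an attacker wants.
function example_get_email_logs() {
    return array(
        array(
            'to'      => 'admin@example.com',      // constructed sample entry
            'subject' => 'Password Reset Request',
            'body'    => 'Visit the following address to reset your password: ...',
        ),
    );
}

// VULNERABLE: permission_callback only checks that *some* user is logged in.
// A subscriber account satisfies is_user_logged_in() and can read every log.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( example_get_email_logs() );
        },
        'permission_callback' => function () {
            return is_user_logged_in(); // authentication, not authorization
        },
    ) );
} );

// HARDENED: require a capability that only administrators hold, and return a
// proper WP_Error so the API answers 401/403 instead of leaking the logs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/logs-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( example_get_email_logs() );
        },
        'permission_callback' => function () {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to view email logs.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );
```

A quick check for any plugin that exposes logs or settings over the REST API is to log in as a subscriber, obtain a REST nonce from a page that enqueues wp-api-fetch, and issue a GET against the route; a 200 response carrying log data means the permission callback is doing authentication only. The hardened version above ties the check to manage_options, which is the capability WordPress itself uses to gate site-wide administrative screens.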
Site administrators are strongly urged to update to version 3.3.0 immediately. Sites still running the 2.x branch are also affected and do not receive a fix on that branch, so they should be upgraded rather than left on an older release.
Keeping a WordPress site secure is not just a matter of fixing problems when they surface; it takes ongoing attention. Updating plugins and themes promptly is essential, but it is equally important to review user roles and remove accounts that do not need to exist, to watch logs for unusual activity, and to follow trusted security advisories. Favouring plugins from reputable, actively maintained projects makes it more likely that flaws like this one are found and fixed early. Protecting a site is a continuous process that has to adapt as new threats emerge.
Patchstack's official post on the vulnerability has the full findings.