Serious flaws in the Post SMTP plugin put over 200,000 WordPress websites at risk of being hijacked. This plugin currently has over 400,000 installations, and is used to replace the default wp_mail() mail function to ensure stable mail delivery and more functionality.


The vulnerability was assigned the identifier CVE-2025-24000 with a CVSS score of 8.8. The problem stems from a flaw in the access control of the plugin's REST API endpoints, the interface through which the plugin talks to the WordPress system. Rather than checking the user's permissions before allowing access to sensitive functions, the endpoint only confirms that the user is logged in. This means that even very low-privilege accounts such as Subscriber, which are only allowed to read articles and edit their own profile, can access the plugin's email logs.

The danger is that these logs store not only basic information, such as the subject line or when the email was sent, but also the entire contents of each email. Attackers can use the vulnerability to secretly monitor internal emails, including password reset messages. With a low-level account and a few simple operations, an attacker can request a password reset for the admin account and then read the reset message in the log. They can then take control of the website without having to get past any additional protections. This is a simple yet effective attack that looks perfectly legitimate to the system.


After receiving a report from the security community, plugin developer Saad Iqbal quickly worked with security firm Patchstack to resolve the issue. The patch was released in Post SMTP version 3.3.0 on June 11. This update adds a user capability check to the get logs permission function, preventing unauthorized accounts from accessing sensitive data such as email logs.
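The pattern the article describes, shown in WordPress REST API terms as an added illustration rather than the Post SMTP plugin's own code: the weak permission callback only asks whether the caller is logged in, while the fixed one requires a capability that a Subscriber does not hold. Route, function and capability names here are hypothetical assumptions, not identifiers from the plugin.

```php
<?php
// Added illustration, not code from the Post SMTP plugin. Route and function
// names are hypothetical; only the permission-check pattern follows the article.

// WEAK: any authenticated user, including a Subscriber, passes this check,
// so every logged-in account can read the stored email bodies.
function example_weak_logs_permission( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// FIXED: require an administrator-level capability. 'manage_options' is held
// only by administrators in a default WordPress install; Subscribers have 'read'.
function example_fixed_logs_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to read email logs.', 'example' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

// Handler for the (hypothetical) log-listing route. A real plugin would read
// entries from its own storage here; this placeholder returns an empty list.
function example_get_email_logs( WP_REST_Request $request ) {
    return rest_ensure_response( array() );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/email-logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_email_logs',
        // Swap in example_weak_logs_permission to reproduce the flawed behaviour.
        'permission_callback' => 'example_fixed_logs_permission',
    ) );
} );
```

When auditing a plugin for this class of bug, look at every register_rest_route() call and confirm its permission_callback checks a capability (current_user_can) rather than just is_user_logged_in() or __return_true.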

However, the actual situation shows that the danger remains very great. Statistics from WordPress.org show that only about 48.5% of users have upgraded to a secure version. More than 200,000 websites still run vulnerable versions, leaving them exploitable from low-privilege accounts. Of note, about 96,800 of these websites are still running 2.x versions. These are very old releases affected not only by CVE-2025-24000 but also by many other security issues that have never been fixed.

This represents a huge threat lurking quietly in the WordPress community. Many websites are still not up to date, despite the availability of patches. This unintentionally creates an "open door" for attackers, especially campaigns that take over administration from low-level accounts. In the face of increasingly common and sophisticated cyberattacks, delaying software updates for even a short time can come at the expense of a website's reputation, data, and overall operations.

According to Bleeping Computer