Attention WordPress Users! A significant security vulnerability has been uncovered in the widely-used Post SMTP plugin, jeopardizing the safety of over 200,000 WordPress websites from potential hijacking by malicious attackers.
The Post SMTP plugin, preferred by many for its enhanced reliability and rich features, is installed on more than 400,000 active websites. It serves as a robust alternative to the default wp_mail() function, providing users with reliable email-sending capabilities.
This alarming security flaw, identified as CVE-2025-24000, was reported to PatchStack on May 23 and carries a high severity score of 8.8.
All versions of the plugin up to 3.2.0 are affected. The issue stems from a broken access control within the plugin’s REST API, which fails to adequately verify user roles. As a result, even users with the lowest privileges, such as Subscribers, can access complete email logs on the site.
This means that an attacker could exploit a simple subscriber account to initiate a password reset for an Administrator, view the email logs to retrieve the reset email, and use that link to change the admin password, ultimately seizing control of the entire site.
Fortunately, the plugin developer, Saad Iqbal, was promptly alerted about the issue and worked diligently to create a fix. On May 26, a patch was reviewed by PatchStack, which introduced proper permission checks to ensure that only authorized users can access sensitive API features, including email logs. This vital fix was rolled out in version 3.3.0, released on June 11.
Despite the availability of this crucial update, less than half of the plugin users have transitioned to the secure version. Currently, approximately 48.5% have upgraded, leaving over 200,000 sites still vulnerable. Alarmingly, around 96,800 sites continue to operate on version 2.x of the plugin, which harbors even greater security risks.
If you currently utilize the Post SMTP plugin, it is imperative that you check your version immediately. Upgrade to version 3.3.0 or later to safeguard your site against this vulnerability. Additionally, take the time to review your user roles and email log access settings to ensure that sensitive data remains secure.
