- Older versions of Post SMTP allowed hackers to read all emails
- They could also reset the admin password and read the notification email, gaining access to the account
- More than 160,000 WordPress sites are running the vulnerable version
A popular WordPress plugin with hundreds of thousands of active installations carried a vulnerability that allowed threat actors to take over compromised websites, experts have warned.
The plugin is called Post SMTP, a tool that replaces WordPress’s default email function with an authenticated SMTP method, and currently counts more than 400,000 active installations.
Security researchers PatchStack warned an access control mechanism in the plugin’s REST API endpoint was broken, only verifying if a user was logged in, and not checking whether they had permissions to do certain actions, or not. As a result, low-privileged users were allowed access to email logs with full email contents, meaning they were allowed to initiate a password reset for the admin account, view that email, and then log in as the admin, essentially taking over the site.
Patching the bug
The bug was first spotted on May 23, and by May 26, it was already assigned a CVE and a severity score – being tracked as CVE-2025-24000, with a medium severity score of 8.8/10.
Looking at the download statistics on WordPress.org, 59.8% of all Post SMTP installations are running versions 3.1 and newer, meaning 40.2% of sites are still vulnerable.
Since the plugin has more than 400,000 active installations, it means around 160,000 websites can still be taken over using this method.
WordPress is the most popular website builder in the world, powering more than half of all sites on the internet and as such, is a popular target for cybercriminals.
However, since WordPress is generally considered a secure platform, crooks are focused on plugins and themes which don’t have the same level of security or support.
That is why most cybersecurity professionals recommend only keeping the plugins and themes that are in use, and always making sure they are up to date.
This issue was fixed in version 3.3.0, published on June 11, 2025, so users should update as soon as possible to ensure they stay protected.
Via BleepingComputer
