
Critical SMTP Plugin Flaw Puts 200K WordPress Sites at Risk

Summary

– Over 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin, exposing them to administrator account takeovers.
– The vulnerability (CVE-2025-24000) affects all Post SMTP versions up to 3.2.0 due to insufficient access control in REST API endpoints.
– Low-privileged users, like Subscribers, could exploit the flaw to access email logs and hijack Administrator accounts via password resets.
– The developer released a fix in version 3.3.0 on June 11, adding permission checks to sensitive API calls.
– Only 48.5% of users have updated to the secure version, leaving over 200,000 sites vulnerable, with 24.2% still on older, riskier 2.x versions.

A critical vulnerability in the widely used Post SMTP plugin has exposed over 200,000 WordPress websites to potential administrator account takeovers. The flaw, tracked as CVE-2025-24000, allows attackers with minimal privileges to access sensitive email logs and hijack high-level accounts.

Post SMTP, a popular alternative to WordPress’ default email system, boasts more than 400,000 active installations. The plugin enhances email reliability and functionality, making it a preferred choice for many site owners. However, versions prior to 3.3.0 contain a serious security gap in their REST API endpoints.

The vulnerability stems from inadequate access controls. Instead of verifying user permissions, the plugin only checked whether a user was logged in. This oversight meant even low-level subscribers could view email logs containing confidential content, including password reset links. Attackers exploiting this flaw could intercept administrator emails, reset passwords, and seize control of entire websites.
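To make the class of bug concrete, here is an illustrative WordPress REST route written for this article (it is not Post SMTP's code): the weak permission callback that only tests for a login sits beside a corrected one that requires an administrator capability. The namespace `example-mail-log/v1` and the `emaillog_*` function names are assumptions.

```php
<?php
// Illustrative example, not the plugin's own code. A REST endpoint that
// exposes logged outbound mail (which may include password-reset links)
// must authorize the caller, not merely authenticate them.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mail-log/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'emaillog_fetch_entries',     // hypothetical handler
        // Swap in emaillog_can_read_logs_weak() to reproduce the flaw class.
        'permission_callback' => 'emaillog_can_read_logs',
    ) );
} );

// WEAK (the pattern described in the article): any logged-in account,
// including a Subscriber, passes this check, because is_user_logged_in()
// answers "who are you?" and never "what may you do?".
function emaillog_can_read_logs_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// FIXED: require a capability only administrators hold by default and
// return a WP_Error so the REST layer replies 401/403 instead of 200.
function emaillog_can_read_logs( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to read the mail log.', 'example-mail-log' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Hypothetical handler; only reached once the permission callback returns true.
function emaillog_fetch_entries( WP_REST_Request $request ) {
    return rest_ensure_response( array() ); // constructed placeholder, no real data
}
```

When auditing a plugin, grep its `register_rest_route()` calls and treat any `permission_callback` that returns `is_user_logged_in()` or `__return_true` on a data-returning route as a finding to review.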

Security researchers at Patchstack identified the issue on May 23 and alerted the developer, Saad Iqbal. A patch was submitted for review three days later, introducing stricter permission checks in the `getlogspermission` function. The fix was officially released in version 3.3.0 on June 11.

Despite the update, nearly half of Post SMTP users (48.5%) remain unprotected, still running outdated versions. Even more concerning, roughly 96,800 sites operate on vulnerable 2.x branch releases, exposing them to additional security risks.

Website administrators are urged to immediately update to Post SMTP 3.3.0 or later to mitigate the threat. Delaying patches could leave sites open to exploitation, risking data breaches and unauthorized access. Regularly monitoring plugin updates remains essential for maintaining robust security in WordPress environments.

(Source: BLEEPING COMPUTER)
