More than 200,000 WordPress sites are using a vulnerable version of the Post SMTP plugin, which allows attackers to gain control over the administrator account.
Post SMTP is a popular mail delivery plugin for WordPress, boasting over 400,000 active installations. It is positioned as a replacement for the standard wp_mail() function, offering greater reliability and broader capabilities.
In May 2025, an unnamed cybersecurity researcher reported a vulnerability to WordPress security specialists at Patchstack. The issue has been assigned the identifier CVE-2025-24000 (CVSS score 8.8).
The bug affects all versions of Post SMTP up to 3.2.0 and stems from a flawed access-control check in the plugin's REST API endpoints: the permission check only verified that a user was logged in, not whether that user held the required privilege level.
As a result, low-privileged users (such as Subscribers) could read the email logs, which contain the full contents of sent messages. Worse, on a vulnerable site a low-privileged user could initiate a password reset for an administrator account, read the reset email from the logs, and take control of the account.
The plugin developer was informed of the vulnerability on May 26, after which a patch was submitted to Patchstack for review. The fix adds additional privilege checks to the get_logs_permission function, which verifies user rights before granting access to sensitive API functions.
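To show the difference between the flawed and the corrected permission check, here is an added PHP illustration that is not Post SMTP's own code: the route name, function names and the manage_options capability are assumptions, and the plugin's real get_logs_permission implementation is not reproduced.

```php
<?php
// Added illustration (not Post SMTP's code): a REST route guarded by a
// login-only permission_callback, next to a corrected callback that also
// checks a capability. Route and function names are hypothetical.

// Weak: any authenticated user, including a Subscriber, passes this check,
// so the log endpoint is effectively open to every registered account.
function example_logs_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened: require a capability that only administrators hold (assumed:
// manage_options). rest_authorization_required_code() yields 401 for
// anonymous callers and 403 for logged-in users lacking the capability.
function example_logs_permission_fixed( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Insufficient privileges to read mail logs.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Placeholder handler: a real one would query the plugin's log table.
function example_get_logs( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'logs' => array() ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_logs',
        // Use the hardened callback; the weak one is kept only for contrast.
        'permission_callback' => 'example_logs_permission_fixed',
    ) );
} );
```

When auditing a plugin, grep its register_rest_route calls for permission callbacks that return is_user_logged_in() alone or '__return_true'; those are the endpoints to test with a Subscriber account.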
The fix shipped in Post SMTP version 3.3.0, released on June 11, 2025. However, according to official WordPress.org statistics, less than half of the plugin's users (48.5%) have upgraded to version 3.3 so far, which means that over 200,000 sites remain vulnerable to CVE-2025-24000.
Experts note that 24.2% of Post SMTP users are still running older 2.x versions, which are also affected by other bugs.