Due to a Bug in Post SMTP Plugin, 200,000 WordPress Sites Vulnerable to Attacks

📟 News

Date: 29/07/2025

More than 200,000 WordPress sites are using a vulnerable version of the Post SMTP plugin, which allows attackers to gain control over the administrator account.

Post SMTP is a popular mail delivery plugin for WordPress, boasting over 400,000 active installations. It is positioned as a replacement for the standard wp_mail() function, offering greater reliability and broader capabilities.

In May 2025, an unnamed cybersecurity researcher reported a vulnerability to WordPress security specialists at the company PatchStack. The issue has been assigned the identifier CVE-2025-24000 (8.8 on the CVSS scale).

The bug affects all versions of Post SMTP up to 3.2.0 and stems from a flawed access control mechanism in the plugin's REST API endpoints. The permission check only verified that a user was logged in; it did not verify the user's capability level.

As a result, low-privileged users (such as Subscribers) could gain access to email logs containing full versions of the messages. Even worse, on vulnerable sites, a low-privileged user could initiate a password reset for an administrator account, intercept the password reset email through the logs, and take control of the account.

The plugin developer was informed of the vulnerability on May 26, after which a patch was submitted to PatchStack for review. The solution involved adding additional privilege checks to the get_logs_permission function, which verifies user rights before granting access to sensitive API functions.
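To illustrate the class of bug described, here is an added example (not Post SMTP's own code; the route name, function names and the `manage_options` capability are assumptions): a REST permission callback that only checks login, beside a hardened version that also checks capability and returns a proper REST error.

```php
<?php
// Added illustration, not the plugin's own code. Route, handler names and
// the capability used are assumptions chosen for the example.

// Vulnerable pattern: the permission_callback only checks that *some* user
// is logged in, so a Subscriber passes and can read the mail log.
function example_logs_permission_weak() {
    return is_user_logged_in();
}

// Hardened pattern: require an administrative capability and return a
// WP_Error so unauthorised callers receive 401/403 instead of log data.
function example_logs_permission_strict( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.',
            array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

// Assumed handler: returns stored mail log entries. Message bodies (including
// password-reset mails) must never be reachable below the capability above.
function example_get_logs( WP_REST_Request $request ) {
    return rest_ensure_response( array() );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_logs',
        // Swap in example_logs_permission_weak to reproduce the bug class.
        'permission_callback' => 'example_logs_permission_strict',
    ) );
} );
```

When auditing a plugin, every `register_rest_route` call should be checked for a `permission_callback` that tests a capability, not merely `is_user_logged_in()`.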

The fix was included in Post SMTP version 3.3.0, which was released on June 11, 2025. However, according to official WordPress.org statistics, less than half of the plugin's users (48.5%) have upgraded to version 3.3 so far. This means that over 200,000 sites remain vulnerable to CVE-2025-24000.

Experts note that 24.2% of Post SMTP users are still using older 2.x versions, which are also vulnerable to other bugs.
