Another wake-up call has sounded in the world of WordPress development and administration: over 200,000 websites are still using an outdated and vulnerable version of the Post SMTP plugin, despite a critical flaw that allows attackers to gain full control over administrator accounts.
What Is Post SMTP and Why Does It Matter?
Post SMTP is one of the most popular plugins for configuring and sending emails on WordPress sites. It’s installed on more than 400,000 websites worldwide. The plugin is seen as a more reliable and functional alternative to the default wp_mail() function and is often used for integrating with external email services and logging outgoing messages.
However, popularity doesn’t always equal security.
Vulnerability CVE-2025-24000: How It Works
On May 23, cybersecurity researchers reported a critical vulnerability, assigned CVE-2025-24000 with a high severity rating of 8.8 on the CVSS scale.
The issue lies in improper access control in the plugin’s REST API: the permission check only verified that the user was logged in (authentication), without verifying the user’s permission level (authorization). This meant that even users with minimal privileges (such as subscribers) could access sensitive data — including logs of outgoing emails containing full message content.
Worse still, a malicious user could initiate a password reset for the administrator account, intercept the reset email via the logs, and fully take over the site.
How the Developers Responded
To their credit, the Post SMTP developers reacted promptly. On May 26, they submitted a patched version of the plugin for review. The fix introduced additional permission checks in the get_logs_permission method to prevent unauthorized access to sensitive API calls.
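The pattern described in the two sections above (a REST permission callback that checks only for a logged-in user, and the fix that adds a proper permission check) is shown below as an added illustration written for this article. It is not Post SMTP’s own code: the class name, the route name and the choice of the manage_options capability are assumptions, and the plugin’s actual get_logs_permission implementation is not reproduced here.

```php
<?php
// Added illustration, not Post SMTP's own code. Shows a REST endpoint that
// returns email logs, first with the weak permission check the article
// describes (authentication only) and then with an authorization check.
// Class name, route name and the 'manage_options' capability are assumptions.

class Example_Log_Controller {

    public function register_routes() {
        register_rest_route( 'example/v1', '/logs', array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => array( $this, 'get_logs' ),
            // Weak variant (vulnerable pattern): any authenticated user,
            // including a subscriber, would pass.
            // 'permission_callback' => array( $this, 'get_logs_permission_weak' ),
            // Hardened variant: require an administrative capability.
            'permission_callback' => array( $this, 'get_logs_permission' ),
        ) );
    }

    // Vulnerable pattern: only "is someone logged in?" is checked.
    public function get_logs_permission_weak( WP_REST_Request $request ) {
        return is_user_logged_in();
    }

    // Hardened pattern: a subscriber is logged in but does not hold
    // manage_options, so the request is rejected before the callback runs.
    public function get_logs_permission( WP_REST_Request $request ) {
        if ( ! is_user_logged_in() ) {
            return new WP_Error(
                'rest_not_logged_in',
                'You must be logged in to view email logs.',
                array( 'status' => 401 )
            );
        }
        if ( ! current_user_can( 'manage_options' ) ) {
            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to view email logs.',
                array( 'status' => 403 )
            );
        }
        return true;
    }

    public function get_logs( WP_REST_Request $request ) {
        // Full message bodies of logged mail (including password-reset
        // emails) are exactly what the weak check exposed; keep them behind
        // the capability gate above. Constructed empty payload for the demo.
        return rest_ensure_response( array( 'logs' => array() ) );
    }
}

add_action( 'rest_api_init', function () {
    ( new Example_Log_Controller() )->register_routes();
} );
```

The key point is the difference between is_user_logged_in() and current_user_can(): the first answers "who is this?", the second answers "is this user allowed to do that?". A REST route that stops at the first question grants every registered account, down to a subscriber, the same view of the data as an administrator.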
The secure version, Post SMTP 3.3.0, was released on June 11.
Why This Is Still a Problem
Despite the fix and multiple warnings from the cybersecurity community, the problem remains serious. According to WordPress statistics, only 48.5% of plugin users have updated to the secure version, which means that over 200,000 websites are still running vulnerable versions.
Even more concerning, about half of them are using the outdated 2.x branch, which contains not only this vulnerability but several other known issues.
This creates ideal conditions for a large-scale hacking campaign, where one plugin can serve as an entry point to completely compromise a site.
What WordPress Site Owners Should Do
If you’re using the Post SMTP plugin, check your version immediately. If it’s below 3.3.0 — update to the latest version without delay.
Also consider the following steps:
- Review email logs for suspicious activity;
- Ensure that subscribers and other low-privilege users have no access to admin features;
- Enable two-factor authentication for all administrator accounts;
- Regularly audit your installed plugins and remove unused or outdated ones.
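As an added example for the version check and the low-privilege audit recommended above (written for this article, not part of the plugin or of any WordPress tooling), the following must-use plugin flags a Post SMTP installation older than 3.3.0 in the admin area and lists any capabilities that the subscriber role has picked up beyond the WordPress defaults. Matching the plugin by its header Name rather than by file path is an assumption, since the plugin’s main file name is not given in the article; the file and function names are likewise made up for the example.

```php
<?php
/**
 * Plugin Name: Example Post SMTP Version and Role Audit
 * Description: Added illustration, not from the article or the plugin.
 *              Place in wp-content/mu-plugins/ so it loads unconditionally.
 */

// Fixed release named in the article.
const EXAMPLE_POST_SMTP_FIXED_VERSION = '3.3.0';

// Default capabilities of the subscriber role in a stock WordPress install.
const EXAMPLE_SUBSCRIBER_DEFAULT_CAPS = array( 'read', 'level_0' );

// Find the installed Post SMTP plugin by its header Name (assumption: the
// plugin's main file path is not given in the article, so we do not rely on it).
function example_find_post_smtp() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    foreach ( get_plugins() as $file => $data ) {
        if ( isset( $data['Name'] ) && stripos( $data['Name'], 'Post SMTP' ) === 0 ) {
            return array(
                'file'    => $file,
                'version' => isset( $data['Version'] ) ? $data['Version'] : '0',
                'active'  => is_plugin_active( $file ),
            );
        }
    }
    return null;
}

// True when the installed version is below the fixed release.
function example_post_smtp_is_outdated( $version ) {
    return version_compare( $version, EXAMPLE_POST_SMTP_FIXED_VERSION, '<' );
}

// Capabilities granted to subscribers that a stock install does not grant.
// Anything here deserves a look: a subscriber should not reach admin features.
function example_subscriber_extra_caps() {
    $role = get_role( 'subscriber' );
    if ( ! $role ) {
        return array();
    }
    $granted = array_keys( array_filter( $role->capabilities ) );
    return array_values( array_diff( $granted, EXAMPLE_SUBSCRIBER_DEFAULT_CAPS ) );
}

add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }

    $info = example_find_post_smtp();
    if ( $info !== null && example_post_smtp_is_outdated( $info['version'] ) ) {
        printf(
            '<div class="notice notice-error"><p>Post SMTP %s is installed (%s). '
            . 'Versions below %s are affected by CVE-2025-24000; update now.</p></div>',
            esc_html( $info['version'] ),
            $info['active'] ? 'active' : 'inactive',
            esc_html( EXAMPLE_POST_SMTP_FIXED_VERSION )
        );
    }

    $extra = example_subscriber_extra_caps();
    if ( ! empty( $extra ) ) {
        printf(
            '<div class="notice notice-warning"><p>The subscriber role holds '
            . 'non-default capabilities: %s. Review whether they are intended.</p></div>',
            esc_html( implode( ', ', $extra ) )
        );
    }
} );
```

Because this runs as a must-use plugin it cannot be deactivated from the plugin list, and it only reports to users who can already update plugins. The role audit is a coarse check: it catches capabilities added by other plugins or by a manual edit, which is the usual way a subscriber ends up with access it should not have.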
In Conclusion
This situation is another clear reminder of the importance of keeping your plugins and software up to date. A single vulnerable component can open the door to severe consequences — from data leaks to complete site takeovers.
Stay updated, monitor your permissions, and don’t delay securing your website.