
More than 200,000 WordPress websites are running a vulnerable version of the Post SMTP plugin that allows attackers to take control of administrator accounts.
Post SMTP is a popular email delivery plugin for WordPress with more than 400,000 active installations. It is marketed as a replacement for the default 'wp_mail()' function that is more reliable and feature-rich.
On May 23, a security researcher reported the vulnerability to WordPress security firm Patchstack. The flaw is now tracked as CVE-2025-24000 and has received a moderate severity score of 8.8.
The security issue affects all versions of Post SMTP up to 3.2.0 and stems from a broken access control mechanism in the plugin's REST API endpoints, which only verify whether a user is logged in, without checking their permission level.
This means that low-privileged users, such as subscribers, can access the email logs, including the full content of every logged email.
On vulnerable sites, a subscriber can initiate a password reset for an administrator account, read the reset email from the log, and take over the account.

Source: Patchstack
The plugin's developer, Saad Iqbal, was informed of the flaw and responded with a fix, which was submitted to Patchstack for review on May 26.
The fix updated the 'get_logs_permission' function to include additional privilege checks that validate the user's permissions before granting access to sensitive API calls.
The fix was included in Post SMTP version 3.3.0, published on June 11.
Download figures on WordPress.org show that less than half of the plugin's user base (48.5%) has updated to version 3.3. This means that more than 200,000 websites remain vulnerable to CVE-2025-24000.
A notable 24.2%, corresponding to 96,800 sites, still run Post SMTP versions from the 2.x branch, which are vulnerable to additional security flaws, leaving them open to attacks.
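To make the access-control flaw and its fix concrete, the following added example (written for this article, not code from the Post SMTP plugin) registers a hypothetical REST route for reading an email log twice: once with a permission callback that only checks whether the caller is logged in, which is the class of mistake described above, and once with a capability check of the kind the 'get_logs_permission' fix introduced. The namespace, route names and function names are assumptions.

```php
<?php
// Added illustrative example, not Post SMTP's own code.
// Namespace, route and function names are hypothetical.

add_action( 'rest_api_init', function () {
    // WEAK: is_user_logged_in() is true for every authenticated role,
    // so a subscriber can read the full mail log, including reset emails.
    register_rest_route( 'example-mailer/v1', '/logs-weak', array(
        'methods'             => 'GET',
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => function () {
            return is_user_logged_in();
        },
    ) );

    // FIXED: require an administrator-level capability before the
    // callback runs; WordPress returns 401/403 when the check fails.
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => 'GET',
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => 'example_mailer_logs_permission',
    ) );
} );

// Returns true only for users allowed to read sent-mail contents.
// current_user_can() is false for logged-out users, so it covers both
// "not authenticated" and "authenticated but under-privileged" cases.
function example_mailer_logs_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        // rest_authorization_required_code() picks 401 or 403 depending
        // on whether the request carried a logged-in user.
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to view the mail log.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Placeholder log retrieval returning constructed sample data.
function example_mailer_get_logs( WP_REST_Request $request ) {
    $sample = array(
        array( 'to' => 'admin@example.com', 'subject' => 'Password Reset' ),
    );
    return rest_ensure_response( $sample );
}
```

When reviewing a plugin, any REST route whose permission_callback returns only is_user_logged_in() (or '__return_true') for an endpoint that exposes or modifies sensitive data is the pattern to flag.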