A significant security flaw has been discovered in Post SMTP, a widely used WordPress plugin with over 400,000 active installations designed to enhance email reliability. The vulnerability, identified as CVE-2025-24000, carries a high-severity score of 8.8 and affects all versions of the plugin up to 3.2.0. With less than half of the user base having applied the necessary update, more than 200,000 websites currently remain exposed to attacks that could allow hackers to gain full administrative control.
The core of the issue is a broken access control check in the plugin’s REST API. The vulnerable code verified only that the requester was logged into the WordPress site; it never checked the caller’s capabilities. As a result, any authenticated user, down to the lowest-privileged “Subscriber” role, could reach sensitive endpoints, most notably the email logs, which can hold the full content of every email the site has sent.
Exploitation is straightforward. The attacker registers a low-privilege subscriber account on the target site (or uses one they already have), then triggers a password reset for an administrator account. Using the access control flaw, they read the site’s email logs, pull the administrator’s password reset email out of them, follow the unique reset link, and set a new password. That hijacks the high-privilege account and, with it, the entire WordPress site.
Discovery and Patching Process
The vulnerability was responsibly disclosed to the WordPress security firm PatchStack on May 23. The plugin’s developer, Saad Iqbal, was promptly notified and responded with a fix for review just three days later, on May 26. The solution involved adding crucial privilege checks to the get_logs_permission function, ensuring that only authorized users can access the sensitive API endpoints. This fix was officially released to the public in Post SMTP version 3.3.0 on June 11.
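To make the broken check and its fix concrete, here is a minimal WordPress REST route that exposes email logs, written for this article as an added example: it is not Post SMTP’s own code, and the namespace `myplugin/v1`, the route `/logs`, the function names, and the choice of the `manage_options` capability are assumptions (the advisory only says that privilege checks were added to the permission function). The weak callback mirrors the logged-in-only pattern described above; the fixed callback is what a permission callback on a log endpoint should look like.

```php
<?php
/**
 * Added example (not Post SMTP's code): an email-log REST endpoint with the
 * weak permission pattern from the advisory beside a hardened version.
 * myplugin/v1, /logs, the function names and manage_options are assumptions.
 */

// VULNERABLE pattern: "is the caller logged in?" is the only gate, so a
// Subscriber passes and can read every logged message, including
// password-reset emails addressed to administrators.
function myplugin_get_logs_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// FIXED pattern: require a capability that only administrators hold.
// rest_authorization_required_code() yields 401 for anonymous callers and
// 403 for authenticated callers who lack the capability.
function myplugin_get_logs_permission_fixed( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view email logs.', 'myplugin' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Handler: returns stored log entries. Where the logs live is an assumption
// (an option named myplugin_email_logs); the real plugin stores them elsewhere.
function myplugin_get_logs( WP_REST_Request $request ) {
    $logs = get_option( 'myplugin_email_logs', array() );
    return rest_ensure_response( $logs );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'myplugin_get_logs',
        // Swap in 'myplugin_get_logs_permission_weak' to reproduce the flaw.
        'permission_callback' => 'myplugin_get_logs_permission_fixed',
    ) );
} );
```

To check an endpoint like this on a test site, authenticate as a Subscriber (an application password works: `curl -u subscriber:APP_PASSWORD https://example.test/wp-json/myplugin/v1/logs`) and confirm the response is a 403 `rest_forbidden` error rather than the log contents; with the weak callback in place the same request returns the logs. The general rule the fix illustrates is that `permission_callback` must test a capability with `current_user_can()`, never merely whether a session exists, because every registered role, Subscriber included, counts as logged in.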
Urgent Call to Update
Despite the availability of a patch, download statistics from WordPress.org show a concerningly slow adoption rate. Currently, only 48.5% of users have updated to the secure version, leaving over 200,000 sites vulnerable. Furthermore, a notable 24.2% of installations, equivalent to nearly 97,000 sites, are still running much older versions from the 2.x branch, which contain this and other security flaws. Administrators using the Post SMTP plugin are strongly urged to update to version 3.3.0 or newer without delay to protect their websites from this critical threat.