More than 200,000 WordPress websites are currently vulnerable to a serious security flaw in the Post SMTP plugin, which could allow attackers to take over administrator accounts.

Post SMTP, a widely used plugin with over 400,000 active installations, is designed to improve email delivery in WordPress by replacing the default wp_mail() function. However, a critical vulnerability—tracked as CVE-2025-24000—has been discovered in versions up to 3.2.0, earning a severity score of 8.8.

The flaw was discovered by a security researcher and reported to PatchStack on May 23. It stems from broken access controls in the plugin’s REST API, where low-privileged users, such as Subscribers, could view email logs and intercept administrator password reset emails—ultimately gaining full control of the site.

“The API only checked if a user was logged in, not whether they had proper permissions,” PatchStack explained.

The plugin’s developer, Saad Iqbal, responded quickly and issued a fix in version 3.3.0, released on June 11, which included stricter permission checks in the API.
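To make the access-control point concrete, here is an added example of the vulnerable pattern beside the hardened one. It is not the Post SMTP plugin's own code: the route namespace `example-mailer/v1`, the `example_mailer_*` function names, the `example_mailer_logs` option used as log storage and the choice of the `manage_options` capability are all assumptions made for illustration. Only the WordPress core functions (`register_rest_route`, `current_user_can`, `rest_authorization_required_code`) are real.

```php
<?php
/**
 * Added example, not the Post SMTP plugin's own code. A hypothetical
 * WordPress plugin exposes its stored email logs over the REST API.
 * Namespace, function names and log storage are assumptions.
 */

// Hypothetical log reader. A real plugin would query its own log table
// or custom post type; here an option is used so the example is short.
function example_mailer_get_logs( WP_REST_Request $request ) {
    $logs = get_option( 'example_mailer_logs', array() ); // assumed storage
    return rest_ensure_response( $logs );
}

// VULNERABLE PATTERN: the permission callback only asks whether the
// caller is logged in. Any Subscriber account satisfies it and can read
// every logged message, including password-reset emails sent to admins.
function example_mailer_register_weak_route() {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => 'is_user_logged_in',
    ) );
}

// HARDENED PATTERN: require a capability that only administrators hold.
// manage_options is the conventional capability for plugin settings and
// diagnostic data; a custom capability granted to the administrator role
// would work just as well.
function example_mailer_logs_permission( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // Returning a WP_Error gives the client a descriptive 401/403 instead
    // of the generic response produced by a bare false.
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to view email logs.', 'example-mailer' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

function example_mailer_register_hardened_route() {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => 'example_mailer_logs_permission',
    ) );
}

// Only the hardened route is wired up; the weak one is kept for contrast.
add_action( 'rest_api_init', 'example_mailer_register_hardened_route' );
```

When auditing any plugin for this class of bug, the quick check is to locate every `register_rest_route` call and confirm that its `permission_callback` tests a specific capability with `current_user_can()`, rather than `is_user_logged_in`, `__return_true` or nothing at all. Authentication alone says who the caller is; authorization must still decide what that caller may read, and email logs that can contain password-reset links belong to administrators only.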

Despite the fix, WordPress.org stats show that only 48.5% of users have updated, leaving over 200,000 websites still running vulnerable versions. Alarmingly, about 24.2% (96,800 sites) are still using outdated 2.x versions that are prone to additional security issues.

Website administrators using Post SMTP are urged to immediately update to version 3.3.0 or later to protect their sites from potential exploits.
