- Older versions of Post SMTP let attackers read all of a site's emails
- They could also reset the administrator's password, read the notification email, and take over the account
- More than 160,000 WordPress sites still run a vulnerable version
A popular WordPress plugin with hundreds of thousands of active installations carried a vulnerability that allowed threat actors to fully compromise websites, experts have warned.
The plugin is Post SMTP, a tool that replaces WordPress's default mail function with authenticated SMTP delivery; it currently has more than 400,000 active installations.
Patchstack security researchers warned that the access control on one of the plugin's REST API endpoints was broken: it checked only whether a user was logged in, not whether that user had the permissions required to perform the requested action. As a result, low-privileged users could read the plugin's email logs, including full message bodies. That let them trigger a password reset for an administrator account, read the reset email from the log, and then log in as the administrator, effectively taking control of the site.
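The flaw the researchers describe is a classic confusion between authentication and authorization in a WordPress REST route. The block below is an added illustration, not Post SMTP's own code: the route names, the `manage_options` capability and the `example_mailer_load_log_rows` helper are assumptions made for the example. It shows the weak `permission_callback` pattern beside its corrected form.

```php
<?php
// Added example (not the plugin's code). Route namespace, capability and the
// log-loading helper are assumed for illustration only.

// Hypothetical helper standing in for the plugin's log storage. The rows are
// constructed sample data so the example is self-contained.
function example_mailer_load_log_rows() {
    return array(
        array( 'to' => 'admin@example.test', 'subject' => 'Password reset', 'body' => '(reset link)' ),
        array( 'to' => 'user@example.test',  'subject' => 'Welcome',        'body' => '(welcome text)' ),
    );
}

// Shared handler: it does no authorization itself, so the permission_callback
// on the route is the only gate in front of the email bodies.
function example_mailer_get_logs( WP_REST_Request $request ) {
    return rest_ensure_response( example_mailer_load_log_rows() );
}

// WEAK: is_user_logged_in() answers "is this an authenticated user?", not
// "may this user read mail logs?". Any subscriber-level account passes.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => function () {
            return is_user_logged_in();
        },
    ) );
} );

// HARDENED: gate the route on a capability. By default only administrators
// hold manage_options, so lower roles receive 401/403 instead of the log.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to read email logs.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );
```

When reviewing a plugin, the quickest audit is to list every `register_rest_route` call and read its `permission_callback`: one that returns `is_user_logged_in()` or `__return_true` for an endpoint exposing sensitive data is the pattern described above, and the fix is a `current_user_can()` check against the capability that actually corresponds to the action.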
Patching the bug
The bug was first reported on May 23, and by May 26 it had been assigned a CVE identifier and a severity score: it is tracked as CVE-2025-24000, with a severity score of 8.8/10.
According to download statistics on WordPress.org, 59.8% of all Post SMTP installations run version 3.1 or newer, which means 40.2% of sites are still on a vulnerable version.
Since the plugin has more than 400,000 active installations, roughly 160,000 websites could still be taken over using this method.
WordPress is the most popular website builder in the world, powering more than half of all sites on the Internet, and as such it is a popular target for cybercriminals.
However, because WordPress core is generally considered a secure platform, attackers focus on plugins and themes, which do not always receive the same level of security scrutiny or support.
This is why most cybersecurity professionals recommend keeping only the plugins and themes that are actually in use, and always making sure they are up to date.
The issue was fixed in version 3.3.0, released on June 11, 2025, so users should update as soon as possible to stay protected.
Via BleepingComputer