WordPress admins need to update their websites with the latest Post SMTP plugin release, as the plugin had a serious vulnerability. Specifically, the Post SMTP plugin flaw could allow an adversary to take over the target site’s admin accounts. Given how widely this plugin is used on WordPress websites, the vulnerability posed a threat to over 400,000 websites.
Account Takeover Flaw Patched In Post SMTP WordPress Plugin
According to a recent post from Patchstack, a serious vulnerability existed in the WordPress plugin Post SMTP. Exploiting this vulnerability could let the adversary gain elevated privileges on the target website by taking over admin accounts.
As explained, the issue stemmed from multiple Broken Access Control vulnerabilities in the plugin’s REST API endpoints. Because of these vulnerabilities, the plugin only checked that the requesting user was logged in, without validating whether that user had the privileges to perform the requested action. This potentially allowed a logged-in adversary with low privileges (including a Subscriber-level user) to gain elevated privileges and perform unauthorized actions.
This allowed any registered user (including Subscriber-level users who should have no privileges at all) to perform a variety of actions, including: viewing email count statistics, resending emails, and most dangerously, viewing detailed email logs including the entire email body.
The ability to access this detailed information allows a Subscriber-level user to intercept any email sent by the WordPress website, including password reset emails to any user.
Specifically, the issue lay in the get_logs_permission function, which only checked that the user was logged in, without a REST permission callback performing any further capability checks. Thus, any authenticated user was granted access to the REST API endpoints. This access ultimately allowed the attacker to take over admin accounts, and with them the website.
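To make the Broken Access Control pattern described above concrete, here is an added illustration in the form of a WordPress REST route that exposes email logs. It is not the Post SMTP plugin’s own code: the route namespace (`example-mailer/v1`), the function names, and the sample log entry are all assumed for this example. It places the weak permission callback (any logged-in user passes) beside the hardened one (an administrator capability is required), which is the check the article says was missing.

```php
<?php
// Added example, not code from the Post SMTP plugin. Route namespace, function names
// and the sample log data below are assumptions made for illustration only.

// Weak pattern: the permission callback only confirms that someone is logged in.
// Any registered user, including a Subscriber, would pass this check and be able to
// read every logged email, including password-reset messages.
function example_get_logs_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened pattern: require a capability that only administrators hold.
// WordPress evaluates this against the user the REST request was authenticated as,
// so a low-privilege account receives a 403 rest_forbidden response instead of the logs.
function example_get_logs_permission_strict( WP_REST_Request $request ) {
    return current_user_can( 'manage_options' );
}

// Endpoint handler: returns stored email log entries. The entry below is constructed
// sample data standing in for whatever a real plugin would read from its log table.
function example_get_logs_handler( WP_REST_Request $request ) {
    $logs = array(
        array(
            'id'      => 1,
            'to'      => 'admin@example.test',
            'subject' => 'Password Reset',
            'body'    => '(constructed sample body)',
        ),
    );
    return rest_ensure_response( $logs );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_logs_handler',
        // The permission callback is the authorization gate for the whole route.
        // Pointing it at example_get_logs_permission_weak reproduces the class of
        // bug described in the article; the strict callback is the fix.
        'permission_callback' => 'example_get_logs_permission_strict',
    ) );
} );
```

Two details matter when reviewing a permission callback like this. First, `is_user_logged_in()` answers authentication, not authorization; every action an endpoint performs (viewing logs, resending, deleting) needs its own `current_user_can()` check against a capability appropriate to that action. Second, under cookie-based REST authentication WordPress only populates the current user when a valid `X-WP-Nonce` header accompanies the request, so the strict callback also rejects unauthenticated or nonce-less requests rather than silently treating them as a logged-in user.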
Update Your Websites With The Latest Post SMTP Version
These vulnerabilities affected the plugin versions 3.2.0 and below. Tracked as CVE-2025-24000, the flaws caught the attention of Denver Jackson, who then reported the bug via the Patchstack Zero Day bug bounty program for WordPress. Following the bug report, the plugin developers patched the vulnerability with version 3.3.0, urging Post SMTP WordPress users to update to this or later releases.
Post SMTP is a popular WordPress plugin for email delivery, letting site admins set up SMTP mailer services. The plugin also supports various features to facilitate sending emails via WordPress, such as email logging, DNS validation, OAuth 2.0 Support, and fallback mailing.
According to the plugin’s WordPress listing, it currently boasts over 400,000 active installations. This large install base also indicates the extent of the threat posed by any unpatched vulnerabilities in the plugin. Hence, all users must ensure that they update their sites with the latest plugin releases to receive all fixes.