- Older versions of Post SMTP let hackers read all emails
- They could also reset the administrator password, read the reset email, and access the account
- More than 160,000 WordPress websites run the vulnerable version
A popular WordPress plugin with hundreds of thousands of active installations had a vulnerability that allowed threat actors to take over compromised sites, experts have warned.
The plugin is called Post SMTP, a tool that replaces WordPress's default email feature with an authenticated SMTP method, and it currently counts more than 400,000 active installations.
Security researchers at Patchstack warned that the access control mechanism in one of the plugin's REST API endpoints was broken: it only verified whether a user was logged in and did not check whether they had permission to perform the requested action. As a result, users with low privileges could access email logs containing full message content, which meant they could initiate a password reset for the admin account, read that email, and then log in as the administrator, essentially taking over the site.
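The broken check described above is the difference between "is this caller logged in?" and "does this caller hold the capability this action needs?". The following is an illustrative example added here, not Post SMTP's own code; the route name, the log-fetching helper and the `manage_options` capability are assumptions.

```php
<?php
// Illustrative example, added here; not Post SMTP's own code. The route
// name, the log-fetching helper and the capability used are assumptions.

// VULNERABLE pattern: any logged-in account (for example a subscriber)
// passes this check and can read every logged message, including
// password-reset emails sent to the administrator.
function example_mailer_logs_permission_weak() {
    return is_user_logged_in();
}

// HARDENED pattern: require an administrator-level capability and
// answer with a 403 when the caller lacks it.
function example_mailer_logs_permission_strict() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view email logs.' ),
            array( 'status' => 403 )
        );
    }
    return true;
}

function example_mailer_get_logs( WP_REST_Request $request ) {
    // Placeholder for the plugin's real log query (assumption).
    return rest_ensure_response( array( 'logs' => array() ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs',
        // Using example_mailer_logs_permission_weak here is the
        // broken-access-control pattern described above; endpoints that
        // expose sensitive data need a capability check, not a login check.
        'permission_callback' => 'example_mailer_logs_permission_strict',
    ) );
} );
```

When auditing a plugin, grep its `register_rest_route` calls for `permission_callback` values that only test `is_user_logged_in()` or return `__return_true`; each one is a candidate for exactly this class of bug.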
Patching the bug
The bug was first discovered on May 23, and by May 26 it had already been assigned a CVE and a severity rating: it is tracked as CVE-2025-24000, with a medium severity score of 8.8/10.
Looking at the download statistics on WordPress.org, 59.8% of all Post SMTP installations run versions 3.1 and newer, which means that 40.2% of sites are still vulnerable.
Since the plugin has more than 400,000 active installations, this means that around 160,000 sites can still be taken over using this method.
WordPress is the most popular site builder in the world, powering more than half of all sites on the Internet, and as such it is a popular target for cyber criminals.
However, since WordPress itself is generally considered a secure platform, crooks focus on plugins and themes, which do not have the same level of security or support.
That is why most cybersecurity professionals recommend keeping only the plugins and themes that are actually in use, and always making sure they are up to date.
The flaw was fixed in version 3.3.0, published on June 11, 2025, so users should update as soon as possible to ensure they remain protected.
Via BleepingComputer