
Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks

More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account.

Post SMTP is a popular email delivery plugin for WordPress that counts more than 400,000 active installations. It is marketed as a replacement for the default ‘wp_mail()’ function that is more reliable and feature-rich.

On May 23, a security researcher reported the vulnerability to WordPress security firm PatchStack. The flaw is now tracked as CVE-2025-24000 and received a medium severity score of 8.8.

The security issue affects all versions of Post SMTP up to 3.2.0 and is caused by a broken access control mechanism in the plugin’s REST API endpoints, which only verified whether a user was logged in, without checking their permission level.

This means that low-privileged users, such as Subscribers, could access email logs containing full email content.

On vulnerable sites, a subscriber could initiate a password reset for an Administrator account, intercept the reset email via the logs, and gain control of the account.

[Image: The vulnerable code. Source: PatchStack]

The plugin’s developer, Saad Iqbal, was informed about the flaw and responded with a fix for Patchstack to review on May 26.


The solution was to incorporate additional privilege checks in the ‘get_logs_permission’ function that would validate a user’s permissions before giving access to sensitive API calls.

The fix was incorporated into Post SMTP version 3.3.0, which was published on June 11.

Download statistics on WordPress.org show that less than half of the plugin’s user base (48.5%) has updated to version 3.3. This means that more than 200,000 websites are vulnerable to CVE-2025-24000.

A notable 24.2%, corresponding to 96,800 sites, still run Post SMTP versions from the 2.x branch, which is vulnerable to additional security flaws, leaving them open to attacks.
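The class of bug described above, a REST permission callback that answers only "is someone logged in?" instead of "does this user hold the right capability?", is easy to see in a small WordPress example. The block below is an added illustration, not Post SMTP's own code: the route `example/v1/logs`, the function names and the `manage_options` capability are assumptions (the article does not say which capability the patched ‘get_logs_permission’ checks), and both callbacks are shown side by side only for contrast.

```php
<?php
// Added example (not the Post SMTP plugin's code). Registers a hypothetical
// REST route whose permission callback can be the weak "logged in only"
// check the article describes, or a proper capability check like the fix.

// Weak check: any authenticated account passes, including the Subscriber
// role, so whatever the endpoint returns (here, an email log) is readable by
// the lowest-privileged users on the site.
function example_logs_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened check: authentication alone is not enough; the caller must also
// hold a capability that only administrators have. 'manage_options' is a
// real core capability; the one Post SMTP actually uses is an assumption here.
function example_logs_permission_hardened( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in.',
            array( 'status' => 401 )
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You do not have permission to read email logs.',
            array( 'status' => 403 )
        );
    }
    return true;
}

// Handler returning a placeholder payload; a real plugin would read its own
// log table here. Returning an empty list keeps the example self-contained.
function example_get_logs( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'logs' => array() ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_logs',
        // The permission callback is the access-control boundary for a REST
        // route. The weak callback above is kept only to show the contrast;
        // production code should use the capability-checking one.
        'permission_callback' => 'example_logs_permission_hardened',
    ) );
} );
```

When reviewing a plugin for this pattern, grep every `register_rest_route()` call and confirm that its `permission_callback` invokes `current_user_can()` (or an equivalent capability or nonce check) rather than `is_user_logged_in()` alone, and that `__return_true` is used only on routes that are genuinely public.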
