Threat actors could compromise over 200,000 WordPress sites' admin accounts by exploiting a high-severity Post SMTP plugin vulnerability, tracked as CVE-2025-24000, BleepingComputer reports.
All Post SMTP plugin versions up to 3.2.0 are affected by the bug, which stems from improper access control within the plugin's REST API endpoints. According to the security researcher who reported the flaw in May, it gives even low-privileged users full access to the email logs, which in turn allows admin account password resets, interception of the reset emails, and eventual account takeovers. Only 48.5% of WordPress sites using the Post SMTP plugin have been updated to Post SMTP plugin version 3.3, which was released last month to resolve the security issue, according to statistics from WordPress.org. Among the remaining sites that still run vulnerable versions of the plugin, over 96,000 could also be compromised through other security vulnerabilities.
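The root cause described above, a REST endpoint whose permission check does not distinguish between an authenticated low-privileged user and an administrator, is a general WordPress plugin mistake, so the following illustration is added here to show the weak and the hardened form side by side. It is not Post SMTP's code and says nothing about how that plugin actually registers its routes; the namespace `example-mailer/v1`, the `/logs` route and every `example_*` function name are invented for the example.

```php
<?php
/**
 * Added illustration (not Post SMTP's code): a hypothetical email-log REST
 * endpoint registered the weak way and the hardened way. Namespace, route
 * and function names are invented for this example.
 */

// Weak: any authenticated account, including a Subscriber, satisfies
// is_user_logged_in(), so the lowest-privileged user can read every logged
// email, including the password-reset mails sent to administrators.
function example_register_weak_log_route() {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_read_mail_logs',
        'permission_callback' => function () {
            return is_user_logged_in();
        },
    ) );
}

// Hardened: require the capability an administrator needs to manage the
// plugin. Returning a WP_Error from permission_callback makes the REST
// server answer 401 (anonymous) or 403 (logged in but unauthorised) and the
// handler is never invoked.
function example_register_hardened_log_route() {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_read_mail_logs',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to read mail logs.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}

// The handler body is not the point of the example; it returns whatever the
// plugin stored. The permission check is what keeps that data from
// low-privileged callers.
function example_read_mail_logs( WP_REST_Request $request ) {
    $logs = array(); // constructed placeholder for the stored mail log
    return rest_ensure_response( array( 'logs' => $logs ) );
}

add_action( 'rest_api_init', 'example_register_hardened_log_route' );
```

When reviewing a plugin for this class of bug, inspect every `register_rest_route()` call: a `permission_callback` of `__return_true` or `is_user_logged_in` on a route that exposes administrative data is the pattern to flag, and the fix is a `current_user_can()` check against the capability the data actually requires, not a check for mere authentication.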