Redazione RHC : 28 July 2025 15:49
Over 200,000 WordPress sites are vulnerable to a critical flaw in the popular Post SMTP plugin, allowing attackers to gain full control of the administrator account. The vulnerability has been assigned the identifier CVE-2025-24000 and affects all versions of the plugin up to and including 3.2.0. At the time of publication, the fix has been installed on fewer than half of the systems using this component.
Post SMTP is a plugin for sending email from WordPress sites over SMTP, replacing the built-in wp_mail() function. With over 400,000 installations it is one of the most popular solutions in its category. However, in May 2025, PatchStack specialists received a report that the plugin's REST API had incorrect access control logic. Instead of verifying the caller's capabilities, the permission check only confirmed that the request came from a logged-in user: authentication without authorization. As a result, even low-privileged accounts such as subscribers could reach endpoints that should have been reserved for administrators.
In particular, a subscriber could trigger a password reset for the administrator account and then read the reset email, including its link, from the plugin's email logs, which the API served to any logged-in user. This chain gives full control of the site's admin panel without exploiting any third-party vulnerability or having physical access to the server.
The issue was reported to developer Saad Iqbal on May 23. Three days later, he provided an updated implementation of the get_logs_permission function that checks the user's capabilities, not merely their login state, before the API returns log data. The fixed version, 3.3.0, was released on June 11.
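To make the distinction concrete, the snippet below is an added illustration and not Post SMTP's own code: a WordPress REST route whose permission_callback accepts any logged-in user (the class of bug described above) beside a corrected callback that requires an administrator capability. The route namespace, path, handler name and the use of the manage_options capability are assumptions chosen for the example.

```php
<?php
/**
 * Illustrative example (not Post SMTP's code): the same REST route
 * guarded first by an authentication-only check, then by a proper
 * authorization check. Namespace, path and function names are assumed.
 */

// VULNERABLE PATTERN: authentication only. Any logged-in account,
// including a Subscriber, satisfies this check and can read the logs.
function example_logs_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// HARDENED PATTERN: authorization. Require a capability that only
// administrators hold, and return a 403 instead of silently failing.
function example_logs_permission_fixed( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You do not have permission to read email logs.',
            array( 'status' => 403 )
        );
    }
    return true;
}

// Hypothetical handler: a real plugin would return stored messages here.
// Password-reset emails would be among them, which is why the guard matters.
function example_get_logs_handler( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'logs' => array() ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_logs_handler',
        // Point this at example_logs_permission_weak only on a test site
        // to reproduce the exposure; never ship the weak callback.
        'permission_callback' => 'example_logs_permission_fixed',
    ) );
} );
```

When reviewing a plugin, look at every register_rest_route() call: a permission_callback that is `__return_true` or that only calls is_user_logged_in() is a sign that the endpoint's data should be re-examined against what a subscriber is allowed to see.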
Despite the update, WordPress.org statistics show an alarming picture: over 51% of sites are still running vulnerable versions. The situation is particularly dangerous for users of version 2.x: an estimated 96,800 sites continue to use these releases, which contain not only CVE-2025-24000 but also other known security flaws.
The issue highlights a systemic weakness of the WordPress ecosystem, where even critical security updates are not installed promptly. Given how easy the flaw is to exploit and how widely the plugin is used, attacks on unpatched sites are expected to continue and grow. Eliminating the threat requires an immediate update to version 3.3.0 or later. Sites that ran a vulnerable version while allowing untrusted users to register should also review the plugin's email log for unexpected password-reset messages and rotate the affected administrator credentials.