- Earlier versions of Post SMTP allowed attackers to read all logged emails
- They could also trigger an administrator password reset and read the notification email, gaining access to the account
- More than 160,000 WordPress sites are still running a vulnerable version
A popular WordPress plugin with hundreds of thousands of active installations contained a vulnerability that let threat actors take over compromised websites, experts have warned.
The plugin is Post SMTP, a tool that replaces WordPress's default email function with an authenticated SMTP delivery method, and it currently has more than 400,000 active installations.
Security researchers at Patchstack warned of a broken access control in one of the plugin's REST API endpoints: it only checked whether a user was logged in, not whether that user had permission to perform the requested action. As a result, low-privileged users could access the email logs, including full email content. That allowed them to trigger a password reset for the administrator account, read the reset email from the log, and then sign in as an administrator, effectively taking over the site.
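As an added illustration of the bug class described above (hypothetical example code, not Post SMTP's own code), here is a WordPress REST route whose permission callback only checks that a user is logged in, alongside a hardened registration that checks a capability and validates its argument. The route namespace, option key and function names are assumptions for the example.

```php
<?php
// Hypothetical plugin code illustrating the authentication-vs-authorization
// mistake; both routes are shown side by side for comparison only, a real
// plugin would ship just the hardened one.

function example_mailer_get_log( WP_REST_Request $request ) {
    $id  = (int) $request['id'];
    $log = get_option( 'example_mailer_log_' . $id ); // hypothetical storage
    if ( false === $log ) {
        return new WP_Error( 'not_found', 'Log entry not found', array( 'status' => 404 ) );
    }
    return rest_ensure_response( $log );
}

add_action( 'rest_api_init', function () {
    // VULNERABLE: is_user_logged_in() proves identity, not privilege, so any
    // subscriber-level account can read every stored email, reset mails included.
    register_rest_route( 'example-mailer/v1', '/logs/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_mailer_get_log',
        'permission_callback' => function () {
            return is_user_logged_in();
        },
    ) );

    // HARDENED: require a capability that only administrators hold by default,
    // and validate/sanitize the id before the callback ever sees it.
    register_rest_route( 'example-mailer/v1', '/logs-secure/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_mailer_get_log',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When auditing a plugin, grep for `register_rest_route` and confirm each `permission_callback` checks a capability with `current_user_can()` rather than only `is_user_logged_in()` or `__return_true`.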
Patching the bug
The bug was first spotted on May 23, and by May 26 it had been assigned CVE-2025-24000 with a severity score of 8.8/10.
Looking at download statistics on WordPress.org, 59.8% of all Post SMTP installations are running versions 3.1 and newer, which means that 40.2% of sites are still vulnerable.
Since the plugin has more than 400,000 active installations, roughly 160,000 websites could still be taken over this way.
WordPress is the most popular website builder in the world, powering more than half of all sites on the Internet, and as such it is a popular target for cybercriminals.
However, since WordPress itself is generally considered a secure platform, attackers focus on plugins and themes, which do not receive the same level of security scrutiny or support.
That is why most cybersecurity professionals recommend keeping only the plugins and themes that are actually in use, and always making sure they are up to date.
This issue was fixed in version 3.3.0, released on June 11, 2025, so users should update as soon as possible to ensure they remain protected.
Via BleepingComputer