Tuesday, January 20, 2026

Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks


More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account.

Post SMTP is a popular email delivery plugin for WordPress that counts more than 400,000 active installations. It is marketed as a replacement for the default ‘wp_mail()’ function that is more reliable and feature-rich.

On May 23, a security researcher reported the vulnerability to WordPress security firm PatchStack. The flaw is now identified as CVE-2025-24000 and received a medium severity score of 8.8.

The security issue affects all versions of Post SMTP up to 3.2.0 and is due to a broken access control mechanism in the plugin’s REST API endpoints, which only verified whether a user was logged in, without checking their permission level.

This means that low-privileged users, such as Subscribers, could access email logs containing full email content.

On vulnerable sites, a subscriber could initiate a password reset for an Administrator account, intercept the reset email via the logs, and gain control of the account.

[Image] The vulnerable code
Source: PatchStack

The plugin’s developer, Saad Iqbal, was informed about the flaw and responded with a fix for Patchstack to review on May 26.

The solution was to incorporate additional privilege checks in the ‘get_logs_permission’ function that would validate a user’s permissions before giving access to sensitive API calls.
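To illustrate the class of bug and the kind of fix described here, the snippet below is an added example and not Post SMTP’s actual code (which this article does not reproduce). It puts a WordPress REST permission callback that only confirms the caller is logged in next to one that also checks a capability; the route name, the hypothetical handler names and the ‘manage_options’ capability are assumptions, and only the name ‘get_logs_permission’ comes from the article.

```php
<?php
// Added example, not the plugin's own code. Every name except
// get_logs_permission (mentioned in the article) is hypothetical.

// VULNERABLE PATTERN: any authenticated user, including a Subscriber,
// passes this check, so an email-log endpoint guarded this way is
// readable by anyone who can register an account. This is the class
// of access-control bug the article attributes to CVE-2025-24000.
function example_logs_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// HARDENED PATTERN: require a capability, not just a session. Email
// logs can contain password-reset links, so gate them behind an
// admin-level capability (assumed here to be 'manage_options').
function example_logs_permission_fixed( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    return true;
}

// Placeholder handler: a real implementation would query the plugin's log table.
function example_get_logs( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'logs' => array() ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_logs',
        // The permission_callback decides who may reach the handler;
        // a login-only check (or '__return_true') is not enough for
        // endpoints that expose sensitive data.
        'permission_callback' => 'example_logs_permission_fixed',
    ) );
} );
```

When auditing a site, a quick check is to grep installed plugins for ‘permission_callback’ and review any callback that returns only ‘is_user_logged_in()’ or ‘__return_true’ on a route that exposes logs, settings or other sensitive data.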

The fix was incorporated into Post SMTP version 3.3.0, which was released on June 11.

Download statistics on WordPress.org show that less than half of the plugin’s user base (48.5%) has updated to version 3.3. This means that more than 200,000 websites are vulnerable to CVE-2025-24000.

A notable 24.2%, corresponding to 96,800 sites, still run Post SMTP versions from the 2.x branch, which is vulnerable to additional security flaws, leaving them open to attacks.
