13 April 2025

Urgent Update: Critical Vulnerability in Post SMTP Plugin Puts Over 160,000 Sites at Risk

Introduction
A critical security flaw has been discovered in the widely-used WordPress plugin Post SMTP, putting approximately 160,000 websites at risk. With a severity score of 8.8/10, this vulnerability demands immediate attention from site owners and administrators.


What You Need to Know
The vulnerability, identified as CVE-2025-24000, resides in the plugin’s REST API access control. Essentially, while the endpoint verified whether a user was logged in, it failed to check whether the user had sufficient permissions. This oversight allowed low-privileged users to access full email logs, reset admin passwords, and ultimately seize control of affected websites.
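
The access-control gap described above, shown as an added example (not Post SMTP's actual code): a WordPress REST route whose permission callback only checks login state, next to one that checks a capability. The `example-mailer/v1` namespace, the route paths and the function names are hypothetical, and `manage_options` is an assumed choice of capability.

```php
<?php
/**
 * Added illustration, not Post SMTP's code. Namespace, routes and function
 * names are hypothetical. Load as a small plugin on a test WordPress site.
 */

// Route handler returning constructed sample data in place of real email logs.
function example_mailer_get_logs( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        array(
            'to'      => 'admin@example.test',
            'subject' => 'Password reset (constructed sample)',
        ),
    ) );
}

// Authorization: require an administrator-level capability, not just a session.
function example_mailer_can_view_logs() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to view email logs.',
            // 401 for anonymous requests, 403 for logged-in users without the capability.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    // Weak: authentication only. Any logged-in account, Subscriber included, passes.
    register_rest_route( 'example-mailer/v1', '/logs-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => 'is_user_logged_in',
    ) );

    // Corrected: the callback checks what the user is allowed to do.
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => 'example_mailer_can_view_logs',
    ) );
} );
```

When reviewing other plugins, a `permission_callback` of `is_user_logged_in` or `__return_true` on a route that returns sensitive data is the pattern to look for.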


Affected Installations
Post SMTP boasts over 400,000 active installs. Alarmingly, around 40.2% of these sites (≈160,000 sites) are still running outdated, vulnerable versions. Website owners are strongly advised to verify their version and update to 3.3.0 or later immediately.


Why This Matters
WordPress, powering over half of all websites globally, is a major target for cybercriminals. While the core platform is generally secure, third-party plugins like Post SMTP often lack rigorous security protocols—making them prime exploit vectors.


Action Steps for Your Site Security

  • Update Now: Install version 3.3.0 (or newer) of Post SMTP without delay.

  • Audit User Permissions: Verify that only trusted users have admin-level access.

  • Maintain Minimal Plugins: Keep only essential plugins installed and ensure they’re regularly updated.

  • Backup Strategy: Use reliable tools like UpdraftPlus or Solid Backups to secure your data.


Conclusion
If you’re using Post SMTP or managing WordPress sites, act now: update the plugin, audit permissions, and reinforce overall security. This vulnerability is a high-impact reminder that plugin security should never be sidelined.
