What is the Post SMTP WordPress plugin?

Post SMTP is a popular WordPress plugin used for sending emails from WordPress websites. It provides enhanced email delivery capabilities and is installed on over 400,000 WordPress websites worldwide, making it one of the widely-used email plugins in the WordPress ecosystem.

What can attackers do with the Post SMTP vulnerability?

Attackers with Subscriber-level accounts can view email count statistics, resend emails, and access detailed email logs containing complete email bodies, which may include password reset links. By viewing password reset emails, a Subscriber-level user could reset an Administrator's password and gain complete control over the website.

How many websites are affected by CVE-2025-24000?

Over 400,000 websites using the Post SMTP WordPress plugin are potentially affected. Download statistics show that less than half (48.5%) have updated to the patched version, meaning more than 200,000 websites remain vulnerable. About 96,800 sites still run versions from the 2.x branch, which have additional security flaws.

Is there a patch available for the Post SMTP vulnerability?

Yes, the vulnerability has been patched in Post SMTP version 3.3.0, which was released on June 11, 2025. Website administrators should update to this version immediately to protect their sites from potential account takeover attacks.

What is the CVSS score for CVE-2025-24000?

CVE-2025-24000 has been assigned a CVSS score of 8.8, which is considered high severity. This score reflects the significant impact potential, as the vulnerability can lead to complete website compromise through account takeover attacks.

How many Post SMTP users have updated to the secure version?

According to WordPress.org download statistics, only 48.5% of the plugin's user base has updated to the patched version 3.3.0. This means that more than 200,000 websites remain vulnerable to CVE-2025-24000, with about 96,800 sites still running the older 2.x branch versions.

What should WordPress administrators do about this vulnerability?

Website administrators using the Post SMTP plugin should update to version 3.3.0 immediately to protect against CVE-2025-24000. They should also review their user accounts and permissions, especially for Subscriber-level accounts, and monitor for any suspicious email activity or unauthorized access attempts.

Are older Post SMTP versions affected by additional vulnerabilities?

Yes, about 24.2% of installations (approximately 96,800 sites) still run Post SMTP versions from the 2.x branch, which are vulnerable to additional security flaws beyond CVE-2025-24000. This makes updating to version 3.3.0 even more critical for comprehensive security protection.

What type of information can be accessed through this Post SMTP vulnerability?

Through this vulnerability, attackers can access email count statistics, detailed email logs containing complete email bodies, and the ability to resend emails. Most critically, they can view password reset emails and other sensitive communications that could lead to account compromise and website takeover.

Advisory

Account takeover flaw reported in widely used Post SMTP Plugin

Q: What is the Post SMTP WordPress plugin security vulnerability?

A security vulnerability tracked as CVE-2025-24000 (CVSS score 8.8) has been discovered in the widely-used Post SMTP WordPress plugin, potentially exposing over 400,000 websites to account takeover attacks. The vulnerability is caused by broken access control in the plugin's REST API endpoints.

Q: How does the CVE-2025-24000 vulnerability work?

The vulnerability is caused by broken access control in the plugin's REST API endpoints. These endpoints only validated whether a user was logged into the system, without verifying their actual privileges or permissions level. This allows any registered user, including those with basic Subscriber-level accounts, to view email statistics, resend emails, and access detailed email logs.

published: July 28, 2025

Take action: If you use the Post SMTP WordPress plugin, immediately update to version 3.3.0 or newer. Any logged-in user can hijack admin accounts. There is no workaround to this and updating the plugin is easy, so don't delay.

Learn More

A security vulnerability has been discovered in the widely-used Post SMTP WordPress plugin, potentially exposing over 400,000 websites to account takeover attacks.

The vulnerability is tracked as CVE-2025-24000 (CVSS score 8.8) and is caused by broken access control in the plugin's REST API endpoints. These endpoints only validated whether a user was logged into the system, without verifying their actual privileges or permissions level. This flaw allows any registered user, including those with basic Subscriber-level accounts to view email count statistics, resend emails, and access detailed email logs containing complete email bodies which may contain password reset links.

By viewing a password reset emails, a Subscriber-level user could reset the password of an Administrator account and gain complete control over the website.

The vulnerability has been patched in Post SMTP version 3.3.0, which was released on June 11, 2025.

Download statistics on WordPress.org show that less than half of the plugin's user base (48.5%) has updated to version 3.3.0, meaning that more than 200,000 websites remain vulnerable to CVE-2025-24000. About 24.2%, corresponding to 96,800 sites, still run Post SMTP versions from the 2.x branch, which is vulnerable to additional security flaws

Website administrators should update to version 3.3.0 immediately.

Account takeover flaw reported in widely used Post SMTP Plugin

Read More
Critical Privilege Escalation in Modular DS WordPress Plugin …
SQL injection flaw reported in dingfanzu CMS
WordPress malware campaign disguised as legitimate Security Plugin
Active exploitation of critically vulnerable WordPress Motors theme
Critical flaw reported in InstaWP Connect WordPress plugin