400,000 WordPress Websites Exposed by Post SMTP Plugin Vulnerability
A critical security vulnerability has been discovered in the popular Post SMTP plugin for WordPress, potentially exposing over 400,000 websites to account takeover attacks.
The vulnerability, tracked as CVE-2025-24000, affects versions 3.2.0 and below of the plugin. According to a report by Patchstack, it allows even low-privileged users to access sensitive email data and ultimately gain administrative control of affected websites.
Vulnerability Details and Impact
The Post SMTP plugin, developed by Saad Iqbal of WPExperts, serves as an email delivery solution that enables site owners to configure custom mailer services with features including email logging, DNS validation, and OAuth support.
However, a fundamental flaw in the plugin’s access control mechanism has created a significant security risk for its substantial user base.
| Field | Details |
| --- | --- |
| CVE ID | CVE-2025-24000 |
| Vulnerability Type | Broken Access Control / Account Takeover |
| CVSS Score | Not yet assigned |
| Severity | Critical |
| Affected Software | Post SMTP WordPress Plugin |
| Affected Versions | 3.2.0 and below |
The vulnerability stems from broken access control in the plugin’s REST API endpoints. In affected versions, these endpoints only validated whether a user was logged into the system, without verifying their actual privileges or permissions level.
This critical oversight allowed any registered user, including those with basic Subscriber-level accounts who typically have no administrative privileges, to perform unauthorized actions.
The compromised functionality includes viewing email count statistics, resending emails, and most dangerously, accessing detailed email logs containing complete email bodies.
This unauthorized access creates a pathway for account takeover attacks, as malicious users can intercept password reset emails and other sensitive communications intended for higher-privileged users, including site administrators.
The security flaw originated in the get_logs_permission function within the plugin’s REST API implementation.
Each REST route relied solely on this function for permission validation, which contained only a basic is_user_logged_in() check.
The function failed to incorporate additional privilege verification, such as confirming whether users possessed the necessary manage_options capability typically reserved for administrators.
This inadequate permission structure enabled any authenticated user to access REST API endpoints like /get-details, which could retrieve sensitive email transaction data without proper authorization.
The vulnerability effectively bypassed WordPress’s built-in user role and capability system, creating an unauthorized administrative backdoor.
The vulnerability has been patched in Post SMTP version 3.3.0.
The updated version implements proper privilege checking within the get_logs_permission function, ensuring only users with appropriate administrative capabilities can access sensitive email management features.
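To make the root cause and the fix concrete, here is an added illustration in PHP of the two permission-callback patterns the article contrasts: a callback that only checks login, and one that also requires the manage_options capability. This is example code written for this article, not the Post SMTP plugin's own source; the namespace example-smtp/v1, the function names, and the handler body are assumptions, and only the /get-details route name comes from the text.

```php
<?php
// Added example, not the plugin's code. Shows a WordPress REST permission
// callback that only verifies login (the flawed pattern described above)
// beside one that also verifies the manage_options capability.
// Namespace, function names and the handler body are assumptions.

// Flawed pattern: every authenticated user, including a Subscriber,
// passes this check, so the route exposes email logs to any account.
function example_logs_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened pattern: require manage_options, which by default only
// Administrators hold. Returning WP_Error lets the REST API answer
// with a proper 401/403 instead of a generic failure.
function example_logs_permission_strict( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to view email logs.',
            array( 'status' => 403 )
        );
    }
    return true;
}

// Placeholder handler: in a real plugin this would load the stored email
// record (body, headers, recipient) for the requested id.
function example_get_details( WP_REST_Request $request ) {
    $id = (int) $request->get_param( 'id' );
    // ... database lookup of email log entry $id omitted ...
    return rest_ensure_response( array( 'id' => $id, 'status' => 'ok' ) );
}

// Register the route with the strict callback. Swapping in
// example_logs_permission_weak here reproduces the class of bug described.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/get-details', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_details',
        'permission_callback' => 'example_logs_permission_strict',
        'args'                => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value );
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

The design point is that permission_callback is the single gate WordPress consults before running the route handler, so it must encode the actual authorization rule (a capability such as manage_options), not merely an authentication state. A quick audit of any plugin is to grep its register_rest_route calls and confirm that every permission_callback ends in a current_user_can() check appropriate to the data it exposes.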
Immediate action is required for all Post SMTP users running versions 3.2.0 or earlier. Website administrators should update to version 3.3.0 immediately to protect against potential exploitation.
Additionally, site owners should review their user accounts and access logs for any suspicious activity that may have occurred before the patch implementation.
This incident underscores the importance of implementing comprehensive permission validation in WordPress plugins, particularly those handling sensitive data like email communications.