A vulnerability in a popular email delivery WordPress plugin is affected by a critical vulnerability that can be exploited to take full control of affected websites.
The impacted plugin is Post SMTP, which is actively used on more than 400,000 WordPress websites for sending emails.
A researcher discovered in May that the plugin is affected by a serious broken access control issue allowing any registered user, including subscribers, to gain access to sensitive data. The security hole is tracked as CVE-2025-24000.
According to WordPress security firm Patchstack, which coordinated the disclosure of the flaw, an attacker can exploit the vulnerability to view email statistics, resend emails, and access email logs, which include the body of the email.
These email logs can include password reset emails sent to any user, including administrators, which enables the attacker to reset the password for such accounts and take full control of the targeted website.
Post SMTP developers patched the vulnerability on June 11 with the release of version 3.3.
Data from Post SMTP’s statistics page on WordPress.org shows that less than half of the more than 400,000 active installations have been updated to version 3.3, which indicates that more than 200,000 websites may still be vulnerable to attacks.
It’s important that WordPress website administrators keep their plugins up to date as threat actors often exploit plugin and theme vulnerabilities to hack sites.
Related: Hackers Inject Malware Into Gravity Forms WordPress Plugin
Related: Forminator WordPress Plugin Vulnerability Exposes 400,000 Websites to Takeover
Related: Second OttoKit Vulnerability Exploited to Hack WordPress Sites
