273/68 Wednesday, July 30, 2025

Security researchers from Patchstack have disclosed a critical vulnerability in the popular Post SMTP plugin for WordPress, which is used by over 400,000 websites globally to manage email delivery. The flaw, tracked as CVE-2025-24000, stems from a Broken Access Control issue that allows low-privileged users, such as subscribers, to access sensitive data they should not have permission to see.
According to the report, attackers can exploit this flaw to view email statistics, resend messages, and access email logs that may contain sensitive content, including administrator password reset notifications. With this information, an attacker could potentially reset an admin password and gain full control of the website. A patch for this vulnerability was released in version 3.3 on June 11, 2025. However, data from WordPress[.]org shows that fewer than half of the installations have updated to the latest version, meaning over 200,000 websites remain vulnerable.
Administrators are strongly urged to update the plugin to the latest version immediately. Plugins and themes are common entry points for attackers in WordPress ecosystems, and outdated components like this one continue to be a major target for website takeovers via vulnerability exploitation.
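As an added example (not code from Patchstack's report or from the plugin itself), the following Python audit script reads the installed Post SMTP version from its WordPress plugin header and flags anything older than the 3.3 fix release; the plugin entry-file path is an assumption, and the sample header is constructed for the demonstration.

```python
import re
from pathlib import Path
from typing import Optional

# Release that fixed CVE-2025-24000, per the advisory above.
FIXED_VERSION = "3.3"
# Assumed location of the plugin's main file; verify against your install.
PLUGIN_FILE = Path("wp-content/plugins/post-smtp/postman-smtp.php")

# Constructed sample of a WordPress plugin file header (not real plugin code).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Post SMTP
 * Version: 3.2.1
 * Requires PHP: 7.4
 */
"""


def version_tuple(v: str) -> tuple:
    """Turn '3.2.1' (or '3.3-rc1', suffix ignored) into comparable integers."""
    core = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in core.group(0).split("."))


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the patched release.

    Numeric tuple comparison avoids the classic string-compare bug where
    '3.10' would sort before '3.3'.
    """
    a, b = version_tuple(installed), version_tuple(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def audit(wp_root: str) -> str:
    """Report the plugin's status for one WordPress document root."""
    path = Path(wp_root) / PLUGIN_FILE
    if not path.is_file():
        return "not installed"
    ver = parse_plugin_version(path.read_text(errors="ignore")[:8192])
    if ver is None:
        return "version header not found"
    return f"{ver}: {'VULNERABLE, update to >= 3.3' if is_vulnerable(ver) else 'patched'}"
```

Run `audit("/var/www/html")` (or any other document root) for each site you manage; an empty result set from a fleet-wide sweep, not a single spot check, is what confirms the update landed everywhere.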