{"id":12452,"date":"2025-07-27T18:12:33","date_gmt":"2025-07-27T18:12:33","guid":{"rendered":"https:\/\/usaontheweb.com\/clone1\/post-smtp-plugin-flaw-exposes-200k-wordpress-sites-to-hijacking-attacks\/"},"modified":"2025-07-27T18:12:33","modified_gmt":"2025-07-27T18:12:33","slug":"post-smtp-plugin-flaw-exposes-200k-wordpress-sites-to-hijacking-attacks","status":"publish","type":"post","link":"https:\/\/usaontheweb.com\/clone1\/post-smtp-plugin-flaw-exposes-200k-wordpress-sites-to-hijacking-attacks\/","title":{"rendered":"Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks"},"content":{"rendered":"<div>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"Wordpress Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks\" height=\"897\" src=\"https:\/\/www.bleepstatic.com\/content\/hl-images\/2023\/12\/07\/back.jpg\" width=\"1600\"><\/p>\n<p>More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account.<\/p>\n<p>Post SMTP is a popular email delivery plugin for WordPress that counts more than 400,000 active installations. It\u2019s marketed as a replacement of the default \u2018<em>wp_mail()<\/em>\u2019 function that is more reliable and feature-rich.<\/p>\n<p>On May 23, a security researcher reported the vulnerability to WordPress security firm PatchStack. 
The flaw is now identified as\u00a0CVE-2025-24000 and received a medium severity score of 8.8.<\/p>\n<p>The security issue affects all versions of Post SMTP up to 3.2.0 and is due to a broken access control mechanism in the plugin\u2019s REST API endpoints, which only verified if a user was logged in, without checking their permission level.<\/p>\n<p>This means that low-privileged users, such as Subscribers, could access email logs containing full email content.<\/p>\n<p>On vulnerable sites, a subscriber could initiate a password reset for an Administrator account, intercept the reset email via the logs, and gain control of the account.<\/p>\n<div>\n<figure><img loading=\"lazy\" decoding=\"async\" alt=\"Wordpress The vulnerable code\" height=\"600\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2025\/July\/vuln.jpg\" width=\"564\"><figcaption><strong>The vulnerable code<\/strong><br \/><em>Source: PatchStack<\/em><\/figcaption><\/figure>\n<\/div>\n<p>The plugin\u2019s developer, Saad Iqbal, was informed about the flaw and responded with a fix for Patchstack to review on May 26.<\/p>\n<p>The solution was to incorporate additional privilege checks in the \u2018get_logs_permission\u2019 function that would validate a user\u2019s permissions before giving access to sensitive API calls.<\/p>\n<p>The fix was incorporated into Post SMTP version 3.3.0, which was published on June 11.<\/p>\n<p>Download statistics on\u00a0WordPress.org\u00a0show that less than half of the plugin&#8217;s user base (48.5%) has updated to version 3.3.\u00a0This means that more than 200,000 websites are vulnerable to CVE-2025-24000.<\/p>\n<p>A notable 24.2%, corresponding to 96,800 sites, still run Post SMTP versions from the 2.x branch, which is vulnerable to additional security flaws, leaving them open to attacks.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to<\/p>\n","protected":false},"author":7282,"featured_media":12453,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1166],"tags":[],"class_list":["post-12452","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-website"],"_links":{"self":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/12452","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/users\/7282"}],"replies":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/comments?post=12452"}],"version-history":[{"count":0,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/12452\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media\/12453"}],"wp:attachment":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media?parent=12452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/categories?post=12452"},{"taxonomy":"post_tag","embeddable
":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/tags?post=12452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}