A severe vulnerability in the Post SMTP plugin for WordPress, used by over 400,000 websites, is exposing site owners to account takeover attacks. The flaw, tracked as CVE-2025-24000, affects version 3.2.0 and below and allows even low-privileged users to access sensitive email data—potentially leading to full administrative compromise.
Vulnerability Overview
| Field | Details |
|---|---|
| CVE ID | CVE-2025-24000 |
| Type | Broken Access Control / Account Takeover |
| Severity | Critical |
| CVSS Score | Not yet assigned |
| Affected Plugin | Post SMTP by WPExperts |
| Affected Versions | 3.2.0 and earlier |
| Patched Version | 3.3.0 |
According to Patchstack, the vulnerability originates from improper access control in the plugin’s REST API. While the system checked if users were logged in, it failed to validate their privilege level. This flaw allowed even Subscriber-level users—normally limited to reading content—to execute administrative actions.
What Attackers Could Do
Exploiting the bug, attackers could:
- View email logs, including full message bodies
- Resend emails, such as password reset messages
- Intercept admin communications
- Hijack site admin accounts by exploiting password reset flows
The root of the issue lies in the plugin’s get_logs_permission function. It relied solely on is_user_logged_in() and did not verify whether a user had the manage_options capability, which is typically reserved for administrators.
This oversight bypassed WordPress’s native role and capability system, opening a path to unauthorized admin-level actions.
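The pattern described above, as an added example that is not the Post SMTP plugin's own code: a REST permission callback that only checks login state, shown beside a hardened version that also requires the manage_options capability. The route namespace, path and every function name other than get_logs_permission are hypothetical; is_user_logged_in(), current_user_can(), register_rest_route() and WP_Error are WordPress core APIs.

```php
<?php
/**
 * Added example (not the Post SMTP plugin's own code).
 * Shows the weak permission callback pattern described in the article
 * beside a hardened one. Route namespace/path and all function names
 * except get_logs_permission are hypothetical.
 */

// WEAK: authentication only. Any logged-in user, including a Subscriber,
// passes this check. This is the class of flaw described above.
function example_get_logs_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// HARDENED: authentication plus authorization. The caller must hold the
// manage_options capability, which only administrators have by default.
function example_get_logs_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to view email logs.' ),
            array( 'status' => 401 )
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You do not have permission to view email logs.' ),
            array( 'status' => 403 )
        );
    }
    return true;
}

// Placeholder handler: returns an empty log set. A real handler would
// query the plugin's log table.
function example_get_logs( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'logs' => array() ) );
}

// Wire the hardened callback to a hypothetical logs route. Every route
// that exposes sensitive data needs a permission_callback that checks a
// capability, not merely whether someone is logged in.
add_action( 'rest_api_init', function () {
    register_rest_route(
        'example-smtp/v1',   // hypothetical namespace
        '/logs',             // hypothetical path
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_get_logs',
            'permission_callback' => 'example_get_logs_permission',
        )
    );
} );
```

The difference between the two callbacks is the line that matters: `is_user_logged_in()` answers "who is this?", while `current_user_can( 'manage_options' )` answers "may this user do this?". Returning a WP_Error with a 401 or 403 status, rather than plain false, also gives the REST server an accurate response code to log.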
Patch Released: Update Immediately
The good news is that a fix has been released in Post SMTP version 3.3.0. The updated version includes:
- Proper privilege checks in get_logs_permission
- REST route protections ensuring only authorized admin-level users can access email logs and other sensitive functions
Site owners should update immediately to protect their WordPress installations.
Recommended Actions
To mitigate the risk:
- Update Post SMTP to version 3.3.0 or higher right away.
- Review user accounts for suspicious roles or activity.
- Check email logs and audit admin access for unusual behavior.
- Consider enabling two-factor authentication (2FA) for all privileged accounts.
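As an added audit aid (not code from the Post SMTP plugin or WordPress core), the script below lists every REST route registered on a site together with the name of its permission callback, so an administrator can review routes whose only gate is login state or that have no gate at all. It uses the core rest_get_server() and WP_REST_Server::get_routes() APIs; the list of callback names treated as weak is an assumption you should extend for your own plugins, and it is meant to be run inside WordPress, for example with the real WP-CLI command wp eval-file.

```php
<?php
/**
 * Added example (not the Post SMTP plugin's or WordPress core's own code).
 * Lists each registered REST route with its permission_callback so routes
 * with no check, or a login-only check, can be reviewed by hand.
 * Run inside WordPress, e.g.:  wp eval-file audit-rest-routes.php
 */

// Callback names that grant access to everyone or to any logged-in user.
// Assumed starting list; extend it for plugins you run.
$weak_callbacks = array( '__return_true', 'is_user_logged_in' );

// Render a PHP callable as a readable name for the report.
function example_callable_name( $callable ) {
    if ( is_string( $callable ) ) {
        return $callable;
    }
    if ( is_array( $callable ) && count( $callable ) === 2 ) {
        $target = is_object( $callable[0] ) ? get_class( $callable[0] ) : $callable[0];
        return $target . '::' . $callable[1];
    }
    if ( $callable instanceof Closure ) {
        return 'Closure';
    }
    return 'unknown';
}

$routes = rest_get_server()->get_routes();
foreach ( $routes as $route => $handlers ) {
    foreach ( $handlers as $handler ) {
        $perm    = isset( $handler['permission_callback'] ) ? $handler['permission_callback'] : null;
        $name    = ( null === $perm ) ? 'NONE' : example_callable_name( $perm );
        $methods = implode( ',', array_keys( $handler['methods'] ) );
        $flag    = ( null === $perm || in_array( $name, $weak_callbacks, true ) ) ? '[REVIEW]' : '';
        printf( "%-8s %-60s %-40s %s\n", $methods, $route, $name, $flag );
    }
}
```

The listing cannot see inside a callback, so a named function that merely wraps is_user_logged_in(), as get_logs_permission did, will not be flagged automatically; the value of the report is that it gives you the full set of routes and callback names to inspect after a plugin update, and closures show up as "Closure" for the same manual review.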
Final Thoughts
This incident is a stark reminder of how plugins with improper permission checks can lead to full site compromise. Website administrators should regularly update plugins and monitor access logs—especially for widely used tools like Post SMTP that handle sensitive operations like email delivery.