Dangerous WordPress plugin puts over 160,000 sites at risk - here's what we know

News
By published

A popular WordPress plugin allowed criminals to reset admin accounts

Person editing a WordPress site
Image credit: Pixabay (Image credit: Pixabay)
  • Older versions of Post SMTP allowed hackers to read all emails
  • They could also reset the admin password and read the notification email, gaining access to the account
  • More than 160,000 WordPress sites are running the vulnerable version

A popular WordPress plugin with hundreds of thousands of active installations carried a vulnerability that allowed threat actors to take over compromised websites, experts have warned.

The plugin is called Post SMTP, a tool that replaces WordPress’s default email function with an authenticated SMTP method, and currently counts more than 400,000 active installations.

Security researchers PatchStack warned an access control mechanism in the plugin’s REST API endpoint was broken, only verifying if a user was logged in, and not checking whether they had permissions to do certain actions, or not. As a result, low-privileged users were allowed access to email logs with full email contents, meaning they were allowed to initiate a password reset for the admin account, view that email, and then log in as the admin, essentially taking over the site.

Patching the bug

The bug was first spotted on May 23, and by May 26, it was already assigned a CVE and a severity score - being tracked as CVE-2025-24000, with a medium severity score of 8.8/10.

Looking at the download statistics on WordPress.org, 59.8% of all Post SMTP installations are running versions 3.1 and newer, meaning 40.2% of sites are still vulnerable.

Since the plugin has more than 400,000 active installations, it means around 160,000 websites can still be taken over using this method.

WordPress is the most popular website builder in the world, powering more than half of all sites on the internet and as such, is a popular target for cybercriminals.

However, since WordPress is generally considered a secure platform, crooks are focused on plugins and themes which don’t have the same level of security or support.

That is why most cybersecurity professionals recommend only keeping the plugins and themes that are in use, and always making sure they are up to date.

This issue was fixed in version 3.3.0, published on June 11, 2025, so users should update as soon as possible to ensure they stay protected.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.