A vulnerability in the popular Post SMTP WordPress plugin—installed on over 400,000 websites—has been disclosed by Patchstack, exposing sites to full account takeover attacks via broken access control in the plugin’s REST API. The flaw, tracked as CVE-2025-24000 and rated CVSS 8.8, has been patched in version 3.3.0.
“In versions 3.2.0 and below, the plugin is vulnerable to multiple Broken Access Control vulnerabilities in its REST API endpoints,” Patchstack reported.
Developed by Saad Iqbal of WPExperts, Post SMTP is a widely-used plugin that streamlines email delivery through WordPress with features like custom mailer services, email logging, DNS validation, and OAuth support.
The root of the problem lies in the plugin’s get_logs_permission function, which was responsible for validating access to the plugin’s REST API. Unfortunately, the function only checked if a user was logged in—ignoring whether that user had the appropriate privileges.
“These endpoints were, in the vulnerable versions, only validating that a user was logged in, not that they had the correct privileges to perform the actions,” the advisory explained.
This means that even a basic Subscriber-level user could interact with critical API functions like:
- Viewing full email logs—including message bodies
- Resending previously sent emails
- Viewing email count statistics
Perhaps the most dangerous consequence of the vulnerability is that it allows a low-privileged user to intercept password reset emails, giving them a straightforward path to hijack an administrator’s account.
“Using this information, a low-privileged user is able to takeover an Administrator-level account, leading to a full site takeover,” the advisory states.
This scenario represents a textbook privilege escalation attack, where an attacker climbs the ladder from a harmless account to full administrative control—all within WordPress.
The vulnerability has been patched in version 3.3.0, which includes improved access control mechanisms to restrict REST API usage appropriately.
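The root cause described above (a REST permission callback that only checks login state) and the fix (proper capability checks) are easiest to see side by side. The following PHP is an added illustration written for this article, not the Post SMTP plugin's actual source: the name `get_logs_permission` comes from the advisory, but the function bodies, the `example-smtp/v1` namespace, the `/logs` route, the `example_smtp_get_logs` handler and the choice of the `manage_options` capability are all assumptions made to show the pattern.

```php
<?php
// Added illustration of the broken-access-control pattern the advisory describes.
// Not the plugin's real code: route names, handler and capability are assumed.

// Vulnerable pattern (the pre-3.3.0 behaviour as described by Patchstack):
// any authenticated user, including a Subscriber, passes this check, so the
// endpoint effectively has no authorization at all.
function get_logs_permission_vulnerable( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened pattern: authentication AND a capability check. Email logs can
// contain password-reset links, so gate them on a high-privilege capability;
// 'manage_options' is held by Administrators by default (assumed choice here).
function get_logs_permission_hardened( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Insufficient privileges.',
            array( 'status' => 403 )
        );
    }
    return true;
}

// Registering a log-listing route with the hardened callback. The namespace
// and route are placeholders, not the plugin's real endpoint paths.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_get_logs',
        'permission_callback' => 'get_logs_permission_hardened',
    ) );
} );

// Placeholder handler; a real plugin would read its own log storage here.
function example_smtp_get_logs( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'logs' => array() ) );
}
```

The verification a site owner wants after upgrading is the same one this pattern implies: a request to the plugin's log endpoint authenticated as a Subscriber-level test account should now receive a 403 response rather than log data, while an Administrator still gets through. The same rule applies to every REST route a plugin registers, not only log listing: `permission_callback` must express the capability the action actually requires, because `is_user_logged_in()` alone grants the action to the lowest-privileged role on the site.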
All site administrators using the Post SMTP plugin are strongly urged to upgrade to version 3.3.0 or later immediately to prevent exploitation.