Post SMTP Plugin Flaw Puts Over 400,000 WordPress Sites at Risk

A serious security flaw has been found in the popular Post SMTP plugin, putting over 200,000 WordPress websites at risk of being hijacked by attackers.

Post SMTP is used for sending emails from WordPress websites and has over 400,000 active installations. It is seen as a better alternative to the default wp_mail() function because it is more reliable and feature-rich.

The security issue was discovered by a researcher and reported to PatchStack on May 23. The flaw has been identified as CVE-2025-24000 and is rated with a high severity score of 8.8.

This flaw affects all versions of the plugin up to 3.2.0. It is caused by broken access control in the plugin’s REST API: the plugin checked whether a request came from a logged-in user, but never checked which role or capability that user had.

Because of this, even users with the lowest access level (like Subscribers) could view the full email logs on a site.

If a site is using a vulnerable version of the plugin, a simple subscriber account could be used to trigger a password reset for an Administrator, access the email logs to see the reset email, and use that link to reset the admin password and gain full control of the site.

The plugin’s developer, Saad Iqbal, was informed about the issue and quickly worked on a fix. A patch was created and reviewed by PatchStack on May 26. The fix added proper permission checks to make sure only authorized users can access sensitive API features like email logs. This fix was included in version 3.3.0, which was released on June 11.
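To make the two paragraphs above concrete, here is an added illustration of the class of bug and of the fix described in the article. It is not Post SMTP's own code: the `example/v1` namespace, the route names and the `example_email_log()` helper are assumptions made for the example. It registers the same email-log endpoint twice with the WordPress REST API, once with a `permission_callback` that only asks whether someone is logged in (the weak check) and once with a capability check that only trusted roles pass.

```php
<?php
/**
 * Added illustration, not code from the Post SMTP plugin.
 * Shows the weak "is anyone logged in?" REST permission check beside
 * a capability-based check. Route names, the 'example/v1' namespace
 * and example_email_log() are assumptions for this example.
 */

// Hypothetical data source standing in for a plugin's email log table.
function example_email_log() {
    return array(
        array( 'to' => 'admin@example.test', 'subject' => 'Password Reset' ),
    );
}

// WEAK: only checks that a user is authenticated. A Subscriber passes
// this check, which is the kind of gap the article describes.
function example_weak_permission( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// HARDENED: require a capability that only trusted roles hold.
// 'manage_options' is granted to Administrators by default.
function example_strict_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        // WordPress turns this WP_Error into a 401/403 response.
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view email logs.', 'example' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// The handler itself is identical in both routes; only the gate differs.
function example_log_handler( WP_REST_Request $request ) {
    return rest_ensure_response( example_email_log() );
}

add_action( 'rest_api_init', function () {
    // Vulnerable pattern: any authenticated user, Subscribers included,
    // can read the log.
    register_rest_route( 'example/v1', '/logs-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_log_handler',
        'permission_callback' => 'example_weak_permission',
    ) );

    // Corrected pattern: the request is rejected before the handler runs
    // unless the user holds the required capability.
    register_rest_route( 'example/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_log_handler',
        'permission_callback' => 'example_strict_permission',
    ) );
} );
```

The `permission_callback` runs before the route's handler, so the hardened route never touches the log for a Subscriber. When auditing a plugin, look for REST routes whose `permission_callback` returns only `is_user_logged_in()` (or `__return_true`) while the handler exposes data that should be limited to administrators.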

Even though the fix is available, less than half of the plugin’s users have updated to the safe version. Around 48.5% have upgraded, but that still leaves over 200,000 sites using older, vulnerable versions. Worse, around 96,800 sites are still using version 2.x of the plugin, which has even more security issues.

If you are using the Post SMTP plugin, check your version immediately. Update to version 3.3.0 or later to protect your site from this vulnerability. Also, review your user roles and email log access settings to make sure sensitive data is secure.
