Critical Post SMTP Plugin Flaw Exposes 200K+ WordPress Sites to Admin Hijacking
The widely used Post SMTP Mailer plugin, active on over 400,000 WordPress sites, has been found to contain a critical security vulnerability (CVE-2025-24000) that could allow attackers to hijack admin accounts. Despite a fix being released, security researchers report that over 200,000 sites remain vulnerable.
This flaw is currently making waves across the WordPress community (BleepingComputer, SecurityAffairs). If your site uses Post SMTP, you must update immediately to avoid a potential full site takeover.
What’s the Issue?
The vulnerability affects all versions of the Post SMTP plugin up to and including 3.2.0. According to reports, it stems from a broken access control issue in the plugin’s REST API.
What does it allow? Low-privilege user accounts (even those with only the Subscriber role) can access sensitive email logs.
Why is that dangerous? Attackers can intercept password reset links sent via email.
Result? They can reset the admin password and gain full control of the website.
Security researchers have rated the flaw as high severity (CVSS score 8.8) because it effectively bypasses permission checks and grants attackers a direct path to admin privileges.
How Many Sites Are at Risk?
The Post SMTP plugin is actively used by over 400,000 sites. Data shared by BleepingComputer shows that only 48.5% of users have updated to the patched version. That leaves more than 200,000 sites potentially open to exploitation.
If exploited, attackers can:
Inject malware or malicious redirects
Create rogue admin accounts
Modify or delete site content
Steal user data and credentials
What’s the Fix?
The developers released a patch in version 3.3.0 on June 11, 2025, introducing stricter permission checks.
If your site is running Post SMTP ≤ 3.2.0:
Update immediately to version 3.3.0 or higher.
Review your WordPress user accounts for unauthorized admins.
Reset all admin passwords if you suspect any suspicious activity.
Disable unused plugins and enforce least-privilege roles.
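The checklist above turned into a repeatable check, as an added shell example that is not part of Hostgard’s post or the Post SMTP project: it flags an installed Post SMTP version in the affected range (up to and including 3.2.0, per the advisory) and lists administrator accounts that are absent from an allowlist you maintain. It reads the CSV shape that standard WP-CLI commands emit (shown in the trailing comments); the plugin slug post-smtp, the allowlist file name and the sample rows are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from Hostgard's post or the Post SMTP project.
# Turns the remediation checklist into a repeatable check:
#   1. is the installed Post SMTP version in the affected range (<= 3.2.0)?
#   2. does the administrator list contain accounts you did not create?
# Input is the CSV shape produced by standard WP-CLI commands (shown at the
# bottom); the plugin slug "post-smtp" is an assumption.

AFFECTED_MAX="3.2.0"   # last affected release stated in the advisory

# version_le A B: exit 0 when dotted version A <= B, comparing the first
# three components numerically ("3.10.2" sorts after "3.2.0").
version_le() {
    i=1
    while [ "$i" -le 3 ]; do
        ap=$(printf '%s.0.0\n' "$1" | cut -d. -f"$i" | tr -cd '0-9')
        bp=$(printf '%s.0.0\n' "$2" | cut -d. -f"$i" | tr -cd '0-9')
        ap=${ap:-0}; bp=${bp:-0}
        [ "$ap" -lt "$bp" ] && return 0
        [ "$ap" -gt "$bp" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# post_smtp_vulnerable VERSION: exit 0 when VERSION is in the affected range.
post_smtp_vulnerable() {
    version_le "$1" "$AFFECTED_MAX"
}

# check_plugin_csv: read "name,version" CSV lines on stdin, report the
# Post SMTP row, exit 1 when an affected version is installed.
check_plugin_csv() {
    rc=0
    while IFS=, read -r name version; do
        [ "$name" = "post-smtp" ] || continue   # skips header and other plugins
        if post_smtp_vulnerable "$version"; then
            printf 'VULNERABLE post-smtp %s (update to 3.3.0 or later)\n' "$version"
            rc=1
        else
            printf 'OK post-smtp %s\n' "$version"
        fi
    done
    return "$rc"
}

# unexpected_admins ALLOWFILE: read "user_login,user_email" CSV lines on
# stdin, print every administrator whose login is not listed (one per
# line) in ALLOWFILE, exit 1 when any such account exists.
unexpected_admins() {
    rc=0
    while IFS=, read -r login email; do
        [ "$login" = "user_login" ] && continue   # CSV header
        if ! grep -qxF -- "$login" "$1"; then
            printf 'UNEXPECTED administrator: %s <%s>\n' "$login" "$email"
            rc=1
        fi
    done
    return "$rc"
}

# Demonstration on constructed data (not output from a real site).
demo() {
    allow=$(mktemp)
    printf 'alice\n' > "$allow"       # constructed: the only admin you created
    printf 'name,version\nakismet,5.3\npost-smtp,3.2.0\n' | check_plugin_csv
    printf 'user_login,user_email\nalice,alice@example.com\nwp_support,x@example.net\n' \
        | unexpected_admins "$allow"
    rm -f "$allow"
}

# On a real site (standard WP-CLI commands; plugin slug assumed):
#   wp plugin list --format=csv --fields=name,version | check_plugin_csv
#   wp user list --role=administrator --format=csv --fields=user_login,user_email \
#       | unexpected_admins admins.allow
#   wp plugin update post-smtp               # install the 3.3.0+ fix
#   wp plugin auto-updates enable post-smtp  # keep future patches flowing
demo
```

Run both checks before and after updating; a non-zero exit from either is the signal to act on the account review and password reset steps above. The version test compares components numerically on purpose, since a plain string comparison would misorder a future 3.10.x release against 3.2.0.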
SecurityAffairs warns that the vulnerability could be exploited at scale given its simplicity, making prompt patching critical.
How to Protect Your Site Going Forward
Enable automatic plugin updates for security patches.
Use a Web Application Firewall (WAF) to block malicious requests.
Regularly audit user roles and email logs.
Consider a managed WordPress hosting service where vulnerabilities are proactively patched.
Final Word
This Post SMTP vulnerability is among the most severe WordPress plugin flaws disclosed in recent months. If you are one of the 200K+ site owners who have yet to update, take action now. Attackers could already be scanning for sites to exploit.
Hostgard can assist with WordPress security audits, patching, and ongoing monitoring. If you’re unsure whether your site is safe, contact us and we’ll verify your setup.
Don’t wait – update your Post SMTP plugin to version 3.3.0+ immediately.
Update Post SMTP Plugin Now – Critical Flaw Lets Hackers Take Over WordPress Sites
A serious security flaw (CVE-2025-24000) has been found in the Post SMTP Mailer plugin for WordPress. It allows even low-privilege users to access email logs and steal password reset links, which can lead to full site takeovers.
Affected: All versions up to 3.2.0
Patched: Version 3.3.0, released June 11, 2025
Risk: Over 200,000 sites are still vulnerable
What to do:
Update Post SMTP plugin to 3.3.0 or later now.
Check your WordPress user accounts for suspicious admins.
Reset admin passwords if needed.
More info: BleepingComputer