
Publish SMTP plugin flaw exposes 200K WordPress websites to hijacking assaults

More than 200,000 WordPress websites are running a vulnerable version of the Post SMTP plugin that allows attackers to take control of the administrator account.

Post SMTP is a popular email delivery plugin for WordPress with more than 400,000 active installations. It is marketed as a replacement for the default ‘wp_mail()’ function that is more reliable and feature-rich.

On May 23, a security researcher reported the vulnerability to WordPress security firm Patchstack. The flaw is now tracked as CVE-2025-24000 and received a medium severity score of 8.8.

The security issue affects all versions of Post SMTP up to 3.2.0 and is caused by a broken access control mechanism in the plugin's REST API endpoints, which only verified whether a user was logged in, without checking their permission level.

This means that low-privileged users, such as Subscribers, could access email logs containing full email content.

On vulnerable sites, a subscriber could initiate a password reset for an Administrator account, read the reset email from the logs, and gain control of the account.

[Figure: The vulnerable code. Source: Patchstack]

The plugin's developer, Saad Iqbal, was informed about the flaw and responded with a fix for Patchstack to review on May 26.

The solution was to add privilege checks to the ‘get_logs_permission’ function so that it validates a user's capabilities before granting access to the sensitive API calls.
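The before/after shape of that permission check, as an added illustration rather than Post SMTP's actual code: it assumes a REST route that serves email logs and whose permission_callback is named get_logs_permission (the function named above), and uses only core WordPress functions (is_user_logged_in(), current_user_can(), register_rest_route(), WP_Error).

```php
<?php
// Illustrative example, not the plugin's own code. Assumes a plugin that
// stores sent-email logs and exposes them through a REST route.

// BEFORE (the pattern described in the advisory): the permission callback
// only checks that *some* user is logged in. A Subscriber satisfies this,
// so the log contents, including password-reset emails, are readable.
function get_logs_permission_vulnerable() {
    return is_user_logged_in();
}

// AFTER: additionally require a capability that only Administrators hold.
// 'manage_options' is a core WordPress capability granted to the
// Administrator role by default. Returning WP_Error makes the REST API
// answer with the matching 401/403 status instead of the log data.
function get_logs_permission_fixed() {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'You must be logged in.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    // Hypothetical namespace, route and option name for the stored logs.
    register_rest_route( 'example-smtp/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( get_option( 'example_smtp_email_logs', array() ) );
        },
        // The fix is the permission_callback: swap in the hardened check.
        'permission_callback' => 'get_logs_permission_fixed',
    ) );
} );
```

When auditing other plugins, a permission_callback that returns only is_user_logged_in() (or '__return_true') on a route exposing sensitive data is the same class of flaw.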

The fix was included in Post SMTP version 3.3.0, which was released on June 11.

Download statistics on WordPress.org show that less than half of the plugin's user base (48.5%) has updated to version 3.3. This means that more than 200,000 websites remain vulnerable to CVE-2025-24000.

A notable 24.2%, corresponding to 96,800 sites, still run Post SMTP versions from the 2.x branch, which is affected by additional security flaws, leaving them open to attacks.
