Over 40,000 websites running a vulnerable version of a popular WordPress plugin could be hijacked by attackers.
The Post SMTP plugin is an add-on used by roughly 400,000 WordPress-powered websites to improve the reliability and security of their email delivery. The plugin has proven popular partly because of marketing that presents it as a more dependable and full-featured replacement for the default email functionality built into WordPress.
According to a report by Patchstack, an ethical hacker responsibly disclosed a serious vulnerability in the Post SMTP plugin.
The flaw allowed site users who should only have low privileges, such as Subscribers, to read any email sent by the WordPress site, including password reset emails for any user. Because the reset link in such an email lets whoever holds it set a new password for that account, a low-privileged user could take control of an Administrator-level account, leading to a full site takeover.
Saad Iqbal of WPExperts, the plugin's developer, took the report seriously and provided a candidate patch within three days, which was confirmed to resolve the vulnerability. The flaw was assigned the identifier CVE-2025-24000.
On June 11, Iqbal released version 3.3.0 of the Post SMTP plugin, which included the patch for the flaw.
You might think that is a happy end to the story, but it isn't.
You see, the problem is that according to WordPress.org's own statistics, over 10% of the plugin's 400,000+ active installs are still running the vulnerable version 3.1 (shown here in red).

As BleepingComputer reports, a worrying 24.2% of sites (almost 100,000) are still running Post SMTP version 2.x.x, which leaves them open to even more known vulnerabilities and security flaws.
So, what can you do?
Well, first things first. If you administer a WordPress website, update its plugins.
Out-of-date plugins can be updated from the wp-admin dashboard inside WordPress. If you are comfortable with it, you can even set WordPress plugins to update automatically when new versions become available.
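If you manage more than one site, the dashboard is a slow way to find out which installs are still exposed. The script below is an added example, not code from the article or from the Post SMTP project: it takes the CSV that WP-CLI's `wp plugin list --format=csv --fields=name,status,version` prints, flags any Post SMTP install older than the 3.3.0 release the article names as the fix, and prints the WP-CLI commands that update the plugin and turn on auto-updates for it. The plugin slug `post-smtp` and the sample CSV are assumptions for the example; on a real site pipe the output of `wp plugin list` in instead.

```shell
#!/bin/sh
# Added example (not from the article or the Post SMTP project).
# Assumptions: plugin slug is "post-smtp"; 3.3.0 is the first fixed release.
# Version strings are expected to be purely numeric dotted (e.g. 3.1.0);
# pre-release suffixes such as "-beta" are not handled.

FIXED_VERSION="3.3.0"

# Constructed sample of `wp plugin list --format=csv --fields=name,status,version`.
# Replace with a real run on the site you are checking.
SAMPLE_CSV='name,status,version
akismet,active,5.3.3
post-smtp,active,3.1.0
hello,inactive,1.7.2'

# version_lt A B: succeeds (exit 0) when dotted version A is strictly older
# than B. Missing components are treated as 0, so 3.1 equals 3.1.0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "$ah" = "$a" ] && a="" || a=${a#*.}
        [ "$bh" = "$b" ] && b="" || b=${b#*.}
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1
}

# post_smtp_status CSV: prints "vulnerable <ver>", "patched <ver>" or "absent".
post_smtp_status() {
    line=$(printf '%s\n' "$1" | grep '^post-smtp,' | head -n1)
    if [ -z "$line" ]; then
        echo "absent"
        return 0
    fi
    ver=$(printf '%s' "$line" | cut -d, -f3)
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable $ver"
    else
        echo "patched $ver"
    fi
}

# The WP-CLI commands that fix a vulnerable install and keep it current.
remediation_commands() {
    cat <<'EOF'
wp plugin update post-smtp
wp plugin auto-updates enable post-smtp
EOF
}

main_check() {
    status=$(post_smtp_status "$SAMPLE_CSV")
    echo "post-smtp: $status"
    case "$status" in
        vulnerable*) remediation_commands ;;
    esac
}

main_check
```

With the constructed sample the script reports `post-smtp: vulnerable 3.1.0` and prints the two WP-CLI commands; run it with `sh` on the host (or over SSH) for each site you administer, and treat a `2.x.x` result as the most urgent, since those installs are behind on more than this one fix.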
In addition, ask yourself what you are doing to harden your website and WordPress installation. For instance, are you restricting access to the site's admin interface to specific IP addresses? Do you have multi-factor authentication in place? Have you reviewed which plugins and themes are installed on the site, and removed any that are no longer required?
Patching is clearly sensible and should be done at the earliest opportunity, but never forget that additional layers of security can go beyond patches, and may be more proactive in defending your systems from attack.