If you run a WordPress website, this is your wake-up call: A critical vulnerability has been discovered in the popular Post SMTP plugin—and it could give attackers full control of your site.
What’s the Issue?
Security researchers recently flagged a severe broken access control issue in Post SMTP, a plugin used for email delivery on more than 400,000 active WordPress installations. Tracked as CVE-2025-24000, the flaw lets any authenticated user, down to the lowest-privilege Subscriber role, read data that should be reserved for administrators. The root cause is a classic one: the affected REST endpoints confirmed only that the requester was logged in, not that they held an administrative capability, so authentication was mistaken for authorization.
What Can Attackers Do?
According to Patchstack, the firm that helped disclose the flaw, an attacker holding nothing more than a Subscriber account can:
- View email stats and logs
- Resend previously sent emails
- Access email bodies, including admin password reset links
Chained together, that is a full takeover. The attacker requests a password reset for an administrator account from the normal login page, the plugin logs the outgoing reset email including its body, the attacker reads the reset link from that log and sets a new password. No password cracking and no existing admin access are required.
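The permission pattern behind a bug of this kind is easy to see in code. The block below is an added illustration written for this post, not Post SMTP's own source: it registers two WordPress REST routes serving a constructed sample "email log", one guarded by a check that only asks whether someone is logged in and one guarded by a capability check. The namespace `example/v1`, the routes, function names and the log entry are all made up for the example, and it assumes it is loaded as a WordPress mu-plugin on a development site.

```php
<?php
/**
 * Illustrative example only (not the plugin's code): the same REST
 * handler behind a weak permission_callback and a hardened one.
 * Assumes WordPress is loaded (drop this file into wp-content/mu-plugins/).
 */

// Constructed sample data standing in for what a mail-logging plugin stores.
// A real log would hold whatever the site actually sent, reset links included.
function example_email_log_entries() {
    return array(
        array(
            'id'      => 1,
            'to'      => 'admin@example.test',
            'subject' => '[Example] Password Reset',
            'body'    => 'Reset your password: https://example.test/wp-login.php?action=rp&key=...',
        ),
    );
}

// WEAK pattern: authentication mistaken for authorization.
// Every account that can log in, including a Subscriber, passes this check.
function example_logs_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// HARDENED pattern: require a capability only administrators hold.
// rest_authorization_required_code() yields 401 for anonymous callers
// and 403 for logged-in callers who lack the capability.
function example_logs_permission_strict( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view the email log.', 'example' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Shared handler: the data itself is the same, only the gate differs.
function example_logs_handler( WP_REST_Request $request ) {
    return rest_ensure_response( example_email_log_entries() );
}

add_action( 'rest_api_init', function () {
    // Both routes are registered so the difference can be observed on a
    // dev site; a real plugin would ship only the hardened one.
    register_rest_route( 'example/v1', '/logs-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_logs_handler',
        'permission_callback' => 'example_logs_permission_weak',
    ) );
    register_rest_route( 'example/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_logs_handler',
        'permission_callback' => 'example_logs_permission_strict',
    ) );
} );
```

To see the difference, log in to the dev site as a Subscriber and call `/wp-json/example/v1/logs-weak` with the logged-in cookies and a `wp_rest` nonce in the `X-WP-Nonce` header: the sample log, reset link and all, comes back. The same request to `/wp-json/example/v1/logs` gets a 403 `rest_forbidden` response. The lesson for plugin authors is that `is_user_logged_in()` is never a sufficient `permission_callback` for administrative data; for site owners it is the reason the only real fix is the vendor's patch.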
Has It Been Fixed?
Yes. The vulnerability was patched on June 11 with the release of Post SMTP version 3.3.0. The plugin's own download statistics tell a worrying story, though: less than half of active installations are running the patched version, leaving more than 200,000 websites exposed. Anything older than 3.3.0 is affected.
Why It Matters
WordPress powers over 40% of the web, and plugins are one of its greatest strengths—but also a major security risk. Vulnerabilities like this are often exploited by threat actors to deface sites, steal data, or distribute malware. The takeaway? Keeping plugins updated is not optional—it’s essential.
How to Stay Safe
- Update Post SMTP to 3.3.0 or later immediately; no configuration change substitutes for the patch
- Audit all active plugins regularly, and remove any you no longer use
- Use security tools like Wordfence or Sucuri to get alerted when a plugin you run has a known vulnerability
- Limit what low-privilege accounts can reach: disable open user registration if you do not need it, and ask whether you need email logging at all, since a log that stores full message bodies is exactly where password reset links end up
Final Thought
It only takes one outdated plugin to compromise your entire website. Are your WordPress plugins up to date? Let us know what steps you’re taking to stay secure—or share this with someone who might need a reminder.