
400,000 WordPress Websites Exposed by Post SMTP Plugin Vulnerability


A critical security vulnerability has been discovered in the popular Post SMTP plugin for WordPress, potentially exposing over 400,000 websites to account takeover attacks.

The vulnerability, tracked as CVE-2025-24000, affects versions 3.2.0 and below of the plugin. According to a report by Patchstack, it allows even low-privileged users to access sensitive email data and ultimately gain administrative control of affected websites.

Vulnerability Details and Impact

The Post SMTP plugin, developed by Saad Iqbal of WPExperts, serves as an email delivery solution that enables site owners to configure custom mailer services with features including email logging, DNS validation, and OAuth support.

However, a fundamental flaw in the plugin’s access control mechanism has created a significant security risk for its substantial user base.
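The article does not say where in the plugin the authorization check was missing. The following is an added, illustrative example (not the Post SMTP plugin's own code, with hypothetical route and function names) of the access-control shape described above: a WordPress REST endpoint guarding an email log that only verifies the caller is logged in, beside the hardened form that requires an administrative capability.

```php
<?php
// Illustrative WordPress REST endpoint that exposes an email log.
// Namespace, route and function names are hypothetical; this is not
// the Post SMTP plugin's code.

// Weak pattern: any authenticated user, including a Subscriber, passes.
// This is the broken-access-control shape that lets low-privileged
// accounts read data meant for administrators.
function weak_log_permission( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened pattern: require a capability that only administrators hold
// by default, and return a 403 for everyone else.
function strict_log_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to read email logs.',
            array( 'status' => 403 )
        );
    }
    return true;
}

function example_get_email_logs( WP_REST_Request $request ) {
    // Constructed placeholder data; a real handler would query the
    // plugin's own log storage.
    $logs = array(
        array( 'id' => 1, 'to' => 'user@example.com', 'subject' => 'Welcome' ),
    );
    return new WP_REST_Response( $logs, 200 );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_email_logs',
        // The capability check is the mitigation; a permission_callback
        // that only tests is_user_logged_in() is insufficient here.
        'permission_callback' => 'strict_log_permission',
    ) );
} );
```

When reviewing a plugin for this class of bug, check every `permission_callback` (and every AJAX or admin-post handler) for a capability test rather than a mere login test.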

Field                Details
CVE ID               CVE-2025-24000
Vulnerability Type   Broken Access Control / Account Takeover
CVSS Score           Not yet assigned
Severity             Critical
Affected Software    Post SMTP WordPress Plugin
Affected ...

Copyright of this story solely belongs to gbhackers.