
Post SMTP Plugin Flaw Allowed Subscribers to Take Over Admin Accounts


If you’re running a WordPress site and rely on the Post SMTP plugin for email delivery, there’s something important you should know. A critical vulnerability affecting versions 3.2.0 and earlier allowed even the lowest-level users, such as Subscribers, to access sensitive data and perform actions they were never supposed to see or perform.

This issue came down to how the plugin handled user permissions in its REST API. The plugin checked only whether a user was logged in, but never asked whether that user had the role or capabilities required to access certain features. As a result, anyone with a basic account could view email logs, resend messages and even read full email content, including password reset messages.
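The distinction the paragraph draws is between authentication (is anyone logged in?) and authorization (does this user hold the capability the feature requires?). The snippet below is an added illustration, not code from the Post SMTP plugin or from the article: it registers the same REST route twice, once with a `permission_callback` that only tests `is_user_logged_in`, and once with a callback that also requires the `manage_options` capability, which only administrators hold by default. The namespace `example-mailer/v1`, the `/logs` route and the handler are hypothetical names chosen for the example.

```php
<?php
/*
 * Added example (not from the Post SMTP plugin or the article).
 * Namespace 'example-mailer/v1', the '/logs' route and the handler
 * example_mailer_get_logs() are hypothetical.
 */

// Hypothetical handler; a real plugin would read its own log table.
function example_mailer_get_logs( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'logs' => array() ) );
}

// Weak pattern: 'is_user_logged_in' tests authentication only, so any
// authenticated account, including a Subscriber, is allowed through.
function example_mailer_register_weak_route() {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => 'is_user_logged_in',
    ) );
}

// Hardened pattern: the permission callback checks a capability.
// rest_authorization_required_code() returns 401 for anonymous requests
// and 403 for logged-in users who lack the capability.
function example_mailer_logs_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view mail logs.', 'example-mailer' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_mailer_register_hardened_route() {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => 'example_mailer_logs_permission',
    ) );
}

// Register only the hardened variant; the weak one is shown for contrast.
add_action( 'rest_api_init', 'example_mailer_register_hardened_route' );
```

The same reasoning applies to every route a plugin exposes, not just log viewing: a cookie-authenticated request carrying a valid `X-WP-Nonce` header proves the user is logged in, nothing more, so each `permission_callback` has to name the capability the action actually needs. A simple check for site owners is to request a plugin's REST routes under `/wp-json/` while logged in as a Subscriber and confirm that privileged ones answer with a 403 rather than data.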

That last part is where things get dangerous. By viewing those password reset emails, a Subscriber-level user could reset the password of an Admin account. From there, they ...


Copyright of this story solely belongs to hackread.com . To see the full text click HERE