Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks

Over 200,000 WordPress sites remain vulnerable to a security flaw in the Post SMTP plugin that could allow attackers to hijack administrator accounts. The vulnerability, tracked as CVE-2025-24000, stems from broken access controls and was fixed in version 3.3.0, but many sites have not yet updated.

Key points

  • The Post SMTP plugin is used by over 400,000 WordPress websites for email delivery.
  • The vulnerability allows low-privilege users to access sensitive email logs and potentially hijack admin accounts.
  • The security flaw was reported on May 23 and fixed in version 3.3.0 released on June 11.
  • Fewer than half of the plugin's users have updated to the patched version, leaving many sites exposed.
  • Over 96,800 sites still run the outdated 2.x versions, increasing their risk of attack.

Read More: https://www.bleepingcomputer.com/news/security/post-smtp-plugin-flaw-exposes-200k-wordpress-sites-to-hijacking-attacks/