Introduction
A significant vulnerability has been identified in the Post SMTP plugin, impacting over 200,000 WordPress sites. This flaw allows attackers to potentially hijack administrator accounts through a broken access control mechanism.
Key Details
- Who: The affected plugin is Post SMTP, developed by Saad Iqbal, with over 400,000 active installations.
- What: The vulnerability, designated CVE-2025-24000, allows low-privileged users to access sensitive email logs and execute password resets for administrator accounts.
- When: The flaw was reported on May 23 and a patch was made available on June 11, when version 3.3.0 was released.
- Where: This issue pertains to WordPress sites globally utilizing the Post SMTP plugin.
- Why: A lack of permission checks in the plugin’s REST API endpoints enables unauthorized access to sensitive functionalities.
- How: Because the endpoints lack permission checks, a subscriber-level user can read the plugin's email logs, retrieve the password-reset email sent to an administrator, and use it to reset that administrator's password, effectively taking control of the admin account.
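The pattern behind the "Why" and "How" items above is a REST route whose permission callback lets any authenticated user through. The following is an added illustration, not code from the Post SMTP plugin: it shows a WordPress REST route registration with the weak permission setting next to a hardened version gated on an administrator capability, plus log redaction as defence in depth. The namespace `example-mailer/v1`, the route paths and every `example_mailer_*` function are hypothetical; the plugin's real endpoint names are not given on the page.

```php
<?php
/**
 * Added example (not the Post SMTP plugin's code). Drop this file into
 * wp-content/mu-plugins/ on a test site to see both routes registered.
 * Namespace, paths and example_mailer_* names are hypothetical.
 */

// Weak pattern: '__return_true' as permission_callback means WordPress never
// checks who is calling. Any logged-in account, including a subscriber, can
// fetch the stored email log and read password-reset messages in it.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs-weak', array(
        'methods'             => 'GET',
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => '__return_true',   // the access-control defect
    ) );
} );

// Hardened pattern: the same route, gated on a capability only administrators
// hold. WordPress rejects the request before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => 'GET',
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => 'example_mailer_can_view_logs',
    ) );
} );

/**
 * Permission callback: subscriber-level accounts lack manage_options, so the
 * subscriber-to-admin-password-reset chain is cut off here.
 */
function example_mailer_can_view_logs( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view the email log.', 'example-mailer' ),
            // 401 for anonymous callers, 403 for logged-in users without the capability
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

/**
 * Hypothetical log source with constructed sample rows, standing in for the
 * plugin's stored email log.
 */
function example_mailer_fetch_log_rows() {
    return array(
        array(
            'to'      => 'admin@example.test',
            'subject' => '[Example Site] Password Reset',
            'body'    => 'Visit the following address to reset your password: https://example.test/wp-login.php?action=rp&key=CONSTRUCTED-SAMPLE-KEY',
        ),
    );
}

/**
 * Route callback: even an authorised viewer only sees metadata. Redacting
 * message bodies means a reset link cannot be lifted from the log at all.
 */
function example_mailer_get_logs( WP_REST_Request $request ) {
    $rows = example_mailer_fetch_log_rows();
    foreach ( $rows as &$row ) {
        $row['body'] = '[redacted]';
    }
    unset( $row );
    return rest_ensure_response( $rows );
}
```

A quick audit check on a test site: call both routes as a subscriber (for example with an application password over `curl`). The `/logs-weak` route returns the rows; the `/logs` route returns a `rest_forbidden` error. The same check, run against a plugin's actual routes, is how a team confirms that a permission callback is in place rather than trusting the version number alone.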
Why It Matters
The implications of this vulnerability extend to various aspects of IT infrastructure:
- Enterprise Security: Organizations using the plugin are at heightened risk of account hijacking, jeopardizing sensitive data.
- Compliance: A breach resulting from this flaw could put an organization in violation of data protection regulations such as GDPR.
- Operational Impact: Vulnerabilities like this can disrupt normal operations, leading to costly downtime and remediation efforts.
Takeaway for IT Teams
IT professionals must ensure that all instances of the Post SMTP plugin are updated to version 3.3.0 or later. Routine audits of plugins and monitoring for vulnerabilities can further safeguard against similar future threats.
For more curated news and infrastructure insights, visit TrendInfra.com.