Flaw Allowing Website Takeover Found in WordPress Plugin With 400k Installations - SecurityWeek
The popular Post SMTP WordPress plugin, used by over 400,000 websites for email delivery, contains a critical vulnerability (CVE-2025-24000) that allows any registered user to gain full control of a site. The broken access control flaw lets attackers read the plugin's email logs, which include password reset emails; with a captured reset link they can reset an administrator's password and take over the entire website. Although the developers patched the vulnerability in version 3.3 on June 11, data shows that fewer than half of the 400,000+ active installations have updated, leaving over 200,000 websites potentially exposed to exploitation.
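The root cause described above is authorization, not authentication: being a registered user is not the same as being allowed to read sensitive logs. The following is an added illustration of that bug class and its fix in WordPress terms; it is not the Post SMTP plugin's own code, and the route namespace, function names and the sample log entry are all hypothetical.

```php
<?php
// Added illustration (not the Post SMTP plugin's code): a REST endpoint that
// exposes a hypothetical email log, registered first the weak way, then hardened.

// Hypothetical log reader; a real plugin would query its log table here.
function example_get_email_log() {
    return array(
        array(
            'to'      => 'admin@example.test',
            'subject' => 'Password Reset',
            'body'    => '...reset link would be here...',
        ),
    );
}

// WEAK: is_user_logged_in() proves authentication only. Any subscriber-level
// account passes this check, which is the class of flaw the article describes.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/email-log-weak', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_email_log',
        'permission_callback' => function () {
            return is_user_logged_in();
        },
    ) );
} );

// HARDENED: require an administrator-level capability, return a proper 403 to
// everyone else, and never hand out message bodies that may contain reset links.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/email-log', array(
        'methods'             => 'GET',
        'callback'            => function () {
            $log = example_get_email_log();
            foreach ( $log as &$entry ) {
                unset( $entry['body'] ); // redact; metadata is enough for troubleshooting
            }
            unset( $entry );
            return rest_ensure_response( $log );
        },
        'permission_callback' => function () {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                'Administrator access required.',
                array( 'status' => 403 )
            );
        },
    ) );
} );
```

Until a site is on version 3.3 or later, the practical mitigations are updating the plugin, reviewing the email log for reset messages that were sent to administrator accounts, and rotating administrator credentials if anything looks out of place.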