NEWS One-Click Root: Bug in Popular Plugin Turns Subscribers into Admins

ExcalibuR


Just a few lines of code put half a million websites at risk.


Over 200,000 WordPress websites remain vulnerable due to a critical flaw in the popular Post SMTP plugin, which allows attackers to gain full control over an administrator account. The vulnerability, assigned CVE-2025-24000, affects all plugin versions up to and including 3.2.0. At the time of publication, fewer than half of all installations using the component had applied the fix.


Post SMTP is a plugin designed to ensure reliable email delivery from WordPress sites, replacing the default wp_mail() function. With over 400,000 installations, it's one of the most widely used plugins in its category. However, in May 2025, security researchers from PatchStack received a report highlighting a flaw in the plugin’s REST API: it lacked proper access control logic. Instead of verifying user roles or capabilities, the system only checked whether a user was logged in — allowing even low-privilege users like subscribers to access protected resources.


Specifically, a subscriber could trigger an administrator password reset and intercept the reset email via exposed email logs, which had no proper access restrictions. This opened a clear path to seizing control of the admin panel without exploiting any external vulnerabilities or requiring physical access to the server.


Security isn’t optional — it’s essential.

The issue was reported to the plugin's developer, Saad Iqbal, on May 23. Within three days, he released an updated version of the get_logs_permission function, implementing proper user permission checks before granting access to the API. The patched version, 3.3.0, was officially published on June 11.


Despite the availability of the fix, statistics from WordPress.org reveal a troubling reality: over 51% of websites are still running vulnerable versions. The situation is especially dangerous for users on the 2.x branch, where an estimated 96,800 sites remain exposed — not only to CVE-2025-24000, but also to several other known security flaws.


This incident highlights a systemic weakness in the WordPress ecosystem: even critical security updates are not applied promptly. Given the ease of exploitation and the plugin’s widespread usage, continued and increasingly large-scale attacks on unpatched sites are expected.


Immediate action is required: update to version 3.3.0 or higher without delay.
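The access-control weakness described above is a classic WordPress REST API mistake: a `permission_callback` that only asks "is this user logged in?" instead of "does this user hold the capability this data requires?". The following is an added illustration, not the Post SMTP plugin's actual code and not the author's; the route namespace `example-mailer/v1`, the function names `example_mailer_logs_permission` and `example_mailer_get_logs`, and the sample log entry are all hypothetical. It shows the weak check beside a hardened one that gates email-log access behind the `manage_options` capability, which by default only administrators hold.

```php
<?php
// Illustrative example (not Post SMTP's code): how a WordPress REST route's
// permission_callback decides who may read a plugin's email logs.
// The namespace, route names and log-reading function are hypothetical.

add_action( 'rest_api_init', function () {

    // WEAK: any authenticated user, including a subscriber, passes this check.
    // Being logged in is not the same as being authorised to read admin data.
    register_rest_route( 'example-mailer/v1', '/logs-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => function () {
            return is_user_logged_in();
        },
    ) );

    // HARDENED: require a capability only administrators hold by default.
    // Email logs can contain password-reset links, so treat them as admin data.
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => 'example_mailer_logs_permission',
    ) );
} );

/**
 * Permission check for the logs endpoint (hypothetical name).
 * Returns true only for users with manage_options; otherwise a WP_Error that
 * the REST server turns into 401 (not logged in) or 403 (logged in, no rights).
 */
function example_mailer_logs_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in.',
            array( 'status' => 401 )
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Insufficient permissions to read email logs.',
            array( 'status' => 403 )
        );
    }
    return true;
}

/**
 * Route callback (hypothetical): return stored log entries. A real plugin
 * would read its own database table; this returns one constructed entry.
 */
function example_mailer_get_logs( WP_REST_Request $request ) {
    $logs = array(
        array(
            'to'      => 'admin@example.test',   // constructed sample value
            'subject' => 'Password Reset',
            'sent'    => '2025-06-01T10:00:00Z',
        ),
    );
    return rest_ensure_response( $logs );
}
```

To confirm a fix of this kind on your own site, request the logs route while authenticated as a subscriber-role test account and check that the response is HTTP 403 rather than log data; an administrator account should still receive 200. Since WordPress 5.5 a route registered without any `permission_callback` triggers a `_doing_it_wrong` notice, but a callback that merely returns `is_user_logged_in()` does not, so this is a check that has to be reviewed by hand or covered by a test.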