A popular email delivery WordPress plugin is affected by a critical vulnerability that can be exploited to take full control of affected websites.
The impacted plugin is Post SMTP, which is actively used on more than 400,000 WordPress websites for sending emails.
A researcher discovered in May that the plugin is affected by a severe broken access control issue allowing any registered user, including subscribers, to gain access to sensitive data. The security hole is tracked as CVE-2025-24000.
According to WordPress security firm Patchstack, which coordinated the disclosure of the flaw, an attacker can exploit the vulnerability to view email statistics, resend emails, and access email logs, which include the body of the email.
These email logs can include password reset emails sent to any user, including administrators, which allows the attacker to reset the password for such accounts and take full control of the targeted website.
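To show the bug class the article describes, here is an added illustration (not Post SMTP's code, and not the plugin's actual route): a WordPress REST route exposing an email log whose permission check only verifies that a user is logged in, beside the corrected form that requires an administrative capability. The namespace, route, callback and table names are assumptions for this example.

```php
<?php
// Added example: broken access control on a WordPress REST route that
// serves an email log. Names below are hypothetical, not Post SMTP's.

// VULNERABLE pattern: permission_callback only checks that *some* user is
// authenticated, so a subscriber-level account passes and can read every
// logged message, including password reset emails sent to administrators.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => 'GET',
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => function () {
            return is_user_logged_in(); // any role, including subscriber
        },
    ) );
} );

// HARDENED pattern: authorisation, not just authentication. Only users with
// the manage_options capability (administrators by default) may read logs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs-secure', array(
        'methods'             => 'GET',
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// Shared handler. It returns metadata only; the message body (where the
// password reset link lives) is not exposed through the API at all, which
// limits the damage even if the permission check is ever bypassed.
function example_mailer_get_logs( WP_REST_Request $request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_mail_log'; // hypothetical log table
    $rows  = $wpdb->get_results(
        "SELECT id, to_email, subject, sent_at FROM {$table} ORDER BY sent_at DESC LIMIT 50",
        ARRAY_A
    );
    return rest_ensure_response( $rows );
}
```

When auditing a plugin for this class of issue, look for REST routes, AJAX handlers and admin pages whose only gate is `is_user_logged_in()` or a nonce check; neither proves the caller is allowed to see administrative data.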
Post SMTP developers patched the vulnerability on June 11 with the release of version 3.3.
Data from Post SMTP's statistics page on WordPress.org shows that less than half of the more than 400,000 active installations have been updated to version 3.3, which means that more than 200,000 websites may still be vulnerable to attacks.
It's important that WordPress website administrators keep their plugins up to date, as threat actors often exploit plugin and theme vulnerabilities to hack sites.
Related: Hackers Inject Malware Into Gravity Forms WordPress Plugin
Related: Forminator WordPress Plugin Vulnerability Exposes 400,000 Websites to Takeover
Related: Second OttoKit Vulnerability Exploited to Hack WordPress Sites