Full Report
More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account. [...]
Analysis Summary
# Vulnerability: Post SMTP Plugin Broken Access Control Allows Site Hijacking
## CVE Details
- CVE ID: CVE-2025-24000 (taken from context: this is the identifier the report discusses, although no score is explicitly paired with it)
- CVSS Score: Not provided in the text. **Severity is critical given the potential for full site takeover.**
- CWE: CWE-284 (Improper Access Control) or similar access control flaw.
## Affected Systems
- Products: WordPress Plugin 'Post SMTP'
- Versions: All versions up to and including **3.2.0**. (Note: Versions in the 2.x branch are also mentioned as vulnerable to additional flaws).
- Configurations: Any site using an affected version of the Post SMTP plugin.
## Vulnerability Description
The vulnerability is a broken access control flaw in the plugin's REST API endpoints. The affected code only verifies that a user is logged in; it does not check the user's permission level. This allows low-privileged users (such as Subscribers) to reach sensitive API calls, specifically initiating an administrator password reset. Because the plugin's email logs may contain full email content, an attacker who can read those logs can intercept the password reset email, hijack an administrator account, and gain full control of the WordPress site.
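The flaw described above, illustrated in WordPress REST API terms as an added example (constructed here, not the Post SMTP plugin's own code; the `example-smtp/v1` namespace, the function names, the log table layout and the `manage_options` capability are assumptions): a permission callback that only tests `is_user_logged_in()`, beside one that requires an administrator capability and returns a proper authorization error.

```php
<?php
// Constructed example, not Post SMTP's code. The 'example-smtp/v1' namespace,
// the function names, the table layout and 'manage_options' are assumptions.

// Vulnerable pattern: only asks "is someone logged in?". A Subscriber
// passes this check, so a low-privilege account can read stored emails.
function example_smtp_logs_permission_weak(WP_REST_Request $request) {
    return is_user_logged_in();
}

// Hardened pattern: require a capability only administrators hold, and
// return a 401/403 WP_Error so the refusal is visible in server logs.
function example_smtp_logs_permission(WP_REST_Request $request) {
    if (!current_user_can('manage_options')) {
        return new WP_Error(
            'rest_forbidden',
            __('You are not allowed to view email logs.'),
            ['status' => rest_authorization_required_code()]
        );
    }
    return true;
}

// Handler: returns the most recent log entries. It deliberately selects
// metadata only, so full message bodies (and any reset links inside them)
// never leave the database through this endpoint.
function example_smtp_get_logs(WP_REST_Request $request) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_smtp_logs';   // assumed table name
    $limit = (int) $request->get_param('limit');      // validated by 'args'
    $rows  = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, to_email, subject, sent_at FROM {$table} ORDER BY id DESC LIMIT %d",
            $limit
        ),
        ARRAY_A
    );
    return rest_ensure_response(['logs' => $rows]);
}

add_action('rest_api_init', function () {
    register_rest_route('example-smtp/v1', '/logs', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_get_logs',
        // The vulnerable variant would name example_smtp_logs_permission_weak here.
        'permission_callback' => 'example_smtp_logs_permission',
        'args'                => [
            'limit' => ['type' => 'integer', 'default' => 25, 'minimum' => 1, 'maximum' => 100],
        ],
    ]);
});
```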
## Exploitation
- Status: **Likely being actively exploited or high risk of exploitation** given the large number of vulnerable sites and the critical impact (site takeover).
- Complexity: **Low** (if an attacker already has a low-privilege account on the target site).
- Attack Vector: **Network** (via the REST API).
## Impact
- Confidentiality: **High** (Exposure of full email content, including password reset links).
- Integrity: **Critical** (Ability to take over administrator accounts).
- Availability: **High** (Potential for site downtime or malicious content injection following takeover).
## Remediation
### Patches
- **Post SMTP version 3.3.0** (Published June 11) contains the fix.
### Workarounds
- Immediate removal or deactivation of the Post SMTP plugin until mitigation can be applied.
- Restricting access to the REST API endpoints, if feasible, although this is complex for a standard WP install.
## Detection
- **Indicators of Compromise (IoC):** Unexpected administrator password resets, unrecognized changes to email logs, or suspicious activity originating from accounts with Subscriber roles.
- **Detection Methods and Tools:** Monitoring HTTP requests to the Post SMTP REST API endpoints for attempts by unprivileged accounts (e.g. Subscriber role) to reach functions such as `get_logs_permission`. Plugin health checks for version tracking.
## References
- Vendor advisory/Patch release bulletin (Implied from the update to v3.3.0).
- WordPress.org plugin page (for version statistics and download): `wordpress.org/plugins/post-smtp/advanced/`