Over 200,000 websites running a vulnerable version of a popular WordPress plugin could be at risk of being hijacked by hackers.
The Post SMTP plugin is an add-on used by approximately 400,000 WordPress-powered websites to improve the reliability and security of their email delivery. The plugin has proven popular in part because of its marketing that presents it as a more reliable and full-featured replacement to the default email functionality built into WordPress.
According to a report by Patchstack, an ethical hacker responsibly disclosed a serious vulnerability in the Post SMTP plugin.
The flaw allowed website users who should only have low privileges, such as Subscribers, to intercept any email sent by the WordPress website, including password reset emails to any user. Using this information, a low-privileged user would be able to seize control of an Administrator-level account, leading to a full site takeover.
Saad Iqbal of WPExperts, the developer of the plugin, took the report seriously and provided a potential patch within three days, which was confirmed to resolve the vulnerability. The flaw was assigned the identifier CVE-2025-24000.
On June 11, Iqbal released version 3.3.0 of the Post SMTP plugin, which included the patch for the flaw.
You might think this is a happy ending to the story - but it's not.
You see, the problem is that according to WordPress.org, only 49.1% of the plugin's 400,000+ active installations have updated themselves to the fixed version 3.3.0.
As Bleeping Computer reports, a worrying 24.2% of sites (almost 100,000) are still running Post SMTP version 2.x.x - which leaves them open to even more known vulnerabilities and security flaws.
So, what can you do?
Well, first things first. If you administer a WordPress website, update its plugins.
Any out-of-date plugins can be updated by visiting your wp-admin dashboard inside WordPress. You can even, if you are comfortable, set WordPress plugins to automatically update when new versions become available.
Furthermore, ask yourself what you are doing to harden your website and WordPress installation. For instance, are you restricting access to your website's admin interface to specific IP addresses? Do you have multi-factor authentication in place? Have you checked what plugins and themes you have installed on your website, and removed any that are no longer required?
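Two of the steps above (automatic plugin updates and restricting the admin interface to known addresses) can be enforced from a small must-use plugin. The following is an added example written for this article; it is not code from the article, from WPExperts or from Post SMTP. The allowlist addresses, the function names and the `EXAMPLE_` constant are assumptions chosen for illustration. It relies only on WordPress core hooks (`auto_update_plugin`, `admin_init`, `login_init`) and the `wp_doing_ajax()` and `wp_die()` functions.

```php
<?php
/**
 * Plugin Name: Example WP Hardening (added example, not part of the article or Post SMTP)
 * Description: Turns on automatic plugin updates and limits wp-admin and wp-login.php
 *              to an IP allowlist.
 *
 * Place this file in wp-content/mu-plugins/ ; must-use plugins load on every request
 * and cannot be deactivated from the dashboard, so the controls stay in force.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never run outside WordPress.
}

// 1. Auto-update every installed plugin when WordPress.org publishes a new version.
//    Core asks this filter whether a given plugin may be updated automatically.
add_filter( 'auto_update_plugin', '__return_true' );

// 2. Allowlist for the admin interface and the login page.
//    Constructed documentation-range addresses; replace with your office or VPN ranges.
//    Caveat: behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so the
//    web server must restore the real client address before this check is trustworthy.
const EXAMPLE_ADMIN_ALLOWLIST = array(
    '203.0.113.10',     // single address
    '198.51.100.0/24',  // whole network
);

/**
 * Return true when an IPv4 address matches a single address or a CIDR range.
 * IPv4 only in this example; anything unparsable is treated as not allowed.
 */
function example_ip_in_cidr( $ip, $cidr ) {
    if ( false === strpos( $cidr, '/' ) ) {
        return $ip === $cidr;
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( false === $ip_long || false === $subnet_long ) {
        return false;
    }
    $mask = -1 << ( 32 - (int) $bits );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

/**
 * Refuse admin and login requests from addresses outside the allowlist.
 * Runs on admin_init (wp-admin pages) and login_init (wp-login.php).
 */
function example_block_unlisted_admin_access() {
    // admin-ajax.php also triggers admin_init; visitor-facing AJAX must keep working.
    if ( wp_doing_ajax() ) {
        return;
    }
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( EXAMPLE_ADMIN_ALLOWLIST as $entry ) {
        if ( example_ip_in_cidr( $remote, $entry ) ) {
            return; // Allowed; let WordPress continue.
        }
    }
    // Record the attempt for monitoring, then answer with a generic 403.
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    error_log( sprintf( 'Blocked admin/login access from %s to %s', $remote, $uri ) );
    wp_die( 'Access to this area is restricted.', 'Forbidden', array( 'response' => 403 ) );
}
add_action( 'admin_init', 'example_block_unlisted_admin_access' );
add_action( 'login_init', 'example_block_unlisted_admin_access' );
```

Test the allowlist from an allowed address before relying on it, because a mistake locks you out of the dashboard too (the file can then be removed over SFTP or SSH). Auto-updates apply to every plugin, so keep backups and watch the update log for failures; for sites where a broken update is unacceptable, a staged rollout is the alternative, not leaving a known-vulnerable version in place.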
Patching is obviously sensible and should be undertaken at the earliest opportunity, but never forget that additional layers of protection can go beyond patches – and perhaps be more proactive in defending your systems from attack.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
May 16, 2025