Subj : Dangerous WordPress plugin puts over 160,000 sites at risk - here To : All From : TechnologyDaily Date : Mon Jul 28 2025 14:15:09 Dangerous WordPress plugin puts over 160,000 sites at risk - here's what we know Date: Mon, 28 Jul 2025 13:05:00 +0000 Description: A popular WordPress plugin allowed crooks to reset admin accounts and take over a website. FULL STORY ======================================================================Older versions of Post SMTP allowed hackers to read all emails They could also reset the admin password and read the notification email, gaining access to the account More than 160,000 WordPress sites are running the vulnerable version A popular WordPress plugin with hundreds of thousands of active installations carried a vulnerability that allowed threat actors to take over compromised websites, experts have warned. The plugin is called Post SMTP, a tool that replaces WordPresss default email function with an authenticated SMTP method, and currently counts more than 400,000 active installations. Security researchers PatchStack warned an access control mechanism in the plugins REST API endpoint was broken, only verifying if a user was logged in, and not checking whether they had permissions to do certain actions, or not. As a result, low-privileged users were allowed access to email logs with full email contents, meaning they were allowed to initiate a password reset for the admin account, view that email, and then log in as the admin, essentially taking over the site. Patching the bug The bug was first spotted on May 23, and by May 26, it was already assigned a CVE and a severity score - being tracked as CVE-2025-24000, with a medium severity score of 8.8/10. Looking at the download statistics on WordPress.org , 59.8% of all Post SMTP installations are running versions 3.1 and newer, meaning 40.2% of sites are still vulnerable. Since the plugin has more than 400,000 active installations, it means around 160,000 websites can still be taken over using this method. WordPress is the most popular website builder in the world, powering more than half of all sites on the internet and as such, is a popular target for cybercriminals. However, since WordPress is generally considered a secure platform, crooks are focused on plugins and themes which dont have the same level of security or support. That is why most cybersecurity professionals recommend only keeping the plugins and themes that are in use, and always making sure they are up to date. This issue was fixed in version 3.3.0, published on June 11, 2025, so users should update as soon as possible to ensure they stay protected. Via BleepingComputer You might also like Another top WordPress plugin hacked to allow account takeover - stay safe with these tips Take a look at our guide to the best authenticator app We've rounded up the best password managers ====================================================================== Link to news story: https://www.techradar.com/pro/security/dangerous-wordpress-plugin-puts-over-16 0-000-sites-at-risk-heres-what-we-know --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .