400,000 WordPress Sites at Risk: Critical Plugin Flaw Exposed

Vijay Shekhawat

Software Architect

July 28, 2025 3 min read

A serious vulnerability, known as CVE-2025-24000, has been identified in the Post SMTP WordPress plugin, which is utilized by over 400,000 websites. This vulnerability allows low-privileged users to take control of administrator accounts due to broken access controls in the plugin’s REST API. The flaw, rated with a CVSS score of 8.8, has been addressed in version 3.3.0 of the plugin.

[Image: WordPress Vulnerability, Post SMTP. Image courtesy of Patchstack]

Patchstack reported that the vulnerability stems from the plugin’s get_logs_permission function, which inadequately verifies user privileges. This oversight permits even basic users to perform critical actions such as:

  • Viewing full email logs, including message bodies
  • Resending previously sent emails
  • Viewing email count statistics

The most critical risk is the potential for low-privileged users to intercept password reset emails, leading to an administrative account takeover. Administrators must upgrade to version 3.3.0 or later promptly to mitigate this risk. For further details, see Patchstack.
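As an added illustration of the bug class described above (constructed for this article; it is not the Post SMTP plugin's code and not taken from the Patchstack write-up), the two shapes a WordPress REST permission callback can take: the vulnerable one only asks whether the caller is logged in, so a subscriber-level account passes it and can read every logged message body; the hardened one demands a capability that only administrators hold. The `example/v1` namespace, the function names and the `example_email_logs` option key are assumptions made for the example.

```php
<?php
/**
 * Constructed illustration of a REST route that exposes stored email logs.
 * Hypothetical names: vuln_logs_permission, hardened_logs_permission,
 * example_get_logs, the 'example/v1' namespace and the 'example_email_logs' option.
 */

// Vulnerable shape: "is the caller logged in?" is authentication, not
// authorization. Any registered user, including a subscriber, passes this.
function vuln_logs_permission( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened shape: require an administrator-only capability and return a
// WP_Error so the client receives 401/403 rather than a silent false.
function hardened_logs_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view email logs.', 'example' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Route handler: returns the stored log entries (hypothetical option key).
// Because these entries may contain password-reset links, the permission
// callback above is the only thing standing between them and a low-privileged user.
function example_get_logs( WP_REST_Request $request ) {
    $logs = get_option( 'example_email_logs', array() );
    return rest_ensure_response( $logs );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_logs',
        // Swap in 'vuln_logs_permission' to reproduce the broken behaviour.
        'permission_callback' => 'hardened_logs_permission',
    ) );
} );
```

When auditing a plugin for this class of flaw, review every `register_rest_route` call and treat a `permission_callback` of `__return_true` or a bare `is_user_logged_in()` on a route that reads or replays sensitive data as a finding; the capability checked should match the sensitivity of what the route returns. Logging full message bodies also deserves a second look: if password-reset emails are never stored, an authorization slip in the log viewer cannot hand an attacker an administrator account.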

Vulnerabilities in POST SMTP Mailer Plugin

Security researchers have uncovered two significant vulnerabilities in the POST SMTP Mailer plugin, which is used by over 300,000 websites. The first flaw enables attackers to reset the authentication API key and access sensitive logs, including password reset emails. This allows a malicious actor to gain unauthorized access and potentially publish harmful content or lock out legitimate users.

The second vulnerability allows script injection into web pages. Researchers notified the plugin developers on December 8, 2023, and they released a patch on January 1, 2024. However, approximately 150,000 sites remain at risk as only 53% of installations have updated. To check plugin statistics, visit the WordPress documentation.

Orbit Fox Plugin Vulnerabilities

The Orbit Fox plugin has two critical vulnerabilities that could lead to site takeovers. The first is a privilege escalation flaw, rated 9.9 on the CVSS scale. It allows authenticated users with lower-level access to elevate their privileges to administrator status. The second vulnerability involves an authenticated stored XSS issue, permitting attackers to inject malicious JavaScript into posts.

[Image: Orbit Fox WordPress Bug. Image courtesy of Threatpost]

The privilege escalation flaw is associated with the registration widget, which enables site administrators to set user roles. Developers need to enable server-side protections to prevent unauthorized role changes. The XSS vulnerability allows lower-level users to execute harmful scripts that could redirect visitors or create new administrative accounts.

Both vulnerabilities were patched in version 2.10.3, and sites running versions 2.10.2 and below should update as soon as possible. For further reading, visit Wordfence.
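The following is an added example of the server-side protection the previous section calls for; it is constructed for this article and is not Orbit Fox's code. A registration widget lets a site administrator choose the role new sign-ups receive, so the server must resolve that role from the administrator's saved setting, never from the submitted form, and must refuse any role outside a short allow-list. The function names, the `example_widget_role` option and the `example_register` nonce action are assumptions made for the example; the output-escaping in the last function shows the same server-side principle applied to the stored-XSS class.

```php
<?php
/**
 * Constructed illustration of server-side role validation for a registration widget.
 * Hypothetical names: example_allowed_roles, example_resolve_role,
 * example_register_user, example_widget_form_html, the 'example_widget_role'
 * option and the 'example_register' nonce action.
 */

// Roles a public widget may hand out. 'administrator' and 'editor' are
// deliberately absent: nothing reachable from an unauthenticated form should mint them.
function example_allowed_roles() {
    return array( 'subscriber', 'contributor' );
}

// Resolve the role from the administrator-configured setting only. A stored
// value outside the allow-list (tampered or stale) falls back to the site default.
function example_resolve_role( $configured_role ) {
    $role = sanitize_key( (string) $configured_role );
    if ( ! in_array( $role, example_allowed_roles(), true ) ) {
        $role = get_option( 'default_role', 'subscriber' );
    }
    return $role;
}

// Registration handler. Any 'role' field in $post is ignored on purpose:
// only the saved widget setting, filtered through the allow-list, decides the role.
function example_register_user( array $post ) {
    if ( ! isset( $post['_wpnonce'] ) || ! wp_verify_nonce( $post['_wpnonce'], 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    $login = sanitize_user( $post['user_login'] ?? '', true );
    $email = sanitize_email( $post['user_email'] ?? '' );
    if ( '' === $login || ! is_email( $email ) ) {
        return new WP_Error( 'bad_input', 'Username or email invalid.' );
    }
    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => example_resolve_role( get_option( 'example_widget_role' ) ),
    ) );
}

// Widget output: every stored string is escaped at the point of output, so a
// value saved by a lower-privileged user cannot become script in visitors' browsers.
function example_widget_form_html( $label ) {
    return '<form method="post">'
        . wp_nonce_field( 'example_register', '_wpnonce', true, false )
        . '<label>' . esc_html( $label ) . ' <input name="user_login"></label>'
        . '<input name="user_email" type="email">'
        . '<button>' . esc_html__( 'Register', 'example' ) . '</button></form>';
}
```

The setting that feeds `example_widget_role` should itself be writable only by users holding `promote_users`, and the same allow-list should be enforced when it is saved, so that the server never trusts either the public form or a lower-privileged editor of the widget configuration.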

Importance of Regular Updates

Maintaining regular updates for plugins is crucial for website security. Vulnerabilities in WordPress plugins can lead to severe consequences, including full site takeovers. It is imperative for site administrators to check for updates frequently and ensure that they are utilizing the latest versions to protect against potential exploits.

For organizations looking to enhance their cybersecurity marketing, GrackerAI offers tools such as faster CVE databases, breach trackers for lead generation, and interactive tools optimized for SEO. Take advantage of GrackerAI's services today by visiting GrackerAI to start your free trial.

Principal architect behind GrackerAI's self-updating portal infrastructure that scales from 5K to 150K+ monthly visitors. Designs systems that automatically optimize for both traditional search engines and AI answer engines.
