Post SMTP Plugin Flaw Allowed Subscribers to Take Over Admin Accounts

If you’re running a WordPress site and rely on the Post SMTP plugin for email delivery, there’s something important you should know. A critical vulnerability affecting versions 3.2.0 and earlier allowed even the lowest-level users, like Subscribers, to access sensitive data and actions they were never supposed to see or perform.
This issue came down to how the plugin handled user permissions in its REST API. The plugin checked only if a user was logged in, but didn’t ask whether that user had the proper role or capabilities to access certain features. This meant that anyone with a basic account could view email logs, resend messages and even access full email content, including password reset messages.
That last part is where things get dangerous. By viewing those password reset emails, a Subscriber-level user could reset the password of an Admin account. From there, they’d have full control over the site. This kind of account takeover risk is about as bad as it gets for any site relying on WordPress.
According to Patchstack’s report, the fix arrived in version 3.3.0, where the plugin’s developers updated the get_logs_permission function. Instead of just checking whether a user is logged in, it now confirms whether they have the manage_options capability, which typically belongs only to Admins. That change closed the door on the broken access controls and stopped the account takeover threat.
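The permission mistake described above, as an added illustration rather than Post SMTP’s own code: a hypothetical plugin registers an email-log route with the WordPress REST API, with the weak "any logged-in user" check shown beside the capability check the fix introduced. The route namespace, option name and function names are assumptions for the example.

```php
<?php
// Added example (not the Post SMTP plugin's code): a hypothetical mailer plugin
// exposing an email-log endpoint, showing the weak permission_callback the
// article describes next to the hardened one. Namespace, option key and
// function names are invented for illustration.

add_action( 'rest_api_init', function () {
    // BEFORE (the flaw): every authenticated user passes, Subscribers included,
    // because is_user_logged_in() never inspects roles or capabilities.
    $weak_permission = function ( WP_REST_Request $request ) {
        return is_user_logged_in();
    };

    // AFTER (the approach the 3.3.0 fix takes): require the manage_options
    // capability, which on a default install only Administrators hold.
    $hardened_permission = function ( WP_REST_Request $request ) {
        if ( current_user_can( 'manage_options' ) ) {
            return true;
        }
        // 401 for anonymous callers, 403 for logged-in users lacking the capability.
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view email logs.', 'example-mailer' ),
            array( 'status' => rest_authorization_required_code() )
        );
    };

    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs', // returns stored message bodies
        'permission_callback' => $hardened_permission,      // was: $weak_permission
    ) );
} );

// Hypothetical log reader: this is the kind of handler that, behind the weak
// check, handed full email content (password-reset mails included) to any
// account that could authenticate.
function example_mailer_get_logs( WP_REST_Request $request ) {
    $logs = get_option( 'example_mailer_logs', array() );
    return rest_ensure_response( $logs );
}
```

To confirm the check on your own site, request the route while logged in as a Subscriber: a 403 response shows the capability check is in effect, while a 200 with log content means the weak pattern is still live.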
The vulnerability, now tracked as CVE-2025-24000, was originally reported by Denver Jackson through Patchstack’s Zero Day program. The responsible disclosure was made on May 23, 2025, and by June 11, the patched version of Post SMTP was publicly released.
If you’re using this plugin and haven’t updated yet, make sure you’re running version 3.3.0 or higher. Any site with open registration, whether for comments, eCommerce or memberships, is especially at risk if this vulnerability remains unpatched. It’s one of those cases where a small oversight in permissions logic opened up access to highly sensitive data that should never be visible to most users.
HackRead