Critical vulnerability in Post SMTP plugin risks full site takeover; over 400k sites use it, and nearly half remain unpatched.

A critical vulnerability, tracked as CVE-2025-24000 (CVSS score of 8.8), in the Post SMTP WordPress plugin, used by 400k sites, allows full site takeover. Post SMTP is an email delivery plugin that lets site owners configure custom mailer services, and includes tooling such as email logging, DNS validation, and OAuth support to make sending email through WordPress easier. The plugin was designed by Saad Iqbal of WPExperts.

The flaw affects plugin versions up to and including v3.2.0 and allows Subscriber+ users to access REST API endpoints without proper privilege checks. An attacker can exploit this vulnerability to view email logs and intercept password reset emails, leading to full admin account takeover and site compromise.

“The ability to access this detailed information allows a Subscriber-level user to intercept any email sent by the WordPress website, including password reset emails to any user. Using this information, a low-privileged user is able to take over an Administrator-level account, leading to a full site takeover,” reads the report published by Patchstack. “The underlying vulnerability exists in the get_logs_permission function:”

The issue has been fixed in v3.3.0, and users are urged to update immediately. At the time of this writing, about 51% of the websites using this plugin still run a vulnerable version.

Pierluigi Paganini
(SecurityAffairs – hacking, WordPress plugin)
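The class of bug described above is a REST route whose `permission_callback` confirms only that a user is logged in, rather than that the user holds a capability appropriate for reading email logs. The snippet below is an added illustration written for this article; it is not Post SMTP's code and not taken from Patchstack's report. The namespace `example-mailer/v1`, the route names, the `example_mailer_*` functions and the `manage_options` capability are assumptions chosen to show the weak permission check beside a hardened one using the standard WordPress REST API functions.

```php
<?php
/**
 * Added example (not Post SMTP's code): one email-log REST route registered
 * twice, to contrast a weak permission callback with a proper one.
 * Route names, callbacks and the capability are hypothetical.
 */

add_action( 'rest_api_init', function () {

    // WEAK: only checks that *some* user is logged in. Any Subscriber-level
    // account passes, so the log (and any password reset mail recorded in it)
    // is readable by the lowest privilege level on the site.
    register_rest_route( 'example-mailer/v1', '/logs-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => function () {
            return is_user_logged_in();
        },
    ) );

    // HARDENED: require a capability that only administrators hold by default.
    // Email logs carry message bodies, so gate them like other admin-only data.
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => 'example_mailer_logs_permission',
        'args'                => array(
            'page' => array(
                'default'           => 1,
                'sanitize_callback' => 'absint', // coerce to a non-negative int
            ),
        ),
    ) );
} );

/**
 * Permission callback for the hardened log endpoint. Returning a WP_Error
 * instead of plain false lets the REST API answer with a clear 401/403.
 */
function example_mailer_logs_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view email logs.', 'example-mailer' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

/**
 * Route handler shared by both registrations. The rows are constructed
 * sample data standing in for a real log table.
 */
function example_mailer_get_logs( WP_REST_Request $request ) {
    $page        = (int) $request->get_param( 'page' );
    $sample_logs = array( // constructed sample rows, not real messages
        array( 'id' => 1, 'to' => 'user@example.com', 'subject' => 'Welcome' ),
    );
    return rest_ensure_response( array(
        'page' => $page,
        'logs' => $sample_logs,
    ) );
}
```

The difference that matters is the authorization question each callback asks: `is_user_logged_in()` answers "is this any account?", while `current_user_can( 'manage_options' )` answers "does this account hold the capability this data requires?". When auditing a plugin, the `permission_callback` of every `register_rest_route()` call is the place to look for the former pattern (or for `__return_true`), and the fix is to tie the route to a capability matched to the sensitivity of what it returns.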