CVE-2025-24000: 
WordPress vulnerability analysis and mitigation

The Post SMTP WordPress plugin, installed on over 400,000 websites, contains a critical authentication bypass vulnerability tracked as CVE-2025-24000. The vulnerability affects versions 3.2.0 and below, and has been assigned a CVSS score of 8.8 (High). The issue was discovered in May 2025 and has been patched in version 3.3.0 (Patchstack, Security Online).

The vulnerability stems from broken access control in the plugin's REST API endpoints. The root cause lies in the getlogspermission function, which only validates if a user is logged in without checking for appropriate privileges. This implementation flaw exists in the plugin's permission validation mechanism, where the function simply returns isuserlogged_in() without any additional privilege checks (Patchstack).

The vulnerability allows any authenticated user, including those with basic Subscriber-level access, to perform privileged actions such as viewing email count statistics, resending emails, and accessing detailed email logs including entire email bodies. Most critically, this access enables interception of password reset emails, potentially leading to administrator account takeover and full site compromise (Patchstack, Security Online).

Site administrators using the Post SMTP plugin should immediately upgrade to version 3.3.0 or later, which includes improved access control mechanisms that properly restrict REST API usage. The patch implements additional privilege checks in the getlogspermission function to ensure only users with manage_options capability (typically Administrator-level users) can access these API endpoints (Patchstack).