Hello! If you have a WordPress site or assist someone with a site, you will want to read this information. Hackers exploited a major vulnerability in a popular plugin called Post SMTP to steal admin accounts. Frightening, right?
What is Happening
Post SMTP is activated on roughly 400,000 sites and helps WordPress send emails, such as contact form submissions or password resets.
Older versions of Post SMTP (3.2.0 or older) have an exploitable flaw that has been given a CVE number (CVE-2025-24000). The flaw is easily exploited and allows users, even those who only have a Subscriber account, to do things they should not have permission to do. For example:
- They could read the email logs on the site
- They could trigger a password reset for the admin account
- They could steal the password reset link from the email logs
- And, they could log in to the site as the Admin — taking full control and ownership of the site
Can you imagine doing that so easily? Any WordPress user would break out in a sweat!
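The chain above boils down to two defender-side lessons: an endpoint that hands out email logs must check a real capability, not just "is this person logged in", and a log should never hold a usable password reset link in the first place. The following is an added example written for this post, not code from Post SMTP or from WordPress, showing a weak permission callback next to a hardened one and a log redaction helper. The `current_user_can()` / `is_user_logged_in()` shims, the `demo-mailer/v1` route name and the reset-link regex are all assumptions made so the script runs outside WordPress.

```php
<?php
// Added example (not Post SMTP's code): gating a REST endpoint that exposes an
// email log, and scrubbing reset links before they are logged at all.
//
// Constructed shim for WordPress's current_user_can() / is_user_logged_in().
// Do NOT define these in a real plugin; WordPress already provides them.
$GLOBALS['demo_current_user_caps'] = [];

function current_user_can( string $cap ): bool {
    return in_array( $cap, $GLOBALS['demo_current_user_caps'], true );
}
function is_user_logged_in(): bool {
    return $GLOBALS['demo_current_user_caps'] !== [];
}

// Weak gate: every account passes, including a plain Subscriber.
function weak_logs_permission(): bool {
    return is_user_logged_in();
}

// Hardened gate: require a capability that only Administrators hold by default.
function strict_logs_permission(): bool {
    return current_user_can( 'manage_options' );
}

// How the hardened gate would be wired up in a plugin (hypothetical route).
// add_action( 'rest_api_init', function () {
//     register_rest_route( 'demo-mailer/v1', '/logs', [
//         'methods'             => 'GET',
//         'callback'            => 'demo_get_logs',
//         'permission_callback' => 'strict_logs_permission',
//     ] );
// } );

// Defence in depth: strip the reset key before the message body is logged, so a
// leaked log cannot be turned into a login. Assumed WordPress reset URL shape:
// wp-login.php?action=rp&key=...&login=... (the "&" may be HTML-escaped).
function redact_reset_links( string $body ): string {
    return preg_replace( '/(action=rp&(?:amp;)?key=)[^&\s]+/i', '$1[REDACTED]', $body );
}

// Exercise both gates as a Subscriber (only "read") and as an Administrator.
function demo_permissions(): array {
    $roles   = [ 'subscriber' => [ 'read' ], 'administrator' => [ 'read', 'manage_options' ] ];
    $results = [];
    foreach ( $roles as $role => $caps ) {
        $GLOBALS['demo_current_user_caps'] = $caps;
        $results[ $role ] = [
            'weak'   => weak_logs_permission(),
            'strict' => strict_logs_permission(),
        ];
    }
    return $results;
}

// Constructed sample email body, as a mailer plugin might log it.
$sample_body = 'Reset here: https://example.test/wp-login.php?action=rp&key=AbC123xyz&login=admin';

print_r( demo_permissions() );
// subscriber: weak => true, strict => false; administrator: both true
echo redact_reset_links( $sample_body ), PHP_EOL;
// Reset here: https://example.test/wp-login.php?action=rp&key=[REDACTED]&login=admin
```

Run it with `php demo.php`. The Subscriber gets through the weak gate and is stopped by the strict one; that single line of difference in a `permission_callback` is the whole ballgame.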
Why it Matters
Even if you give someone "basic" access to your site, this bug could easily allow them to become the admin in seconds.
I've had problems with plugins before - I forgot to update one, and my small site was inundated with spam bots overnight. Lesson learned: update early, update often.
Final Thoughts
If your site is using the Post SMTP plugin, update to the latest version right after you’re done reading this. This little plugin illustrates how easily a bug in a small plugin can open the back door to hackers or lock you out of your own site.
It’s better to be safe than sorry — and trust me, it’s a lot easier to keep WordPress updated than to fix your site after it’s been hacked!
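If you look after several sites, "go check the version" gets old fast. Here is an added example, written for this post and not part of the plugin or of WordPress, that scans a `wp-content/plugins` directory, reads each plugin's header, and flags any copy of Post SMTP at version 3.2.0 or older (the affected range the post names). The `Plugin Name:` / `Version:` header format is WordPress's standard one; the sample plugin folders it builds in a temp directory are constructed for the demo.

```php
<?php
// Added example (not the plugin's code): audit a plugins directory for an
// affected Post SMTP install. Affected range per the post: 3.2.0 or older.
const AFFECTED_MAX_VERSION = '3.2.0';

// Read "Plugin Name:" and "Version:" from the header comment of a plugin file.
function read_plugin_header( string $file ): ?array {
    $head = file_get_contents( $file, false, null, 0, 8192 );
    if ( $head === false ) {
        return null;
    }
    $name = preg_match( '/^\s*\*?\s*Plugin Name:\s*(.+)$/mi', $head, $m ) ? trim( $m[1] ) : null;
    $ver  = preg_match( '/^\s*\*?\s*Version:\s*(.+)$/mi', $head, $v ) ? trim( $v[1] ) : null;
    return $name === null ? null : [ 'name' => $name, 'version' => $ver ];
}

// Walk <plugins_dir>/<slug>/*.php and report every Post SMTP copy found.
function find_post_smtp_installs( string $plugins_dir ): array {
    $findings = [];
    foreach ( glob( rtrim( $plugins_dir, '/' ) . '/*/*.php' ) ?: [] as $file ) {
        $h = read_plugin_header( $file );
        if ( $h === null || stripos( $h['name'], 'Post SMTP' ) === false ) {
            continue;
        }
        $findings[] = [
            'file'     => $file,
            'version'  => $h['version'],
            // Unknown version is treated as affected: better a false alarm than a miss.
            'affected' => $h['version'] === null
                || version_compare( $h['version'], AFFECTED_MAX_VERSION, '<=' ),
        ];
    }
    return $findings;
}

// Constructed sample: two fake plugin folders so the script runs offline.
function demo_audit(): array {
    $dir = sys_get_temp_dir() . '/plugins-demo-' . getmypid();
    $plugins = [
        'post-smtp'    => "<?php\n/*\nPlugin Name: Post SMTP\nVersion: 3.1.2\n*/\n",
        'other-plugin' => "<?php\n/*\nPlugin Name: Other Plugin\nVersion: 9.9.9\n*/\n",
    ];
    foreach ( $plugins as $slug => $source ) {
        mkdir( "$dir/$slug", 0700, true );
        file_put_contents( "$dir/$slug/$slug.php", $source );
    }
    return find_post_smtp_installs( $dir );
}

foreach ( demo_audit() as $f ) {
    printf( "%s  version=%s  %s\n", $f['file'], $f['version'] ?? 'unknown',
        $f['affected'] ? 'AFFECTED: update now' : 'ok' );
}
```

Point `find_post_smtp_installs()` at a real `wp-content/plugins` path instead of the demo directory and it prints one line per Post SMTP copy; anything marked AFFECTED is a site that needs the update today.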