CVE-2025-24000 HIGH

CVE-2025-24000: WordPress Post SMTP plugin <= 3.2.0 - Account Takeover Vulnerability

Vendor Saad Iqbal
Product Post SMTP
Weakness CWE-288
Published August 7, 2025
Last update May 13, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Saad Iqbal Post SMTP (post-smtp) allows Authentication Bypass. This issue affects Post SMTP: all versions through 3.2.0.

Explanation of Vulnerability in Simple Terms

02Summary

Post SMTP versions 3.2.0 and earlier contain an authentication bypass vulnerability (CWE-288: Authentication Bypass Using an Alternate Path or Channel). An attacker holding a low-privilege account on the site can reach protected plugin functionality through a path that does not enforce the proper authorization checks, and can read, modify, or delete sensitive data and configuration; the CVE title describes the outcome as account takeover. Exploitation needs only network access and valid low-privilege credentials, with no interaction from any other user, which is why the CVSS vector reads PR:L and UI:N.
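The first thing a site owner wants from this advisory is a reliable "am I affected?" answer for the "3.2.0 and earlier" range. The check below is an added example, not code from the advisory or from the Post SMTP project: it reads the `Version:` line out of a WordPress plugin file header and compares it numerically against 3.2.0. The header text is a constructed sample in the layout WordPress itself parses, not a copy of the plugin's real file, and the pre-release handling is a general convention assumed here.

```python
import re
from typing import Optional, Tuple

# Affected range stated in the advisory: every version up to and including 3.2.0.
LAST_AFFECTED_VERSION = "3.2.0"

# Constructed sample of a WordPress plugin file header, in the layout WordPress
# parses from wp-content/plugins/<slug>/<main-file>.php. It illustrates the
# header format only and is not text copied from the Post SMTP plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Post SMTP
 * Description: Example header for the version check.
 * Version: 3.2.0
 */
"""


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Pull the 'Version:' value out of a WordPress plugin header comment."""
    m = re.search(r"^[\s*]*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sortable key for dotted version strings.

    Plain string comparison gets '3.10.0' < '3.2.0' wrong, so the numeric
    components are compared as integers. A pre-release suffix after '-'
    (e.g. '3.3.0-beta1') sorts below the final release with the same numbers.
    """
    core, _, prerelease = version.partition("-")
    parts = []
    for piece in core.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:  # treat '3.2' as '3.2.0'
        parts.append(0)
    return (tuple(parts), 0 if prerelease else 1, prerelease)


def is_affected(version: str, last_affected: str = LAST_AFFECTED_VERSION) -> bool:
    """True when `version` falls inside the advisory's 'through 3.2.0' range."""
    return version_key(version) <= version_key(last_affected)


if __name__ == "__main__":
    installed = parse_plugin_version(SAMPLE_HEADER)
    print(f"installed Post SMTP version: {installed}")
    print("affected by CVE-2025-24000:", is_affected(installed))
```

Run it against the real main plugin file on a site (or feed `is_affected` the version WP-CLI reports) rather than trusting a string comparison: `"3.10.0" < "3.2.0"` is true in Python and would misclassify a patched install as vulnerable, or a vulnerable one as safe, depending on which side of the comparison it lands.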

What an attacker can do

03Attacker Capabilities

Read, modify, or delete sensitive site data and plugin configuration using only a low-privilege user account; the CVE title characterizes the resulting impact as account takeover.

Potential impact on your site

04Site Impact

Low-privilege users can access and alter email settings, SMTP credentials, and other protected plugin data. The vector's C:H/I:H/A:H rating means confidentiality, integrity and availability of the site are all assessed as fully impacted.

Conditions required to exploit

05Prerequisites

The attacker needs a valid low-privilege user account on the site (the vector rates Privileges Required as Low) and network access to it; no interaction from an administrator or any other user is required, and attack complexity is rated Low.

Key dates

06Disclosure timeline

August 7, 2025 CVE published
May 13, 2026 Record updated