Over 4 Lakh WordPress Websites At Risk Due To Plugin Vulnerability, Email Data Could Be Exposed

A security flaw in the Post SMTP Mailer plugin has exposed over 400,000 WordPress websites to potential account takeovers. The vulnerability, now patched, could allow unauthorized attackers to access email logs and sensitive configuration data. Site administrators are advised to update immediately.

Tasneem Kanchwala | Updated: Wednesday, July 30, 2025, 03:22 PM IST
(Image: Pixabay)

A critical vulnerability in the Post SMTP Mailer plugin has exposed more than 400,000 WordPress websites to potential security breaches. The flaw, classified as an account takeover vulnerability, affects versions 3.2.0 and earlier of the plugin, which is widely used to route WordPress email through an external SMTP server.

The vulnerability was reported by Patchstack, a cybersecurity platform specialising in WordPress security. According to the advisory, the flaw allowed any logged-in user, even one with a low-privilege role such as Subscriber, to read the plugin's email logs and other sensitive configuration data. Because the logs store full message bodies, they include password-reset emails sent to administrators; an attacker who requests a password reset for an admin account and then reads the reset link from the log can take over that account, which is how the flaw escalates to full administrative access.

The issue stems from insufficient permission checks on the plugin's REST API endpoints. The callback guarding the email-log routes only verified that the caller was logged in, not that the account held a capability appropriate for managing the plugin. Any authenticated account could therefore reach features that should be reserved for administrators, including viewing email logs and related settings.
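The following is an added illustration of the weak-check versus capability-check pattern described above. It is not Post SMTP's own code; the REST namespace `example-mailer/v1`, the `/logs` route, the table name and all function names are assumptions made for this example.

```php
<?php
/**
 * Added example (not the plugin's code): a REST route that exposes a mail
 * log, guarded first by a permission callback that only checks login state
 * and then by one that checks a capability.
 *
 * Assumed names: namespace "example-mailer/v1", route "/logs", the
 * table {prefix}example_mail_log and every example_* function.
 */

// Weak pattern: is_user_logged_in() is true for every role, so a Subscriber
// created through open registration can read every stored message,
// including password-reset emails addressed to administrators.
function example_logs_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened pattern: gate the route on the capability that plugin settings
// are gated on. Administrators hold manage_options; Subscriber, Contributor,
// Author and Editor roles do not. Returning a WP_Error makes the REST API
// answer with a 403 rather than an empty success response.
function example_logs_permission_strong( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to view the mail log.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_mail_logs',
        // Switch to 'example_logs_permission_weak' to reproduce the flaw.
        'permission_callback' => 'example_logs_permission_strong',
        'args'                => array(
            'limit' => array(
                'default'           => 50,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Route handler: returns log metadata only. Even for administrators there is
// no reason to hand the full message body back over the API.
function example_get_mail_logs( WP_REST_Request $request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_mail_log'; // hypothetical table
    $limit = max( 1, min( 200, (int) $request['limit'] ) );

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, to_email, subject, sent_at FROM {$table} ORDER BY sent_at DESC LIMIT %d",
            $limit
        ),
        ARRAY_A
    );

    return rest_ensure_response( $rows );
}
```

Two points follow from the example. First, for cookie-authenticated REST requests WordPress core already validates the `X-WP-Nonce` header before it populates the current user, so a nonce check inside the plugin cannot substitute for a capability check; the permission callback must ask what the caller may do, not merely whether the caller is logged in. Second, a log that stores complete message bodies turns any read-access bug into a credential leak, so limiting what is stored (or what the API returns) reduces the impact of the next access-control mistake.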

The plugin's developers have released version 3.3.0, which includes a patch for the reported vulnerability. The update tightens the permission checks on the affected REST API endpoints so that only users with the appropriate capability can reach the email log and settings features.

The vulnerability was disclosed responsibly to the developer and promptly addressed. However, the scale of installations—over 400,000 active sites—means that many websites may still be running outdated versions.

WordPress site administrators using the Post SMTP Mailer plugin are strongly advised to update to version 3.3.0 or later to close the hole. As a precaution, administrators should also check whether the site allows open user registration (which gives an attacker the low-privilege account the flaw requires), review the user list for unexpected administrator accounts, and look through the stored email log for password-reset messages sent to admin addresses; if any appear, reset those accounts' passwords. Clearing old log entries, or disabling log retention where it is not needed, limits what a future access-control bug could expose.
