WordPress Post SMTP Plugin Vulnerability Exposes Websites to Attack

A critical vulnerability has been discovered in the WordPress Post SMTP plugin, which is widely used to configure email sending on WordPress websites. This security flaw allows attackers to exploit the plugin and potentially gain unauthorized access to websites, leading to data breaches and site defacement. The vulnerability stems from improper validation of user inputs, enabling remote code execution or privilege escalation. Website administrators are urged to update the plugin to the latest version immediately to mitigate risks. This incident highlights the importance of regularly updating WordPress plugins and maintaining robust security practices to protect websites from emerging threats. Cybersecurity experts recommend monitoring plugin updates and applying patches promptly to prevent exploitation by threat actors.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 05 Nov 2025 05:05:10 +0000

Cyber News related to WordPress Post SMTP Plugin Vulnerability Exposes Websites to Attack

Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin - On December 14th, 2023, during our Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000+ active installations. This vulnerability ...
1 year ago Wordfence.com

CVE-2023-2813 - All of the above Aapna WordPress theme through 1.3, Anand WordPress theme through 1.2, Anfaust WordPress theme through 1.1, Arendelle WordPress theme before 1.1.13, Atlast Business WordPress theme through 1.5.8.5, Bazaar Lite WordPress theme before ...
2 years ago

Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks - The security issue affects all versions of Post SMTP up to 3.2.0 and is due to a broken access control mechanism in the plugin’s REST API endpoints, which only verified if a user was logged in, without checking their permission level. More than ...
4 months ago Bleepingcomputer.com CVE-2025-24000

SMTP Smuggling Allows Spoofed Emails to Bypass Authentication Protocols - A new attack technique named SMTP Smuggling can allow malicious actors to send out spoofed emails that bypass authentication mechanisms. SMTP Smuggling was discovered by Timo Longin, a researcher known for DNS attacks, in collaboration with SEC ...
1 year ago Securityweek.com

WordPress Request Architecture and Hooks - Before diving into the security features of WordPress, it's critical to understand the underlying request architecture. WordPress is a dynamic system that processes and responds to user requests in various ways, depending on the nature of the request ...
1 year ago Wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (September 23, 2024 to September 29, 2024) - Software Name Software Slug 012 Ps Multi Languages 012-ps-multi-languages ABC APP CREATOR abcapp-creator Absolute Reviews absolute-reviews Accordion accordions Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads quick-adsense-reloaded Advanced File ...
1 year ago Wordfence.com Slug

WordPress Post SMTP Plugin Vulnerability Exposes Websites to Attack - A critical vulnerability has been discovered in the WordPress Post SMTP plugin, which is widely used to configure email sending on WordPress websites. This security flaw allows attackers to exploit the plugin and potentially gain unauthorized access ...
4 weeks ago Cybersecuritynews.com CVE-2024-12345

Developer Accounts Compromised Due to Credential Reuse in WordPress.org Supply Chain Attack - On June 24th, 2024, the Wordfence Threat Intelligence Team became aware of a WordPress plugin, Social Warfare, that was infected with malware through the WordPress repository. We immediately notified the WordPress Plugin's Team and they removed the ...
1 year ago Wordfence.com

Many popular websites still cling to password creation policies from 1985 - A significant number of popular websites still allow users to choose weak or even single-character passwords, researchers at Georgia Institute of Technology have found. The researchers used an automated account creation method to assess over 20,000 ...
1 year ago Helpnetsecurity.com

9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com

Attack Vector vs Attack Surface: The Subtle Difference - Cybersecurity discussions about "Attack vectors" and "Attack surfaces" sometimes use these two terms interchangeably. This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two ...
2 years ago Trendmicro.com

CVE-2021-24752 - Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the Essential Widgets WordPress plugin before 1.9, To Top ...
3 years ago

CVE-2021-24219 - The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before ...
3 years ago

Over 150k WordPress sites at takeover risk via vulnerable plugin - Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site authentication. Last month, Wordfence security researchers Ulysses Saicha and ...
1 year ago Bleepingcomputer.com CVE-2023-7027

Customer compliance and security during the post-quantum cryptographic migration | AWS Security Blog - For example, using the s2n-tls client built with AWS-LC (which supports the quantum-resistant KEMs), you could try connecting to a Secrets Manager endpoint by using a post-quantum TLS policy (for example, PQ-TLS-1-2-2023-12-15) and observe the PQ ...
1 year ago Aws.amazon.com

50K WordPress sites exposed to RCE attacks by critical bug in backup plugin - A critical severity vulnerability in a WordPress plugin with more than 90,000 installs can let attackers gain remote code execution to fully compromise vulnerable websites. Known as Backup Migration, the plugin helps admins automate site backups to ...
1 year ago Bleepingcomputer.com CVE-2023-6553 CVE-2023-45124 Hunters

Hackers exploit WordPress plugin Post SMTP to hijack admin accounts - A critical vulnerability in the popular WordPress plugin Post SMTP has been exploited by hackers to hijack administrator accounts, posing a significant security risk to websites using this plugin. The flaw allows attackers to escalate privileges and ...
4 weeks ago Bleepingcomputer.com CVE-2023-40562

Over 100 WordPress Repository Plugins Affected by Shortcode-based Stored Cross-Site Scripting - On August 14, 2023, the Wordfence Threat Intelligence team began a research project to find Stored Cross-Site Scripting via Shortcode vulnerabilities in WordPress repository plugins. We found over 100 vulnerabilities across 100 plugins which affect ...
1 year ago Wordfence.com

Record Breaking $153,000+ Already Invested into the Security of the WordPress Ecosystem by Wordfence - In just a few short months since our launch in November of last year, the Wordfence Bug Bounty Program has already awarded over $153,000 in bounties to WordPress security researchers who have been responsibly reporting security issues in WordPress ...
1 year ago Wordfence.com

New Balada Injector campaign infects 6,700 WordPress sites - A little over 6,700 WordPress websites using a vulnerable version of the Popup Builder plugin have been infected with the Balada Injector malware in a campaign that launched in mid-December. Initially documented by researchers at Dr. Web who observed ...
1 year ago Bleepingcomputer.com CVE-2023-6000

Government Quash All Post Office Horizon Convictions - It comes after the government in July 2021 had promised to compensate those postmasters who had their Horizon-related convictions overturned. The Government said this week it has committed to making sure these convictions are overturned by the end of ...
1 year ago Silicon.co.uk

WP Fastest Cache plugin bug exposes 600K WordPress sites to attacks - The WordPress plugin WP Fastest Cache is vulnerable to an SQL injection vulnerability that could allow unauthenticated attackers to read the contents of the site's database. WP Fastest Cache is a caching plugin used to speed up page loads, improve ...
2 years ago Bleepingcomputer.com CVE-2023-6063

WordPress Security Research: A Beginner's Series - Over the coming months, this series will be presented through multiple blog posts, each delving into the fundamentals of WordPress's architecture and security mechanisms while featuring real-world examples of vulnerabilities and their exploitation. ...
1 year ago Wordfence.com

CVE-2024-3073 - The Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.3.0. This is due to plugin providing the SMTP password in the SMTP Password field ...
1 year ago