{"id":5674,"date":"2025-11-05T20:53:42","date_gmt":"2025-11-05T20:53:42","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5674"},"modified":"2025-11-05T20:53:42","modified_gmt":"2025-11-05T20:53:42","slug":"wordpress-plugin-hole-enables-account-takeover","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5674","title":{"rendered":"WordPress plugin hole enables account takeover"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The disclosure of a major security hole within a popular WordPress email plugin is a reminder to CISOs about the risks posed by relatively unsupervised plugins.\u00a0<\/p>\n<p>The hole impacts <a href=\"https:\/\/wordpress.org\/plugins\/post-smtp\/\" target=\"_blank\" rel=\"noopener\">Post SMTP<\/a>, a WordPress plugin boasting more than 400,000 active installations, with more being activated every day.\u00a0<\/p>\n<p>The hole, which has now been patched, allows \u201can unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, which allows them to take over the account and the website,\u201d according to <a href=\"https:\/\/www.wordfence.com\/blog\/2025\/11\/400000-wordpress-sites-affected-by-account-takeover-vulnerability-in-post-smtp-wordpress-plugin\/\" target=\"_blank\" rel=\"noopener\">a post from WordPress security vendor Wordfence<\/a>. It urges users to install the patched version immediately.<\/p>\n<p>Neither Wordfence nor WordPress responded to CSO Online\u2019s requests for comment.<\/p>\n<p>Wordfence\u2019s post said that they have already detected attacks in the wild leveraging the hole. 
\u201cOur data indicates that attackers have already started targeting this vulnerability as early as November 1, 2025, with over 4,500 attacks already blocked.\u201d<\/p>\n<h2 class=\"wp-block-heading\">\u2018A hair on fire situation\u2019<\/h2>\n<p>Security consultants saw the hole as worrisome because of what it allows, but tempered that by noting that most CISOs know better than to trust a plugin with meaningful access.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/fvillanustre\/\" target=\"_blank\" rel=\"noopener\">Flavio Villanustre<\/a>, SVP and CISO for LexisNexis Risk Solutions, said, \u201cThis one is quite significant because it allows unauthenticated threat actors to obtain password recovery tokens. On an unpatched WordPress installation running the Post SMTP plugin, an attacker can trigger a password recovery action for any user and then recover the token through this vulnerability, allowing for wide account takeover.\u201d <\/p>\n<p>But, he stressed, the biggest risk is for sites that have not yet updated the plugin. \u201cBecause there seem to be about 400,000 WordPress sites running this plugin and 200,000 new versions were downloaded in the past 7 days, there could be 200,000 WordPress sites still vulnerable,\u201d Villanustre pointed out.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/gwlongsine\/\" target=\"_blank\" rel=\"noopener\">Gary Longsine<\/a>, CEO at IllumineX, agreed that the potential for major damage from this plugin hole is high.<\/p>\n<p>\u201cIf the WordPress system were installed using the system admin account, for example, a user who gains control of a WordPress administrator account might be able to read the system password database, create a new account on the host system, or maybe create a crontab entry which gets executed by the root admin account, which opens a back door login,\u201d Longsine said. 
\u201cAnother issue with defects in WordPress is that many of these installations are not maintained regularly. There\u2019s a long, long tail of unpatched WordPress blogs in the world.\u201d<\/p>\n<p><a href=\"https:\/\/www.infotech.com\/profiles\/bob-wilson\" target=\"_blank\" rel=\"noopener\">Bob Wilson<\/a>, cybersecurity advisor at Info-Tech Research Group,\u00a0is also concerned.<\/p>\n<p>\u201c[The vulnerability\u2019s] ease of exploitation, with no user interaction required and no special permissions needed, could allow an attacker to completely compromise a WordPress site,\u201d he said. \u201cThe risk is extremely high and I would call this a hair on fire situation. If you have this plugin installed, it should be patched or disabled immediately.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Could enable a global attack<\/h2>\n<p><a href=\"https:\/\/www.picussecurity.com\/resource\/author\/s%C4%B1la-ozeren\" target=\"_blank\" rel=\"noopener\">S\u0131la \u00d6zeren<\/a>, security research engineer at Picus Security, added that the security hole in this plugin doesn\u2019t merely threaten the company using it, but also gives attackers a launching point for a global attack.<\/p>\n<p>\u201cWhat makes [this hole] especially alarming is its chain potential: Once a WordPress instance is hijacked, attackers can inject scripts that steal credentials from visitors, plant SEO spam for monetization, or pivot into hosting infrastructure. A single misconfigured site can quickly become a node in a global attack network,\u201d \u00d6zeren said. \u201cIt\u2019s proof that the smallest coding omission can have the widest blast radius.\u201d<\/p>\n<p>The hole, \u00d6zeren said, is \u201ca textbook case of Broken Access Control, the top-ranked web application weakness in <a href=\"https:\/\/www.csoonline.com\/article\/3828216\/understanding-owasps-top-10-list-of-non-human-identity-critical-risks.html\" target=\"_blank\" rel=\"noopener\">OWASP\u2019s Top 10<\/a>. 
The missing capability check in the plugin\u2019s PostmanEmailLogs constructor, a single unguarded function, is enough to compromise confidentiality, integrity, and availability in one step.\u201d<\/p>\n<p>In addition, \u00d6zeren said, \u201cThe exploit doesn\u2019t require any authentication or user interaction. As a result, it\u2019s easy to weaponize. Just three days after the disclosure, automated scanners were sweeping the internet and hitting thousands of WordPress sites. More than 400,000 installations were affected, and even after a patch was released, half of the sites remained unpatched days later. That is a huge target pool for opportunistic attackers.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The disclosure of a major security hole within a popular WordPress email plugin is a reminder to CISOs about the risks posed by relatively unsupervised plugins.\u00a0 The hole impacts Post SMTP, a WordPress plugin boasting more than 400,000 active installations, with more being activated every day.\u00a0 The hole, which has now been patched, allows \u201can 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5675,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5674","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5674"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5674"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5674\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5675"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5674"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5674"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5674"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
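The article's point about a missing capability check in an email-log constructor is the general WordPress pattern below: a class that reacts to a request parameter on a hook that fires for every visitor, with no check of who is asking. This is an added illustration and not the Post SMTP plugin's code; the class names, the `init`/`admin_init` hook choice, the `demo_view_log` query parameter, the `demo_email_log` table and the `demo_email_log_body` filter are all hypothetical. The WordPress functions it calls (`add_action`, `current_user_can`, `wp_verify_nonce`, `wp_die`, `$wpdb->prepare`) are real, and the `action=rp&key=` form of a WordPress password-reset link is the platform's own.

```php
<?php
/*
 * Added illustration (not Post SMTP's code) of a missing-capability-check
 * bug in a WordPress email-log viewer, with a hardened version beside it.
 * Class names, hook choice, the `demo_view_log` parameter, the table and
 * the filter name are hypothetical.
 */

/* ---- Vulnerable pattern: work done on `init` for any visitor ---- */
class Demo_Vulnerable_Email_Logs {
    public function __construct() {
        // `init` fires for every request, logged in or not. A constructor
        // that reacts to a request parameter here, without checking who is
        // asking, lets an anonymous visitor read the log, including the
        // body of a password-reset email and the reset link inside it.
        add_action( 'init', array( $this, 'maybe_output_log' ) );
    }

    public function maybe_output_log() {
        if ( ! isset( $_GET['demo_view_log'] ) ) {
            return;
        }
        global $wpdb;
        $id  = absint( $_GET['demo_view_log'] );
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}demo_email_log WHERE id = %d", $id
        ) );
        // No capability check and no nonce: anyone reaches this line.
        wp_die( esc_html( $row ? $row->body : '' ) );
    }
}

/* ---- Hardened pattern ---- */
class Demo_Hardened_Email_Logs {
    public function __construct() {
        // Registering on `admin_init` keeps the handler out of front-end
        // requests, but that alone is not access control: `admin_init` also
        // fires for unauthenticated admin-ajax.php requests. The capability
        // check below is what actually protects the data.
        add_action( 'admin_init', array( $this, 'maybe_output_log' ) );
    }

    public function maybe_output_log() {
        if ( ! isset( $_GET['demo_view_log'] ) ) {
            return;
        }
        // 1. Authorization: the email log is administrative data.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Not allowed.', 'demo' ), '', array( 'response' => 403 ) );
        }
        // 2. CSRF protection: the link to a log entry must carry a nonce
        //    minted with wp_create_nonce( 'demo_view_log' ).
        $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
        if ( ! wp_verify_nonce( $nonce, 'demo_view_log' ) ) {
            wp_die( esc_html__( 'Invalid request.', 'demo' ), '', array( 'response' => 403 ) );
        }
        global $wpdb;
        $id  = absint( $_GET['demo_view_log'] );
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}demo_email_log WHERE id = %d", $id
        ) );
        if ( ! $row ) {
            wp_die( esc_html__( 'No such entry.', 'demo' ), '', array( 'response' => 404 ) );
        }
        wp_die( esc_html( $row->body ) );
    }
}

/* ---- Don't log what you can't afford to leak ---- */
// Even with correct access control, a log of full message bodies turns every
// later access-control bug, or a compromised admin account, into a credential
// leak. Redact the reset key before the row is written. WordPress reset links
// have the form wp-login.php?action=rp&key=<key>&login=<user>.
function demo_redact_reset_links( $body ) {
    return preg_replace( '~(action=rp&key=)[^&\s]+~', '$1[redacted]', $body );
}
add_filter( 'demo_email_log_body', 'demo_redact_reset_links' ); // hypothetical filter

new Demo_Hardened_Email_Logs();
```

The two checks do different jobs and both are needed: `current_user_can` answers "may this account see the log", `wp_verify_nonce` answers "did this account deliberately click a link the site issued". The redaction is the defence in depth the article's chain argument calls for: a reset link that was never stored cannot be recovered through the next unguarded function.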