WordPress plugin hole enables account takeover

The disclosure of a major security hole in a popular WordPress email plugin is a reminder to CISOs of the risk posed by third-party plugins that run with broad access yet receive little security oversight.

The hole impacts Post SMTP, a WordPress plugin boasting more than 400,000 active installations, with more being activated every day. 

The hole, which has now been patched, allows “an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, which allows them to take over the account and the website,” according to a post from WordPress security vendor Wordfence. It urges users to install the patched version immediately.

Neither Wordfence nor WordPress responded to CSO Online’s requests for comment.

Wordfence said it has already detected in-the-wild attacks that exploit the hole. “Our data indicates that attackers have already started targeting this vulnerability as early as November 1, 2025, with over 4,500 attacks already blocked.”

‘A hair on fire situation’

Security consultants saw the hole as worrisome because of what it lets an attacker do, but tempered that assessment by noting that most CISOs already know not to trust plugins enough to give them meaningful access.

Flavio Villanustre, SVP and CISO for LexisNexis Risk Solutions, said, “This one is quite significant because it allows unauthenticated threat actors to obtain password recovery tokens. On an unpatched WordPress installation running the Post SMTP plugin, an attacker can trigger a password recovery action for any user and then recover the token through this vulnerability, allowing for wide account takeover.”

But, he stressed, the biggest risk is for new users of the plugin. “Because there seem to be about 400,000 WordPress sites running this plugin and 200,000 new versions were downloaded in the past 7 days, there could be 200,000 WordPress sites still vulnerable,” Villanustre pointed out.

Gary Longsine, CEO at IllumineX, agreed that the potential for major damage from this plugin hole is high.

“If the WordPress system were installed using the system admin account, for example, a user who gains control of a WordPress administrator account might be able to read the system password database, create a new account on the host system, or maybe create a crontab entry which gets executed by the root admin account, which opens a back door login,” Longsine said. “Another issue with defects in WordPress is that many of these installations are not maintained regularly. There’s a long, long tail of unpatched WordPress blogs in the world.”

Bob Wilson, cybersecurity advisor at Info-Tech Research Group, is also concerned.

“[The vulnerability’s] ease of exploitation, with no user interaction required and no special permissions needed, could allow an attacker to completely compromise a WordPress site,” he said. “The risk is extremely high and I would call this a hair on fire situation. If you have this plugin installed, it should be patched or disabled immediately.”

Could enable a global attack

Sıla Özeren, security research engineer at Picus Security, added that the security hole in this plugin doesn’t merely threaten the organization running it; it also turns the compromised site into a launching point for attacks on others.

“What makes [this hole] especially alarming is its chain potential: Once a WordPress instance is hijacked, attackers can inject scripts that steal credentials from visitors, plant SEO spam for monetization, or pivot into hosting infrastructure. A single misconfigured site can quickly become a node in a global attack network,” Özeren said. “It’s proof that the smallest coding omission can have the widest blast radius.”

The hole, Özeren said, is “a textbook case of Broken Access Control, the top-ranked web application weakness in OWASP’s Top 10. The missing capability check in the plugin’s PostmanEmailLogs constructor, a single unguarded function, is enough to compromise confidentiality, integrity, and availability in one step.”

In addition, Özeren said, “The exploit doesn’t require any authentication or user interaction. As a result, it’s easy to weaponize. Just three days after the disclosure, automated scanners were sweeping the internet and hitting thousands of WordPress sites. More than 400,000 installations were affected, and even after a patch was released, half of the sites remained unpatched days later. That is a huge target pool for opportunistic attackers.”
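The missing-capability-check pattern Özeren describes is easiest to see side by side with its fix. The following is an added illustration written for this article, not Post SMTP’s own code and not the code Wordfence analyzed: a hypothetical WordPress admin-ajax handler (the `demo_email_logs` action, the `demo_get_email_logs` accessor and the `demo_email_log` table are all invented names) that serves stored email logs. The first handler is reachable without login and never checks who is asking, which is the class of bug at issue; the second requires an administrator capability, verifies a nonce, and redacts the reset key from any logged password-reset link so that even a legitimate viewer of the log cannot reuse it.

```php
<?php
// Added example, not Post SMTP's code. All names below are hypothetical.

// --- Vulnerable pattern -----------------------------------------------------
// Registering the action for both logged-in (wp_ajax_) and anonymous
// (wp_ajax_nopriv_) callers, with no capability check in the handler, means
// anyone on the internet can dump the mail log, password-reset emails included.
add_action( 'wp_ajax_nopriv_demo_email_logs', 'demo_email_logs_unguarded' );
add_action( 'wp_ajax_demo_email_logs', 'demo_email_logs_unguarded' );

function demo_email_logs_unguarded() {
    $logs = demo_get_email_logs();  // every stored message, body included
    wp_send_json_success( $logs );  // leaks reset links to an unauthenticated caller
}

// --- Hardened pattern -------------------------------------------------------
// Only logged-in users reach this hook (no nopriv registration), and the
// handler still enforces capability and nonce itself rather than relying on
// the hook name alone.
add_action( 'wp_ajax_demo_email_logs_v2', 'demo_email_logs_guarded' );

function demo_email_logs_guarded() {
    // Mail logs are administrator-only data: manage_options is the usual gate.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }
    // Reject cross-site forged requests. The admin page that links here must
    // generate the token with wp_create_nonce( 'demo_email_logs' ).
    check_ajax_referer( 'demo_email_logs', 'nonce' );

    $logs = array_map( 'demo_redact_reset_key', demo_get_email_logs() );
    wp_send_json_success( $logs );
}

// WordPress password-reset links have the form
// wp-login.php?action=rp&key=<secret>&login=<user>. Strip the secret so a
// stored copy of the email can never be replayed, whoever reads the log.
function demo_redact_reset_key( array $row ) {
    if ( isset( $row['body'] ) ) {
        $row['body'] = preg_replace( '/(action=rp&key=)[^&\s"\']+/', '$1[redacted]', $row['body'] );
    }
    return $row;
}

// Hypothetical storage accessor standing in for a plugin's log table.
function demo_get_email_logs() {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_email_log';
    return $wpdb->get_results(
        "SELECT id, sent_at, to_address, subject, body FROM {$table} ORDER BY id DESC LIMIT 50",
        ARRAY_A
    );
}
```

Two design points worth noting: `current_user_can()` is the check that was missing in the case Wordfence describes, and it has to live in the handler (or the class constructor that wires the handler) rather than being inferred from the hook name, because a `wp_ajax_nopriv_` registration or an unauthenticated `admin-post.php` route silently bypasses any assumption that the caller is logged in. Redacting the reset key at read time is belt-and-braces; the better fix is to not persist the body of password-reset mail at all, so that a future access-control slip has nothing sensitive to expose.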
