Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Saad Iqbal Post SMTP post-smtp allows Authentication Bypass.This issue affects Post SMTP: from n/a through <= 3.2.0.
Published: 2025-08-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in the Saad Iqbal Post SMTP plugin allows an attacker to bypass normal authentication by using an alternate path or channel. The result is an account takeover, where the attacker can log in as any user, potentially assuming administrative privileges. The weakness is a classic Authentication Bypass (CWE‑288) that directly undermines the integrity of user access controls.

Affected Systems

WordPress sites that have the Saad Iqbal Post SMTP plugin installed, any version up to and including 3.2.0, are affected. This includes installations from the base 3.2.0 release backward. Site owners who rely on the original Post SMTP plugin for email delivery must verify the installed version and apply updates accordingly.

Risk and Exploitability

Classified as a high‑severity flaw with a CVSS score of 8.8, this issue is unlikely to be widely exploited currently, as indicated by an EPSS score of less than 1% and the absence of a listing in CISA’s KEV catalog. Nonetheless, because the vulnerability permits direct login impersonation, the exploitation would be straightforward for a skilled attacker—particularly if the WordPress site is exposed over the web. The attack vector would most likely involve sending crafted requests to the plugin’s authentication endpoints, requiring only network access to the site.

Generated by OpenCVE AI on May 2, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Post SMTP plugin to a version newer than 3.2.0, or apply the latest available patch, to remove the authentication bypass flaw.
  • If the plugin cannot be updated immediately, temporarily disable it or remove its files to eliminate the attack surface.
  • Restrict administrative access to the WordPress dashboard to a small set of trusted IP addresses or enforce multi‑factor authentication, thereby reducing the impact of any remaining authentication weaknesses.

Generated by OpenCVE AI on May 2, 2026 at 08:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-23940 Authentication Bypass Using an Alternate Path or Channel vulnerability in WPExperts Post SMTP allows Authentication Bypass.This issue affects Post SMTP: from n/a through 3.2.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Authentication Bypass Using an Alternate Path or Channel vulnerability in WPExperts Post SMTP allows Authentication Bypass.This issue affects Post SMTP: from n/a through 3.2.0. Authentication Bypass Using an Alternate Path or Channel vulnerability in Saad Iqbal Post SMTP post-smtp allows Authentication Bypass.This issue affects Post SMTP: from n/a through <= 3.2.0.
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 12 Aug 2025 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpexperts
Wpexperts post Smtp
Vendors & Products Wordpress
Wordpress wordpress
Wpexperts
Wpexperts post Smtp

Thu, 07 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 07 Aug 2025 17:15:00 +0000

Type Values Removed Values Added
Description Authentication Bypass Using an Alternate Path or Channel vulnerability in WPExperts Post SMTP allows Authentication Bypass.This issue affects Post SMTP: from n/a through 3.2.0.
Title WordPress Post SMTP plugin <= 3.2.0 - Account Takeover Vulnerability
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
Wpexperts Post Smtp
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:04:08.090Z

Reserved: 2025-01-16T11:33:30.632Z

Link: CVE-2025-24000

cve-icon Vulnrichment

Updated: 2025-08-07T17:47:25.279Z

cve-icon NVD

Status : Deferred

Published: 2025-08-07T17:15:28.060

Modified: 2026-04-23T15:24:56.690

Link: CVE-2025-24000

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T08:30:26Z

Weaknesses