WordPress Email and Auth Plugins Expose Sites to Admin Takeover and Data Theft
Multiple critical flaws in widely deployed WordPress plugins exposed sites to administrator takeover through broken REST API authorization, weak JWT handling, and sensitive data leakage. In Post SMTP, CVE-2025-24000 let any authenticated user read administrator-only email logs in versions through 3.2.0, while CVE-2025-11833 extended similar exposure to unauthenticated attackers in versions through 3.6.0; because password reset messages were stored in those logs, attackers could reset admin passwords and seize control of affected sites. RestroPress (CVE-2025-9209) exposed user tokens through /wp-json/wp/v2/users, enabling forged JWTs and full admin access, and miniOrange OAuth SSO (CVE-2025-9485) accepted forged JWTs because signatures were not verified, allowing login as arbitrary users including administrators. Copypress Rest API (CVE-2025-8625) combined a hard-coded JWT signing key with unrestricted file upload to enable unauthenticated remote code execution.
The pattern continued into active exploitation of Gravity SMTP (CVE-2026-4020), where an unauthenticated REST API endpoint exposed system reports containing WordPress and server details, plugin inventories, database information, and email-service credentials such as API keys, secrets, and OAuth tokens. Wordfence said exploitation required only a single request, reported blocking more than 17 million attempts, and urged defenders to upgrade to 2.1.5 and rotate exposed third-party email credentials. Across the affected plugins, vendors issued fixes including Post SMTP 3.3.0, miniOrange 6.26.13, and Gravity SMTP 2.1.5, while the Copypress plugin was temporarily closed; the incidents underscore how exposed REST endpoints and flawed token validation can quickly turn routine plugin features into full site compromise paths.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Wordfence discloses active exploitation of Gravity SMTP flaw
Wordfence disclosed that attackers were actively exploiting CVE-2026-4020 in the Gravity SMTP WordPress plugin. The company said exploitation was trivial via a single GET request to an unauthenticated REST API endpoint.
Gravity SMTP patched in version 2.1.5
The Gravity SMTP plugin was patched in version 2.1.5 to fix CVE-2026-4020, an unauthenticated sensitive information exposure issue. The bug affected versions up to and including 2.1.4 and could leak API keys, OAuth tokens, and other system details.
High-volume Gravity SMTP attacks continue through June 11
Wordfence said sustained high-volume exploitation of CVE-2026-4020 continued through June 11, 2026. Its firewall blocked more than 17 million exploit attempts targeting the vulnerable Gravity SMTP endpoint.
Gravity SMTP exploitation spikes on June 7
Wordfence reported the largest spike in exploitation attempts against CVE-2026-4020 on June 7, 2026. The flaw exposed sensitive configuration and email integration secrets through an unauthenticated REST API endpoint in Gravity SMTP.
RBI remediates assistant platform vulnerability within a day
Restaurant Brands International reportedly remediated CVE-2025-62645 within one day of disclosure. The vulnerability could have enabled administrative access across systems supporting more than 30,000 restaurant locations.
miniOrange releases OAuth SSO plugin version 6.26.13
miniOrange released version 6.26.13 to patch CVE-2025-9485, a JWT signature verification bypass in its OAuth Single Sign On plugin for WordPress. The flaw affected versions up to and including 6.26.12 and could allow forged administrator logins.
Copypress Rest API plugin temporarily closed
The WordPress Plugin Review Team temporarily closed the Copypress Rest API plugin after discovery of CVE-2025-8625, a critical unauthenticated RCE issue. The vulnerability affected versions 1.1 to 1.2 and enabled forged JWTs plus arbitrary file upload leading to code execution.
RBI assistant platform remained affected through September 6
CVE-2025-62645 affected Restaurant Brands International's assistant platform through 2025-09-06, exposing Burger King, Tim Hortons, and Popeyes systems to potential privilege escalation. The issue involved open Cognito registration, email verification bypass, GraphQL introspection, and an unauthorized createToken mutation.
WPExperts patches Post SMTP flaw in version 3.3.0
WPExperts fixed CVE-2025-24000 in Post SMTP version 3.3.0 by restricting sensitive REST API access to users with appropriate privileges. The flaw affected versions up to and including 3.2.0 and could let authenticated users access administrator email logs.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Attackers Actively Exploiting Sensitive Information Exposure Vulnerability in Gravity SMTP Plugin - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourcePost SMTP CVE-2025-11833: Brief Summary of Critical Unauthorized Email Log Access in WordPress - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceCVE-2025-62645: Privilege Escalation in Restaurant Brands International Assistant Platform (Brief Summary) - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceRestroPress WordPress Plugin CVE-2025-9209: Brief Summary of Critical Authentication Bypass - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceOAuth SSO WordPress Plugin CVE-2025-9485: Brief Summary of Critical JWT Signature Verification Bypass - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceCopypress Rest API WordPress Plugin CVE-2025-8625: Brief Summary of Critical Remote Code Execution Vulnerability - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceAuthentication Bypass in Post SMTP WordPress Plugin (CVE-2025-24000): Technical Summary and Patch Guidance - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of Gravity SMTP Flaw Exposes WordPress Email Credentials
Attackers are actively exploiting **CVE-2026-4020** in the RocketGenius **Gravity SMTP** WordPress plugin to extract sensitive configuration data and live email-service credentials from vulnerable sites. The flaw affects versions **2.1.4 and earlier** and stems from an unauthenticated REST API endpoint, `/wp-json/gravitysmtp/v1/tests/mock-data`, whose permission check always returns true; when queried with `page=gravitysmtp-settings`, it can return a detailed JSON system report containing environment data, API keys, secrets, and OAuth tokens tied to providers including **Amazon SES, Google, Mailjet, Resend, and Zoho**. The plugin is installed on roughly **100,000** WordPress sites, raising the risk of credential theft and abuse of legitimate outbound email infrastructure for spam, phishing, or follow-on compromise. **Wordfence** said it blocked more than **17 million** exploitation attempts, including a spike of over **4 million** in a single day, while **CrowdSec** observed at least **412** attacking IPs during earlier scanning and attack activity. RocketGenius released a fix in **Gravity SMTP 2.1.5**, and defenders are being urged to update immediately, rotate any potentially exposed credentials, and review logs for suspicious requests to the vulnerable endpoint.
Jun 23, 2026
Active Exploitation of Critical WordPress Plugin and Theme Vulnerabilities for Admin Account Hijacking
Threat actors are actively exploiting critical vulnerabilities in popular WordPress plugins and themes, enabling the hijacking of administrator accounts and full site compromise. The Post SMTP plugin, installed on over 400,000 WordPress sites, is affected by CVE-2025-11833, a flaw that allows unauthenticated attackers to read arbitrary logged emails, including password reset messages, due to missing authorization checks. This exposure enables attackers to reset admin passwords and take over sites. Wordfence has observed over 4,500 exploit attempts since November 1, and a patch was released in version 3.6.1, but a significant number of sites remain unpatched and vulnerable. Similarly, the JobMonster WordPress theme is being targeted via CVE-2025-5397, an authentication bypass vulnerability that allows attackers to hijack admin accounts when social login is enabled. The flaw arises from improper verification in the `check_login()` function, letting attackers fake admin access if they know the username or email. The issue is fixed in version 4.8.2, and users are urged to update, disable social login, and enable two-factor authentication. These incidents highlight the ongoing risk posed by unpatched WordPress components and the need for immediate mitigation to prevent site compromise.
Mar 21, 2026
Critical Post SMTP Plugin Vulnerability Enables Mass WordPress Site Takeover
A critical vulnerability in the *Post SMTP* WordPress plugin, tracked as CVE-2025-11833, has exposed over 400,000 WordPress sites to potential account and website takeover. The flaw, present in all plugin versions up to and including 3.6.0, stems from missing capability checks in the `__construct` function, allowing unauthenticated attackers to reset passwords for any user, including administrators. Wordfence, which received the initial bug report via its bounty program, has already blocked more than 4,500 attack attempts, and exploitation activity has accelerated since early November. Security researchers warn that at least 210,000 sites remain at risk, with attackers leveraging the vulnerability to access password reset messages and hijack admin accounts. Website owners are strongly advised to update to the patched version released on October 29 or disable the plugin to prevent compromise. The incident follows a previous security issue (CVE-2025-24000) affecting the same plugin, highlighting ongoing risks for sites relying on outdated or unpatched WordPress extensions.
Mar 21, 2026