Authentication bypass / privilege escalation in Post SMTP WordPress plugin email log REST API

This repository is a small standalone Python exploit for CVE-2025-24000 affecting the Post SMTP WordPress plugin up to version 3.2.0. The repo contains only two files: a README describing the vulnerability, exploitation flow, requirements, and examples; and a single executable Python script, exploit_cve_2025_24000.py, which is the main entry point. The exploit is not part of a larger framework. The script automates a full authenticated privilege-escalation chain over web endpoints. It logs into WordPress as a low-privilege user through wp-login.php, accesses /wp-admin/ to scrape a WordPress REST nonce from page content, triggers a password reset for a chosen administrator account via wp-login.php?action=lostpassword, then abuses vulnerable Post SMTP REST API endpoints /wp-json/psd/v1/get-logs and /wp-json/psd/v1/get-details?id=<id>&type=show_view to read email logs that should be restricted to administrators. It searches returned log content for a password reset URL containing action=rp and outputs the recovered reset link, enabling takeover of the administrator account. Code structure is straightforward: helper functions implement login, nonce extraction, password reset triggering, log retrieval, email ID extraction, detailed log retrieval, and regex-based reset-link extraction. If log IDs are not present in the initial response, the script falls back to brute-forcing email IDs 1 through 20. The exploit uses Python requests with TLS verification disabled and relies on an authenticated session plus the X-WP-Nonce header for REST access. Overall, this is an operational exploit that provides practical account takeover capability rather than mere detection.