CVE-2025-67563

Vulnerability

Overview The Post SMTP plugin for WordPress, versions up to and including 3.6.1, contains a missing authorization vulnerability. The issue stems from a broken access control mechanism, where certain functions lack proper authentication or nonce token checks. This allows unprivileged users to execute actions that should require higher privileges [1].

Exploitation

Details An attacker can exploit this vulnerability without needing any prior authentication. The missing authorization check means that any unauthenticated user can trigger privileged functions. This type of access control flaw is commonly used in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of their size or popularity [1].

Impact

Successful exploitation could allow an attacker to perform actions normally restricted to higher-privileged users, such as modifying plugin settings or accessing sensitive data. The CVSS v3 base score is 5.3 (Medium), indicating a moderate severity with low impact on confidentiality, integrity, and availability [1].

Mitigation

The vulnerability has been addressed in version 3.6.2 of the plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].