A security flaw in the Post SMTP WordPress plugin has put around 400,000 sites at risk of account takeover. Attackers can exploit this vulnerability to gain unauthorized access to user accounts. Site owners need to update the plugin immediately to protect their sites.

More than 200,000 WordPress websites are at risk due to a vulnerability in the Post SMTP plugin that allows low-privileged users to hijack administrator accounts. The flaw, identified as CVE-2025-24000, stems from inadequate permission checks in the plugin's REST API, enabling unauthorized access to sensitive email logs. Although a fix was released in version 3.3.0, many users have yet to update, leaving them exposed to potential attacks.

A critical vulnerability in the Forminator plugin for WordPress, tracked as CVE-2025-6463, allows unauthenticated arbitrary file deletion, which could lead to full site takeover. The issue affects all versions up to 1.44.2 and is due to insufficient input validation, enabling attackers to delete essential files like wp-config.php. Users are urged to update to version 1.44.3 to mitigate the risk.