• This plugin stores password information in plain text. Our account was compromised.
    1) Why?
    2) Why is the warning placed at the bottom of the form and not on the top in BOLD RED LETTERS?

    If you use this plugin then please store the information in your wp-config.php file. But I would still be wary of using this plugin as this looks like a setup – it took only a few hours from using this plugin to the account being compromised.

    • This topic was modified 6 years, 4 months ago by pgray.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Slava Abakumov

    (@slaffik)

    Hi @pgray,

    I’m sorry that happened to you. But your review title is misleading.

    Your account was not compromised because we store the password in clear text.
    It was compromised because someone has access to your database (via a security flaw in some other plugin/theme or on the server itself). Again: you were hacked NOT BECAUSE OF WP Mail SMTP plugin. I would highly recommend using something like WordFence or Sucuri to review your site security.
    You should consider every piece of data that you store in your database (including all the data by all other plugins) being already compromised.

    Here are the answers to your questions:
    1) We need to store the password in clear text because we need to send this password to the SMTP host server in clear text. There is no other way around it. Reversible password hashing is useless in this case.
    2) We place the warning right under the field where you enter your password. It’s totally fine to assume that users will read what is written in the description text of that field, do you agree? And with that text we provide a workaround for storing a password in the database before you even save your settings.

    Thread Starter pgray

    (@pgray)

    Hi Slava,

    Regret the negative review. This is my first and only review because I felt this needed to be shared.

    We use top of the line security including Wordfence so the issue doesn’t seem to be access to the database or the engine itself. This password seems to be displayed in plain text format on the admin page. Is this true?

    I am still investigating the possibility of a SQL injection – through a nasty plugin or something else – but doubt that is the case. Will let you know should we find it.

    With due respect, we use other systems that access remote SMTP servers without an issue – no such security vulnerability. So, I have a tough time agreeing with the premise that remote SMTP cannot be accessed securely.

    Nevertheless, place the warning in bold at the top, please!

    There is no excuse for storing passwords in cleartext, in 2019!

    I’m deleting this plugin on my system due to lack of action on the part of the developers on this serious security issue.

    Plugin Author Slava Abakumov

    (@slaffik)

    Hi, @mnr

    There is no excuse for storing passwords in cleartext, in 2019!

    Of course, that’s why you have a wp-config.php option of using constants with clear instructions of how to do that.
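The wp-config.php workaround referred to in the replies above, as an added example that is not taken from this thread or from the plugin's own files: the SMTP credentials are defined as PHP constants in wp-config.php (a file outside the web root's writable areas and never stored in the database), and a small helper lets an administrator confirm that no copy of the password is still sitting in the wp_options row after switching. The constant names (WPMS_*) and the option key and array layout (`wp_mail_smtp`, `['smtp']['pass']`) are assumed from the plugin's documentation; verify them against the instructions shipped with your plugin version before relying on them.

```php
<?php
// --- wp-config.php: place ABOVE the line "That's all, stop editing!" ---
// Credentials live in a file, not in the database. Keep wp-config.php
// owned by the deploy user and not world-readable (e.g. chmod 0640), and
// never commit it to version control.
define( 'WPMS_ON',        true );                 // assumed: tells the plugin to prefer constants
define( 'WPMS_MAILER',    'smtp' );               // assumed constant name
define( 'WPMS_SMTP_HOST', 'smtp.example.com' );   // constructed sample value
define( 'WPMS_SMTP_PORT', 587 );                  // constructed sample value
define( 'WPMS_SSL',       'tls' );                // assumed constant name; STARTTLS
define( 'WPMS_SMTP_AUTH', true );
define( 'WPMS_SMTP_USER', 'mailer@example.com' ); // constructed sample value
define( 'WPMS_SMTP_PASS', 'REPLACE-WITH-REAL-PASSWORD' ); // placeholder

// --- admin check (e.g. run once from a mu-plugin or WP-CLI `wp eval-file`) ---
// Returns an array describing whether a password copy is still in the DB and
// whether the constants actually took effect, so you can clear the stored
// value and confirm the migration. Assumes the plugin keeps its settings in
// the `wp_mail_smtp` option as a nested array.
function wpms_audit_password_storage() {
    $opts      = get_option( 'wp_mail_smtp', array() ); // assumed option key
    $db_pass   = isset( $opts['smtp']['pass'] ) ? (string) $opts['smtp']['pass'] : '';
    $const_set = defined( 'WPMS_ON' ) && WPMS_ON && defined( 'WPMS_SMTP_PASS' );

    return array(
        // Anyone who can read the database (backup, SQLi, shared host) reads this.
        'password_still_in_db' => $db_pass !== '',
        'constants_active'     => $const_set,
        // Both true means the DB copy is stale and should be blanked in the UI.
        'action_needed'        => $db_pass !== '' && $const_set,
    );
}

// Example of acting on the audit: blank the stored copy once constants are live.
function wpms_clear_db_password_if_constants_active() {
    $audit = wpms_audit_password_storage();
    if ( ! $audit['action_needed'] ) {
        return false;
    }
    $opts = get_option( 'wp_mail_smtp', array() );
    $opts['smtp']['pass'] = '';              // remove the plaintext copy from wp_options
    return (bool) update_option( 'wp_mail_smtp', $opts );
}
```

Blanking the database copy does not retroactively protect a password that was already exposed; rotate the SMTP credential at the provider after any suspected compromise, as the first reply recommends.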

  • The topic ‘STAY AWAY!! MAJOR SECURITY FLAW’ is closed to new replies.