Postman SMTP Plugin has been removed from WordPress Repositary – Why??

See https://www.ads-software.com/support/topic/removed-from-repo/.

Here’s the reason:

https://www.wordfence.com/blog/2017/10/postman-smtp-plugin-unpatched-vulnerability-removed-directory

@germankiwi that WordFence link isn’t a very good resource, they don’t even link to the original vulnerability update like most others being referenced (not to mention last I heard they weren’t protecting again this… apparently too busy writing marketing blog posts about it instead :shakes head:).

See: https://www.pluginvulnerabilities.com/2017/06/29/reflected-cross-site-scripting-xss-vulnerability-in-postman-smtp/

Fix is simply to change:
value=”<?php echo $_REQUEST[‘page’] ?>” />
on line 346 of the file /Postman/Postman-Email-Log/PostmanEmailLogController.php

to:
value=”<?php echo esc_attr($_REQUEST[‘page’]) ?>” />

@jb510 that’s a silly response. The Wordfence article is a perfectly good resource, because it answers the questions posed here by the OP.

The OP asked: Why has the SMTP plugin been removed from the repository? And should this be a concern to us? And do we need to start looking elsewhere? And can anyone shed some light on the matter?

*ALL* of those questions are addressed in the Wordfence article, in clear and straight-forward language, which is the reason the article was written.

The OP didn’t ask about the PHP code to fix the plugin, so the link you’ve provided is not pertinent to the question, although perhaps helpful to an advanced admin.

Also, Wordfence *has* been protecting its users against this XSS attack since *before* it was made public. They mention that in the article itself. Their article isn’t meant to be a tech article, so it’s quite silly for you to criticise it for not containing some technical details that you personally feel that it should. You’re obviously not their target audience.

Never mind @germankiwi, I think the response to the original source of the discovery was posted in the same spirit of indignation as your reply to it.

In any case, we are grateful to the people who have alerted the community to the vulnerability.

There is a patch that has been posted, and it doesn’t require advanced knowledge to implement it beyond opening the file mentioned and making the change, although a patch to a broken thing is just a sticking plaster that will eventually fall off if the plugin author has decided to abandon the plugin.

Since the author does not appear to be responding to any of the questions, or even trying to address the concerns of the people who are worried, now is probably a good time to investigate the alternatives.

Nobody knows why there has been no response. I can see how upset people are, and I can empathise too because I am one of the people who have (had) the plugin installed on quite a large number of sites.

On the other hand, I’m thinking that considering the fact the plugin hasn’t been updated in so long, it was a good reason to have stopped using it.

Now I can understand the intense pressure on the author, who provided a free plugin in the WP Repo, and who clearly moved on a while ago, is suddenly in the spotlight and under fire from all angles by people all over the world, and his name is up in lights on some of the major WordPress Security blogs.

Yes, he should respond, but wow, I am also really feeling for the dude right now.

The vulnerability that is being spoken about is a “proof of concept”.

Has anyone actually been exploited by this? I haven’t seen a single post where someone has verifiable proof that they have been compromised (yet).

Now that the weakness is exposed in public, it is almost an invitation for script kiddies to try their best.

It also probably means that the best course of action is to remove the plugin immediately and find an alternative, and as a community, let’s stick together and keeping helping each other out.

If I am feeling indignant, it is because that if the author was apparently able to be reached, as claimed by one of the respondents in the post written by the people who demonstrated the “proof of concept”, then why did the authors of the post not manage to do the same, and then follow the correct procedures by working with WordPress Core and the Author to release a patch before announcing it in public and disseminating widespread alarm.

I like this plugin also and used for many sites. Hope it will be continuously supported

i’m keeping the development here:

https://github.com/yehudah/Postman-SMTP

everybody more then welcome to download.

Hello,

Postman SMTP is removed and not maintained anymore.
I will continue submit updates to my copy of the plugin under new name:
https://www.ads-software.com/plugins/post-smtp

Everybody is more then welcome to download.

Thanks
Yehuda

Thanks Jon Brown!! For temporary fix.
Thanks yehudah too!! For continue the development.
I’m gonna change old one for new one ASAP.

@backfolder

So glad you see this and update to the new one.
Just deactivate the old and activate the new – Settings will be saved.