removed from repo?

I think this is probably why:
https://www.ads-software.com/support/topic/great-plugin-15376/
XSS Vulnerability and not updated

Removal from the repo is usually done when a plugin has unpatched security vulnerabilities and the developer isn’t responding (or at least responding quickly). Given that there is at least one known vulnerability that hasn’t been addressed and the developer rarely responds here and hasn’t updated the plugin for over a year, removal isn’t particularly surprising.

This was an incredibly well-crafted plugin, but I’ve had to stop using it on sites I support because it’s apparently become unsupported. Not too long ago the developer responded to a support request saying no updates have been made because none were necessary. That’s clearly not true, as now evidenced by the removal from the repo. It will be interesting to see if the developer now responds or if this is the end of the line for the plugin.

I used this plugin often as well. Can someone please recommend an alternative plugin to use?

Thanks

Alternatives (OAuth2 Focused)

• Google SMTP
• WP Mail – Mail Bank

• This reply was modified 7 years, 1 month ago by Vlass Contreras. Reason: Readability

The problem with both Google SMTP and Mail Bank is that both plugins only support standard SMTP. Some hosts (e.g. Bluehost) refuse to allow SMTP (the necessary ports are closed) for shared accounts. Postman SMTP was the only “simple” (i.e., not a full email service like SendGrid) SMTP plugin I know of that supported OAUTH2 AND the Gmail API–which doesn’t require an SMTP port. (Google SMTP SAYS it supports the Gmail API, but it’s incorrectly using the term to mean OAUTH2.)

What we need is a brave soul who will administer the fix that is outlined in the above link and take over the plugin and maintain it.

It really is/was the best mail plugin on WP

I have already applied the fix (it is only one line) but it would be better if this plugin was back on WP and being supported

steveb123, would you mind to share the fix?

Oh . . . I just posted the same question on another thread:
https://www.ads-software.com/support/topic/great-plugin-15376/#post-9562819

Hopefully he’ll reply and help us out ??

LL

https://www.ads-software.com/support/topic/great-plugin-15376/#post-9561683

https://www.ads-software.com/support/topic/postman-smtp-maileremail-log-is-prone-to-a-cross-site-scripting-vulnerability/

is the real link

Here’s the reason:

https://www.wordfence.com/blog/2017/10/postman-smtp-plugin-unpatched-vulnerability-removed-directory

The best source for this vulnerability disclosure is the actual source here:
https://www.pluginvulnerabilities.com/2017/06/29/reflected-cross-site-scripting-xss-vulnerability-in-postman-smtp/

The fix is simply to change:
value=”<?php echo $_REQUEST[‘page’] ?>” />
on line 346 of the file /Postman/Postman-Email-Log/PostmanEmailLogController.php

to:
value=”<?php echo esc_attr($_REQUEST[‘page’]) ?>” />

This is untested but I’ll test it again the POC this weekend…

@ Jon Brown

I have change the source code with your fix,
all things works fine.

THANKS!!!!

I’m keeping the development here:

https://github.com/yehudah/Postman-SMTP

security issue is fixed and a bug will google API.

More then welcome to download.

Hello,

Postman SMTP is removed and not maintained anymore.
I will continue submit updates to my copy of the plugin under new name:
https://www.ads-software.com/plugins/post-smtp

Everybody is more then welcome to download.

Thanks
Yehuda