Wordfence Vulnerability Severity: 9.8/10.0 (Critical)

CVSS 9.8 (Critical)!

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/fluent-smtp/fluentsmtp-wp-smtp-plugin-with-amazon-ses-sendgrid-mailgun-postmark-google-and-any-smtp-provider-2282-unauthenticated-php-object-injection

When will it be fixed??

Note that there is no known POP chain present in this plugin so it would likely take an additional plugin or theme for an unauthenticated user to be able to actually inject a PHP object. The vulnerability was partially patched in version 2.2.82 and seems to be more fully patched in the latest 2.2.83 version. I would recommend updating your sites to the latest version and you should be good.

To clarify here for folks new to vulnerability reports, the key is the part I’ve bolded in the report’s title:

“FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider <= 2.2.82 – Unauthenticated PHP Object Injection”

That means versions less than and equal to 2.2.82 are affected. Versions higher than 2.2.82 are not affected.

Version 2.2.83 was released 2 weeks ago and is not affected.

Always keep your plugins up to date: https://www.ads-software.com/documentation/article/plugins-themes-auto-updates/#enable-auto-updates-for-plugins

Hello @razorfrog,

Thanks for your concern and I hope by this time you are using the latest version that is unaffected with this vulnerability.

Hello @macmanx,

We also thank you for your time to clarify the situation.