ashes00

Good to know the as the slug is never released. Hopefully that stays the policy!

Wordfence reports on closed Plugins as a means to alert of possibly abandoned plugins that can be hijacked by a 3rd party, and used for malicious purposes. This is an extremely useful security feature. Wordfence also reports when a plugin has a known CVE which is another extremely useful function. It would still be nice for the authors to provide some sort of calming communication. I’m hoping it was closed for a missed bounced email, and not something worse.

I’m giving them 48 hours from initial discovery to respond here or on X with something meaningful. If not, then we must assume the worst from an OpSec perspective. We will have to disable, and move the SMTP plugin functionality to Fluent-SMTP. Next will be moving to a new Transactional Email Provider such as Amazon SES, SendGrid, Postmark, etc. All of this could be avoided if MailGun would just communicate in a meaningful way to its users. Talk about shooting yourself in the foot.

https://www.ads-software.com/plugins/fluent-smtp/

@mailgun, @sivel, @lookaheadio, @alanfuller, @m35dev any idea whats going on?

I can confirm the upgrade works. I have enabled the plugin again.

@dgwyer thank you for patching this plugin.

I can confirm the upgrade works. I have enabled the plugin again.

@dgwyer thank you for patching this plugin.

Tried to update, and it failed.

WordPress error: Update failed: Download failed. Not Found

I’ll try again in a few mins. Maybe its a CDN propagation issue.

@dgwyer Looking forward to that new release.

@dgwyer thank you for commenting on the issue sir!

All – I just sent the parent company WPGO a message on their contact page at https://wpgoplugins.com/contact-us/ asking for a response. If we do not get any response soon we should pry consider this plugin as abandoned, and move forward with complete removal. If you are reading this it is highly advised to disable the plugin for security. If you can do without the plugin it advised to disable, and remove the plugin 100% until there is a fix/patch. I personally will be removing this plugin from all of my sites after 1 week of no response from the author.

Author – Can you please acknowledge this issue? Silence is never a good sign. Thanks

Looks like the Freemius framework was already patched.
https://freemius.com/blog/freemius-wordpress-sdk-security-vulnerability/

I too am seeing this wordfence vulnerability notification. My attempt at reporting this as you have has my submission being held for moderation.

We need the author to acknowledge this situation, so we know whats going on.

Thats a dang shame! Crashed my site, and had to recovered from a backup. Thats when I figured it was this plugin. Good Bye WP-Crontrol. Guess I’ll check back in 2 months to see how this was handled by the author.

This is what I’m trying so far.

https://www.ads-software.com/plugins/searchwp-modal-search-form/

Thanks for the update.
I’ve swapped in a replacement search plugin already. When it comes to security concerns mitigation must move fast. I’ll continue to watch this plugin page, and once I see things have settled in I might swap Ivory Search plugin back in. Thanks for not taking days to respond!

~Ash