shinerweb

Michael, many thanks… it’s been that long since I paid any attention to plugin development. I’ve kind of noticed the swap in other plugins but hadn’t thought much of it.
Cheers for the speedy reply, much appreciated.

Chris

As you installed ContactForm7 ‘after’ installed WordFence, go to WordFence and re-enable training mode. If WordFence detects any issues with ContactForm7, you accept them. You can then switch off training mode.

• This reply was modified 6 months, 3 weeks ago by shinerweb.

https://patchstack.com/database/vulnerability/wp-edit-username/wordpress-wp-edit-username-plugin-1-0-4-cross-site-scripting-xss-vulnerability

https://www.cve.org/CVERecord?id=CVE-2023-47528

https://nvd.nist.gov/vuln/detail/CVE-2023-47528

WordFence is also highlighting the plugin has a security vulnerability.
Have you managed to get hold of those at PatchStack?

It does require Adminstration level access, which to be honest is a tadge weird. If I had Admin access to a website, I wouldn’t need to use a hack surely…

Never had any issues with WP Edit Username and something not quite right about this ‘claim’!

I’m seeing the same error, and clicking the “try to recreate again” option has no effect.
There are no errors on the server, nor in Popup Makers own error log.
Clicking the keep current method caused the error message to go away in my instance.
On checking the misc options, “disable asset caching” was still cleared.

I checked the permissions on pum-site-styles.css and pum-site-scripts.js which were both still dated as April 2022, and set to 644 which I’ve changed manually to 755 (to match the pum folder).

I don’t have any active pop-ups at present and I’ll try to spend a bit more time on this tomorrow. (I suspect the April 2022 cache files was the last time I had an active pop-up !!).

one method I’ve used is to change the password of the main account such that it fails. It should turn use the fall back service to complete the mail send.

See https://www.ads-software.com/support/topic/emptying-wfhoover-database-table/?replies=3

You could try using the following reg ex:

^(\+\d{2,4})?\s?(\d{2,4}|\(\d{2,4}\))?\s?[\d\s.-]{3,15}$

That should accept the following entries:

9999 99999-99
+99 999288432
(883) 892739723
+12 123 8293-76.238
123 234 879347-837
 (99) 9999-9999 
(99) 99999-9999

https://regex101.com/r/9vj9Jv/1

Looks like you are using Mandrill API, have you checked the settings on Mandrill?
I don’t know if it is still the case but under the advanced settings tab, you used to be able to set the From: address.

ah, in that case, there are no updates because it does what it says on the tin.
It works and works well and long may it continue to do so.

@yehudah the author is a busy guy but usually reacts quickly to fix any known major bugs or issues.

The plugin is most definitely not abandoned (AFAIK).
Which extra security risks do you refer to?

What version of WordPress and PHP are you using?
Do you have any plugins using an out of date JQuery version?

Can you paste the output of your diagnostic test below?

****** Note: I am just another regular user like yourself, not official support ******

A weird situation but it really can’t be coming from Post SMTP.

Post SMTP doesn’t generate emails (apart from error conditions and then it uses a fallback method). WordPress is generating the password change email and passing that to the WP Mail method. Post SMTP overrides the regular WP Mail method and takes over the sending of the emails.

Without Post SMTP activated your site will fall back to using your servers PHP Mail functionality. If you are not seeing the password reset emails without Post SMTP, it is likely they are still being generated but being blocked by your servers PHP mail restrictions or blocked as spam by the recipient email server. (PHP Mail is inherently unreliable which is the reason most people install Post SMTP).

Do you have any Password manager applications installed on the machine you are using?
Or a Browser addon that works in both regular and private/incognito browser sessions?
Have you tried a different machine / phone / laptop?

When editing the user profile page, it is WordPress itself that is detecting a change within the password field and then activating the “change of password email”.
Post SMTP has no part in any of that process until it receives the email send request.
You could try putting WordPress into full debug mode and hopefully that might spread some light within the logs.

What is even more confusing is many years ago, due to a bug with the Chrome browser not respecting the “do not autocomplete” switch, they put in steps to stop that field from being filled in automatically without the users input. That should work across all browsers and not just Chrome. Usually there is a button that you need to press prior to setting a new password so that field wouldn’t even be visible when you are viewing or editing a users profile.

One last thought, do you have any kind of membership plugin installed?
Or do you have any modifications within your functions.php file?
Whilst you say you have disabled all plugins via Troubleshooting mode, changes to your functions.php file are not always switched off when in Troubleshooting mode.

Un-tick the “prevent plugins and themes from setting this”

However if you do this and use a different domain in the email address, you must make sure that you set up the correct SPF and DKIM records (that authorises @gmail.com to send emails “on behalf of* your domain.
Failure to do that will mean most it not all of your emails will be marked as spam or rejected by the recipients mail server/application.

That has nothing to do with Post SMTP I’m afraid.

It is most likely that you have your browser set to auto complete. Each time you edited the users profile page, your browser filled in the hidden password field with “a saved password” of yours. As you clicked save or update on the users profile, it updated the users details AND their password.

When editing users profiles, switch off your browsers auto complete. If your password manager or browsers auto complete allows, add an exception using the profile URL. Or just temporarily disable auto complete.

Or

You could also use a different browser (or a guest browser profile) to edit users profiles. That new browser or guest browser profile will not have any passwords stored so won’t automatically complete that field. That will mean you will have to manually login to the admin dashboard because it won’t remember your password or username too.

But rest assured, it was most definitely not Post SMTP that initiated the password reset.

Regards

Chris

****** Note: I am just another regular user like yourself, not official support ******

• This reply was modified 2 years, 12 months ago by shinerweb.

Did you see this: PHP Warning

Looks like it could be something to do with translations/German Language file.