+44 0330 223 3428
Call Us
+44 0330 223 3428

WPTavern: Postman SMTP Plugin Forked after Removal from WordPress.org for Security Issues

WPTavern: Postman SMTP Plugin Forked after Removal from WordPress.org for Security Issues
photo credit: Jerry Kiesewetter

In early October the popular Postman SMTP plugin was removed from WordPress.org due to security issues. The plugin had not been updated in two years and also contained a reflected cross-site scripting (XSS) vulnerability that was made public in June and left unfixed. The security researcher’s attempts to contact the plugin’s author, Jason Hendriks, were unsuccessful.

The plugin is used to improve the delivery of emails that WordPress generates and it logs the causes of failed emails to help eliminate configuration mistakes. It was installed on more than 100,000 sites before it was removed from WordPress.org.

Yehuda Hassine, a WordPress developer and longtime user of the plugin, decided to fork it for the sake of its users and because he thought it was a shame to see all the the original author’s hard work go to waste.

“As a fan of the amazing work Jason has done, I was amazed no one thought of taking it over,” Hassine said. “It’s a great plugin – Jason solved so many problems dealing with SMTP setup in WordPress. He worked so hard and the idea it might disappear shocked me. The plugin worked with almost zero bugs for the past two years.”

Hassine’s fork started on GitHub with fixes for the security issue, but he said he realized not having it on WordPress.org might be a problem for some users. He submitted it under a new name, Post SMTP Mailer/Email Log, and included a patch for the security vulnerability along with fixes for a few bugs with the Gmail API, Mandrill, and SendGrid. The next item on his roadmap is to fix a few issues with PHP 7 compatibility.

Hassine also requested to adopt the original plugin, as there is no way to contact the 100,000 users who depend on it. He said the WordPress.org plugin team denied his request at this time due to the number of users and his relative unfamiliarity in the community, as well as to give the original author more time to respond.

The Post SMTP Mailer/Email Log fork has been alive for a week and already has more than 1,000 users. Hassine said he is spending his free time getting to know the SMTP protocol and Hendriks’ original code. Postman SMTP users who want to switch to the fork can keep the same settings by simply deactivating the old plugin and activating the new one.

Hassine has committed to keeping the plugin free, as many of its users are somewhat technical and able to offer each other support. He said if the fork becomes popular and more difficult to maintain, he will consider a commercial model for support.

Users of the original Postman SMTP plugin had no way of learning about the reasons behind its disappearance except on third-party sites like the Wordfence blog or Facebook posts. The WordPress.org Meta team is currently working on developing a better way to communicate why certain plugins have been closed or removed from the directory. This is a high priority ticket item for the team and a solution should be in place when the next version of the plugin directory goes live.

Source: WordPress

Related Post
WPTavern: WordPress 4.9 Will Support Shortcodes and Embedded Media in the Text Widget

WPTavern: WordPress 4.9 Will Support Shortcodes and Embedded Media in the Text Widget WordPress 4.8 brought TinyMCE to the core Text widget, along with brand new Image, Video, and Audio media widgets. The upcoming 4.9 release builds on this progress and will introduce some long-awaited improvements to Text widget. Users will finally be able to […]

Read more
WPTavern: WPWeekly Episode 292 – Recap of WooConf and CaboPress

WPTavern: WPWeekly Episode 292 – Recap of WooConf and CaboPress In this episode, John James Jacoby and I are joined by Cody Landefeld, co-founder of Mode Effect. Landefeld described his experience attending WooConf as we reviewed highlights from the State of the Woo. We also discussed WooCommerce retiring its Canvas theme in favor of Storefront. Jacoby […]

Read more
WPTavern: Goodnight Firebug

WPTavern: Goodnight Firebug Twitter is lighting up with sentimental Firebug remembrances today after Mozilla announced it will reach end-of-life in the Firefox browser next month. Firebug was the first browser-based tool that allowed developers to easily inspect HTML and debug JS. It was discontinued as a separate add-on and merged into Firefox DevTools in 2016 […]

Read more