In early October the popular Postman SMTP plugin was removed from WordPress.org due to security issues. The plugin had not been updated in two years and also contained a reflected cross-site scripting (XSS) vulnerability that was made public in June and left unfixed. The security researcher’s attempts to contact the plugin’s author, Jason Hendriks, were unsuccessful. The plugin is used to improve the delivery of emails that WordPress generates and it logs the causes of failed emails to help eliminate configuration mistakes. It was installed on more than 100,000 sites before it was removed from WordPress.org. Yehuda Hassine, a WordPress developer and longtime user of the plugin, decided to fork it for the sake of its users and because he thought it was a shame to see all the the original author’s hard work go to waste. “As a fan of the amazing work Jason has done, I was amazed no one thought of taking it over,” Hassine said. “It’s a great plugin – Jason solved so many problems dealing with SMTP setup in WordPress. He worked so hard and the idea it might disappear shocked me. The plugin worked with almost zero bugs for the past two years.”
Share This