16 Feb 2024

Not Really a WordPress Plugin Vulnerability, Week of February 16

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports of things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ SQL Injection in POST SMTP

WPScan is claiming that the WordPress plugin POST SMTP contained an admin+ SQL injection vulnerability. Presumably, they mean the attacker would need to be logged in as an Administrator, but that isn’t clear from their description, which says it is “exploitable by high privilege users such as admin.” If it were only accessible to Administrators, that wouldn’t be a vulnerability unless there was also a cross-site request forgery (CSRF) issue, since an Administrator already has full control of the website and gains nothing from the SQL injection. [Read more]

5 Dec 2023

Plugin That is Part of Patchstack’s Vulnerability Disclosure Program (VDP) Is Still Adding Vulnerable Code

In September, we wrote about how the WordPress plugin POST SMTP, which has 300,000+ installs, still contained SQL injection issues months after a public claim of a vulnerability involving that (and it still does today). We also noted that the plugin was part of the Vulnerability Disclosure Program (VDP) run by one of our competitors, Patchstack. The program doesn’t really make sense, as we noted at the time, because you are contacting a third-party security provider instead of the developer of the software, who is the one who can actually address vulnerabilities. It also wasn’t possible through that program to report security issues that are not vulnerabilities, despite the need for the developer to address them. If a plugin developer is part of that program, it suggests they lack an interest in properly securing their plugins, and the security of this plugin continues to point to that.

While reviewing yet another attempt at a security fix in the plugin, made on November 1, we noticed that new vulnerable code was being added to the plugin. The new code fails to implement a basic security measure, and the plugin appears to contain multiple other vulnerabilities because of other instances of the same failure. [Read more]

8 Sep 2023

Plugin That is Part of Patchstack’s Vulnerability Disclosure Program (VDP) Still Contains Publicly Disclosed SQL Injection Issue

Often when we review claims about vulnerabilities in WordPress plugins, we find that the issues have only been partially addressed. That is the case with a vulnerability in the plugin POST SMTP, which has 300,000+ installs. The plugin vulnerability data provider WPScan released a rather vague report about a vulnerability in that plugin in June. It lacks a lot of information, such as what the vulnerable code is or how it was fixed. It does contain this note:

Note: The AJAX actions are also affected by SQL injections, making the issue easier to exploit by being able to choose which email to resend, for example the latest email related to a password reset [Read more]

25 Nov 2022

Not Really a WordPress Plugin Vulnerability, Week of November 25

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports of things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ Blind SSRF in Post SMTP

Automattic’s WPScan claimed an admin+ blind SSRF vulnerability had existed in Post SMTP. The description doesn’t make sense: [Read more]

23 Aug 2019

Closures of Very Popular WordPress Plugins, Week of August 23

While we are already far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn’t an exaggeration), in looking into how we could get even better we noticed something about a recent instance where a vulnerability was exploited in a plugin: we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory, instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like the closure was due to a vulnerability.

This week two of those plugins were closed and both of them have been reopened. [Read more]

16 Aug 2019

Cross-Site Request Forgery (CSRF) Vulnerability in Post SMTP

As part of the security review of the plugin Post SMTP that we did after it was selected for a review by our customers, we found that the plugin contains a cross-site request forgery (CSRF) vulnerability that would cause all of the plugin’s email logs to be deleted.

The plugin’s Email Log admin page is accessible to those with the plugin’s MANAGE_POSTMAN_CAPABILITY_LOGS: [Read more]
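The two Post SMTP items above, the admin+ SQL injection (where the point is that an admin-only issue only matters when CSRF lets an attacker trigger it) and the CSRF that deletes the plugin’s email logs, come down to the same missing check in a WordPress admin action handler. The following is an added example written for this page, not code from Post SMTP or from the original post: a hypothetical "delete log entries" handler for an invented `example_email_log` table, with an invented `example_delete_logs` action name and a standard WordPress capability standing in for the plugin's own constant. The first version is reachable only by users with that capability, but carries no nonce and concatenates a form field into SQL; the second adds the nonce check that closes the CSRF and a prepared statement that closes the SQL injection.

```php
<?php
/**
 * Added example (hypothetical plugin code, not from Post SMTP).
 *
 * A WordPress admin_post handler that deletes email log rows, shown with the
 * two defects discussed above and then hardened. Table, action and form names
 * are invented for the example.
 */

// Stand-in for a plugin-specific capability constant such as the one named above.
const EXAMPLE_LOG_CAPABILITY = 'manage_options';

// --- Vulnerable version ----------------------------------------------------
// The capability check means only an Administrator can reach this code, so on
// its own the SQL injection is "admin+": the Administrator could already do
// anything. What makes it exploitable is that nothing ties the request to an
// action the Administrator intended. A page on another site can auto-submit a
// form to admin-post.php, and the browser attaches the logged-in cookies, so
// the attacker chooses the value of $_POST['status'] (CSRF + SQL injection).
function example_delete_logs_vulnerable() {
    global $wpdb;
    if ( ! current_user_can( EXAMPLE_LOG_CAPABILITY ) ) {
        wp_die( 'Not allowed' );
    }
    $status = $_POST['status']; // unvalidated, e.g. "x' OR '1'='1" deletes every row
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_email_log WHERE status = '$status'" );
    wp_safe_redirect( admin_url( 'admin.php?page=example-log' ) );
    exit;
}

// --- Hardened version ------------------------------------------------------
function example_delete_logs_hardened() {
    global $wpdb;
    if ( ! current_user_can( EXAMPLE_LOG_CAPABILITY ) ) {
        wp_die( 'Not allowed' );
    }
    // CSRF protection: check_admin_referer() verifies the _wpnonce field that
    // wp_nonce_field() emitted for this action. The nonce is only present in a
    // page WordPress rendered for this user, so a cross-site form cannot supply
    // a valid one, and a failed check stops execution.
    check_admin_referer( 'example_delete_logs' );

    $status = sanitize_key( wp_unslash( $_POST['status'] ?? '' ) );
    // SQL injection protection: the value is bound as a string parameter and
    // can no longer change the structure of the query.
    $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->prefix}example_email_log WHERE status = %s",
            $status
        )
    );
    wp_safe_redirect( admin_url( 'admin.php?page=example-log' ) );
    exit;
}
add_action( 'admin_post_example_delete_logs', 'example_delete_logs_hardened' );

// The admin page form must carry the matching nonce for the hardened handler
// to accept the request.
function example_render_delete_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_delete_logs">
        <?php wp_nonce_field( 'example_delete_logs' ); ?>
        <label>Status to delete <input type="text" name="status" value="failed"></label>
        <?php submit_button( 'Delete matching log entries' ); ?>
    </form>
    <?php
}
```

Order matters in the hardened handler: the capability check establishes who the user is, and the nonce check establishes that this user meant to perform this action; only the two together make an admin-only action safe. Fixing the SQL injection alone would leave the log deletion CSRF in place, which is the situation the 2019 review describes, and fixing the CSRF alone would make the remaining SQL injection an admin+ issue of the kind the 2024 item argues is not a vulnerability on its own.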

16 Aug 2019

WordPress Plugin Security Review: Post SMTP

For our 32nd security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Post SMTP.

If you are not yet a customer of the service, once you sign up as a paying customer you can start suggesting and voting on plugins to get security reviews. For those already using the service who haven’t yet suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates for a review. You can also order a review of a plugin separately from our service. [Read more]