Thanks for letting us know!
We will look into it and get back to you with an update.
You are right!
The correct WordPress plugin range is < 1.2.0. The wrong < 2.2.0 came from conflicting upstream references: the CVE, SEC Consult advisory, and vendor 2.2.0 release note use 2.2.0, while WordPress vulnerability sources such as WPScan and Wordfence map the affected plugin versions to < 1.2.0.
Our merge logic was choosing the wrong side of that conflict, and we fixed it.
Thanks again for reporting this, @gabriel-reguly!
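The mis-mapped range above is easy to reproduce: a site running plugin version 1.5.0 is flagged under `< 2.2.0` but is clean under `< 1.2.0`. The block below is an added illustration, not the scanner's or any vendor's code, of how such a false positive arises and how a source-priority merge over conflicting upstream ranges avoids it. The source names, their weights, the version strings and the merge rule are assumptions made for this example only.

```python
import re
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2', '1.2.0' or '8.0.8-beta' into a comparable integer tuple."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]      # drop pre-release / build suffix
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)                              # '1.2' compares equal to '1.2.0'
    return tuple(nums)

def is_affected(installed: str, upper_exclusive: str) -> bool:
    """True when installed < upper bound, i.e. the scanner would flag the site."""
    return parse_version(installed) < parse_version(upper_exclusive)

# Assumed source weights (hypothetical): trackers that map the affected range to the
# WordPress plugin itself outrank generic references that quote the vendor's fix version.
SOURCE_WEIGHT: Dict[str, int] = {
    "wpscan": 2,
    "wordfence": 2,
    "cve": 1,
    "sec_consult_advisory": 1,
    "vendor_release_note": 1,
}

def merge_upper_bound(candidates: List[Tuple[str, str]]) -> str:
    """Pick one '< X' bound from (source, bound) pairs: highest-weight source wins,
    and within the same tier the widest bound is kept (fail towards detection)."""
    if not candidates:
        raise ValueError("no candidate ranges")
    best = max(SOURCE_WEIGHT.get(src, 0) for src, _ in candidates)
    tier = [bound for src, bound in candidates if SOURCE_WEIGHT.get(src, 0) == best]
    return max(tier, key=parse_version)

def scan(plugin_slug: str, installed: str, candidates: List[Tuple[str, str]]) -> dict:
    """Resolve the range for one plugin and report whether the installed version is in it."""
    bound = merge_upper_bound(candidates)
    return {
        "plugin": plugin_slug,
        "installed": installed,
        "upper_bound": bound,
        "affected": is_affected(installed, bound),
    }

# Constructed candidate set mirroring the conflict described in the thread:
# generic references say 2.2.0, WordPress-specific trackers say 1.2.0.
CONFLICTING: List[Tuple[str, str]] = [
    ("cve", "2.2.0"),
    ("sec_consult_advisory", "2.2.0"),
    ("vendor_release_note", "2.2.0"),
    ("wpscan", "1.2.0"),
    ("wordfence", "1.2.0"),
]

if __name__ == "__main__":
    # Naive merge (take the first reference seen) versus the weighted merge.
    naive_bound = CONFLICTING[0][1]
    print("naive   :", "1.5.0", "<", naive_bound, "->", is_affected("1.5.0", naive_bound))
    print("weighted:", scan("example-plugin", "1.5.0", CONFLICTING))
```

With the weighted merge the resolved bound is `1.2.0`, so a site on 1.5.0 is no longer reported; a site on 1.1.0 still is. The tie-break towards the wider bound inside a tier means that when equally trusted sources disagree, the scanner errs on the side of a finding rather than silence.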
Nice to see it fixed.
Looks like a promising plugin.
Today I got another false positive, but looks like it is already fixed.
“Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App [post-smtp] < 8.0.8”
Keep up the good work.
Cheers,
Gabriel
Yes, I double-checked and it looks like the latest update fixes this issue as well.
It also seems this plugin has some inconsistent versioning. I'm not sure why the versioning scheme changed.
Please let us know if you have any other feedback.