Support » Plugin: Postman SMTP Mailer/Email Log » Postman SMTP Mailer/Email Log is prone to a cross-site scripting vulnerability

  • WordPress Plugin Postman SMTP Mailer/Email Log is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin Postman SMTP Mailer/Email Log version 1.7.2 is vulnerable; prior versions may also be affected.

    Edit the source code to ensure that input is properly sanitised or disable the plugin until a fix is available.

Viewing 15 replies - 16 through 30 (of 38 total)
  • Hey @yehudah,
    Thank you so much for fixing this for us!

    What is the best way to make these updates so we don’t lose our current settings in the plugin, please?

    Thank you again!

    LL

    Hey @leopard-lady,

    Just turn off the plugin overwrite with my version and turn on the plugin again.
    You are welcome to open any issues in link I posted.

    Awesome. Thank you so much! You ROCK 🙂

    @diegocanal
    Fixed the issue, like to hear your feedbacks or anyone else.

    https://github.com/yehudah/Postman-SMTP

    Many, many thanks @yehuda for the two fixes, provided at no charge, you’re awesome! I know you want to keep this a zero-cost plugin, that’s so cool.

    And thank you @diegocanal for jumping in with another bug report, for contacting the author, and keep us all informed as this issue unfolds!

    With gratitude,
    Bodhi

    Time for adoption?

    @yehudah
    First, thank you for your hard work on this. I join the others in thanking you for your efforts.
    Using the approach you indicated to deactivate the plugin, overwrite the files and then reactivate it, I installed the plugin code you provide at GitHub. While the new code is working and emails are being sent, I have found one apparent issue.
    For the code to work on the host I use for several clients that blocks SMTP access to send through Google’s servers, the only option that works is the Gmail API option. While I can manually add the values needed on the Account tab to select this, the Wizard won’t select this option. When I run the Wizard, it counts down through all of the connectivity test options, but doesn’t show Gmail API or any other option as selected after it completed the Connectivity test. Nothing appears below “Your connection settings depend …” If I then click on the Next button, the Connectivity Test flag turns red. The wizard won’t go any further.
    If I overwrite your revised code with the code for the original plugin, the Connectivity test completes and indicates Gmail API is the recommended solution. I can then complete the next steps in the wizard.
    Please let me know if you have any questions or if you need any more information from me.
    Once again, thank you for your work on this!
    Scott

    @scott5598 & others finding problems – I’d recommend you add your problem as an issue at https://github.com/yehudah/Postman-SMTP/issues.

    This provides an easy to access list of current issues for developers willing to contribute to the ongoing development of this Postman-SMTP fork.

    Good suggestion! I just posted it to GitHub.
    Thanks Neil!

    That’s great 🙂 – I see it’s already getting some action https://github.com/yehudah/Postman-SMTP/issues/3

    BIG NEWS!

    The fork (fixed version) by @yehudah (props to him!) has got approved in the WordPress Directory. This is so great as (in the words of @buzztone) it definitely provides a much easier option for most WordPress users to replace their current Postman-SMTP install ( which they should do urgently because it has a serious security vulnerability). You can find it in https://wordpress.org/plugins/post-smtp/.

    The Github repo has been moved here: https://github.com/yehudah/Post-SMTP.

    All of us should be so excited that now we know Postman SMTP Mailer/Email Log is going to survive, with its new shiny name Post SMTP Mailer/Email Log.

    Long life to Post SMTP Mailer/Email Log! Thank you @yehudah!

    Rob

    (@robdobson)

    That’s great news! Thank you @yehudah!

    So if I uninstall Postman SMTP and install Post SMTP Mailer/Email Log will all my settings be retained? Or should I install the Post SMTP Mailer plugin first?

    Thanks in advance.

    Congratulations, that’s great news!

    As the plugin name has changed, some simple instructions on how to install this new version OVER and existing Postman installation, without losing existing settings, would be more than welcome.

    I just installed it and then deactivated the Postman plugin and all was good, settings in place

    @steveb123
    Thanks for the update!

    Everyone this is the same plugin (plus a few fixes) except the name.

Viewing 15 replies - 16 through 30 (of 38 total)
  • The topic ‘Postman SMTP Mailer/Email Log is prone to a cross-site scripting vulnerability’ is closed to new replies.