I think this is probably why:
XSS Vulnerability and not updated
Removal from the repo is usually done when a plugin has unpatched security vulnerabilities and the developer isn’t responding (or at least responding quickly). Given that there is at least one known vulnerability that hasn’t been addressed and the developer rarely responds here and hasn’t updated the plugin for over a year, removal isn’t particularly surprising.
This was an incredibly well-crafted plugin, but I’ve had to stop using it on sites I support because it’s apparently become unsupported. Not too long ago the developer responded to a support request saying no updates have been made because none were necessary. That’s clearly not true, as now evidenced by the removal from the repo. It will be interesting to see if the developer now responds or if this is the end of the line for the plugin.
I used this plugin often as well. Can someone please recommend an alternative plugin to use?
The problem with both Google SMTP and Mail Bank is that both plugins only support standard SMTP. Some hosts (e.g. Bluehost) refuse to allow SMTP (the necessary ports are closed) for shared accounts. Postman SMTP was the only “simple” (i.e., not a full email service like SendGrid) SMTP plugin I know of that supported OAUTH2 AND the Gmail API–which doesn’t require an SMTP port. (Google SMTP SAYS it supports the Gmail API, but it’s incorrectly using the term to mean OAUTH2.)
What we need is a brave soul who will administer the fix that is outlined in the above link and take over the plugin and maintain it.
It really is/was the best mail plugin on WP.
I have already applied the fix (it is only one line), but it would be better if this plugin was back on WP and being supported.
Oh . . . I just posted the same question on another thread:
Hopefully he’ll reply and help us out 🙂
The best source for this vulnerability disclosure is the actual source here:
The fix is simply to change:
value="<?php echo $_REQUEST['page'] ?>" />
on line 346 of the file /Postman/Postman-Email-Log/PostmanEmailLogController.php to:
value="<?php echo esc_attr($_REQUEST['page']) ?>" />
This is untested but I’ll test it against the POC this weekend…
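The following regression check is an added example, not part of the original post and not the plugin's code. It renders the field both ways and parses the result to see whether a double quote in `page` escapes the `value` attribute. The `<input type="hidden" name="page">` wrapper, the function names, the sample value and the `esc_attr()` stand-in used outside WordPress are all assumptions.

```php
<?php
// Added example, not Postman SMTP's code. Outside WordPress esc_attr() does not
// exist, so this stand-in (an assumption) approximates it with htmlspecialchars().
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// The two forms of the field from the post: raw echo vs. esc_attr().
// The element type and name attribute are assumed; the post shows only value=.
function render_unpatched(array $request) {
    return '<input type="hidden" name="page" value="' . $request['page'] . '" />';
}
function render_patched(array $request) {
    return '<input type="hidden" name="page" value="' . esc_attr($request['page']) . '" />';
}

// Parse the markup and return the attributes a browser would see on <input>.
function input_attributes($html) {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // keep parser warnings out of the output
    $doc->loadHTML($html);
    $attrs = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    foreach ($input->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

// Constructed test value: the double quote closes value="" and adds an attribute.
$request = ['page' => 'example_page" data-injected="1'];

foreach (['unpatched' => 'render_unpatched', 'patched' => 'render_patched'] as $label => $fn) {
    $attrs = input_attributes($fn($request));
    // Anything beyond type/name/value means the request data became markup.
    $extra = array_diff(array_keys($attrs), ['type', 'name', 'value']);
    printf("%-9s extra attributes: %s\n", $label, $extra ? implode(', ', $extra) : 'none');
    printf("%-9s value round-trips: %s\n", $label, $attrs['value'] === $request['page'] ? 'yes' : 'no');
}
```

Inside a WordPress install the stand-in is skipped and the real `esc_attr()` is exercised instead.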
@ Jon Brown
I have changed the source code with your fix,
all things work fine.
I’m keeping the development here:
security issue is fixed and a bug with Google API.
More than welcome to download.
- The topic ‘removed from repo?’ is closed to new replies.