Postman SMTP Plugin With Unpatched Vulnerability Removed From Directory

We have received a number of questions regarding the Postman SMTP plugin which was removed from the WordPress.org directory this week. According to an archived snapshot, the plugin is installed on over 100,000 websites. We assume it was removed because it contains a publicly known reflected cross-site scripting (XSS) vulnerability that has not been fixed. Both Wordfence Free and Premium users who have the firewall enabled have been protected against attempts to exploit this vulnerability from day one. In addition, we alerted all Wordfence users who have the plugin installed when it was removed from the plugin directory.

Timeline

On June 29, an unnamed security researcher published the details of the vulnerability, including a proof of concept. A proof of concept is a demonstration that shows the plugin author (and in this case the entire internet, including potential attackers) how to exploit the security vulnerability. The security researcher had apparently attempted to reach the author but had been unable to.

On October 4 (we think, as we have no way of confirming the exact date), the WordPress.org directory team removed the plugin.

Also on October 4, someone named Diego (no last name given) reported in comments on the original vulnerability disclosure post that he had reached the author, so hopefully a fix will be released soon.

Wordfence Firewall Includes Robust XSS Protection

The Wordfence firewall includes protection against new and emerging XSS attacks. Both Wordfence Free and Premium users have been protected against this attack since (and before) it was made public. This is a great example of why using a firewall to protect your website is so important: you are immediately protected against most new threats.

In cases where we don’t already protect against a new threat, we develop a new firewall rule, deploying it to our Premium customers in real-time and free customers 30 days later. This ‘virtual patching’ by our security analysts and developers keeps your sites safe.

Wordfence Alerts You When Plugins Are Removed From WordPress.org

When plugins you have installed on your site are removed from WordPress.org, Wordfence alerts you. There is a long list of reasons why the plugin team at WordPress.org might remove a plugin from the directory. One common reason is that someone has discovered a security vulnerability that has not yet been fixed. Since they don’t publicly announce that plugins have been removed, nor why, it is prudent for site owners to treat the plugin as a potential security risk and take reasonable precautions.

We wrote at length about how to handle this situation when we released this feature back in June as a part of the 6.3.11 release.

What To Do

If you have the Postman SMTP plugin installed on your site, we suggest that you remove it immediately. It contains an unpatched security vulnerability and it appears the author may have abandoned it.

If you haven’t already, we suggest that you install Wordfence on all of your WordPress websites. It will alert you when your plugins have been abandoned or removed from the WordPress directory. Its firewall will also protect you against new and emerging attacks.

Finally, consider upgrading to Wordfence Premium if you haven’t already. The real-time firewall rule updates will protect you from the latest threats. In addition, the real-time IP blacklist will stop all attacks from the most malicious IPs, regardless of what they’re up to.

Comments
  • Hi Mark,

    If I have the Postman SMTP plugin AND Wordfence installed, is it still necessary to remove Postman SMTP? Or will Wordfence cover me against XSS attempts while we wait a few days and see if the plugin gets updated?

    Thanks, David.

    • Hi David, that's a judgement call. You are protected against the XSS exploit attempts, but since the plugin appears to be abandoned it is hard to say what else might be discovered and exploited in the future. If it were my site I would remove it.

  • Thank you for the heads-up on this! Do you have any recommendations for plugins that can be used to replace the functionality of the Postman SMTP plugin?

    Thanks!

    • I am personally using the Gmail SMTP plugin since discovering that Postman was removed from the WordPress plugin directory. I was using Postman because it provided the ability to send mail via the Gmail OAuth, which is a good secure option for sending mail from websites and does not require you to change your Google Admin settings to send from unsecured programs (I might have butchered the name of that setting). It seems to work just as well as Postman did.

      If you're not relying on Google/Gmail OAuth and you're just putting in SMTP server, ports, logins, and that sort of thing, Easy WP SMTP is a pretty easy to set up solution.

      Just make sure you disable Postman before adding any new plugins as you don't want to cause a conflict between the active plugins.

  • Thanks for bringing this to our notice. I have been using this plugin since I created my site; yes, this plugin was not updating regularly. So all we have to do is just remove the plugin? That's all we need to do at this point?

    • Yes, removing the plugin from your site mitigates the risk related to the unpatched XSS vulnerability completely.

  • Since this got posted I moved over to Gmail SMTP which has similar functionality (although not quite as intuitive an interface).

  • Thanks! I just removed the plugin.

    Is there a good free replacement?

    jb

  • There is an older version of this plugin still out in the repository - Postman Gmail API Extension - https://wordpress.org/plugins/postman-gmail-extension/

    This hasn't been updated in 2 yrs. If you have this version you might want to uninstall as well.

  • I recommend as a replacement the "WP Mail SMTP by WPForms" I've been using it for a long time and it's well-suited for my needs, works like a charm.
    https://wordpress.org/plugins/wp-mail-smtp/

    • This is the plugin I always use as well. Very simple to configure and works great.

  • This is a bit off topic, but it's along the same lines.

    I have had two plugins that required an update in the last few days. I received a notification from Wordfence (the best security software that's ever been recommended to me, ever); however, after installing the update, I get warnings that "This file belongs to plugin "WP XXXX" version "12.x.x" and has been modified from the file that is distributed by WordPress.org for this version."
    Is it that Wordfence has not received the updated plugin (it's the free version I'm using) or should I be worried and revert back to the previous version?

    Any help would be most gratefully appreciated

    Robert

    • Hi Robert, we are unable to provide support in the comments of our blog posts, but if you use the free version of the plugin, please feel free to post in our support forums, and if you're a Premium user, please submit a support ticket by logging in to your Wordfence.com account and clicking on the SUPPORT button. Our support team will be happy to help you either way!

  • We use WP Engine for site hosting. WPE blocks all SMTP ports so you cannot use SMTP for Email transport. However, Postman supports the APIs for both Mandrill and Gmail and gets around the no-SMTP issue. Looking at the mail plugins on WordPress.org there are only a few that use the APIs as opposed to SMTP.

    There is a plugin from Mandrill that supports their API. It mangles any plain text Email (like a password reset Email) so I favored Postman over the solution from the vendor. In my research, I see the Mandrill plugin offers a hook to prevent the plain text alterations and I can code that, but Postman works out of the box with no changes.

    The fix was identified as a change to a single line of code. I plan to try that out against the bug's proof of concept.

    Nothing else was as complete as Postman. I hope the author will make the update.

  • So what to use?
    Some of my sites have problems sending forms and it helps them send the forms.

  • Someone named Yehuda Hassine has uploaded a fixed version on GitHub (https://github.com/yehudah/Postman-SMTP).

    I can see he has modified the following files:
    • /Postman-Auth/PostmanGoogleAuthenticationManager.php
    • /Postman-Auth/PostmanMicrosoftAuthenticationManager.php
    • /Postman-Auth/PostmanYahooAuthenticationManager.php
    • /Postman-Email-Log/PostmanEmailLogController.php
    • /Postman-Email-Log/PostmanEmailLogService.php
    • /PostmanAjaxController.php
    • /PostmanUtils.php

    He has used FILTER_SANITIZE_STRING and intval.

    Thank you Wordfence for protecting my sites. Even though I was running Postman SMTP in most of them, they stayed protected thanks to your awesome plugin. I can assure that because I launched an attack on my own sites and Wordfence repelled all of them.
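The post describes the plugin's flaw only as a reflected XSS, and the comment above notes that the fix used FILTER_SANITIZE_STRING and intval. The following PHP is an added illustration written for this page; it is not code from Postman SMTP, from the patched fork, or from Wordfence. It shows the generic shape of a reflected XSS in a WordPress admin-ajax handler next to a hardened version that validates input types and escapes for the output context. All function names prefixed `hypothetical_` and the nonce action name are assumptions; `intval`, `sanitize_text_field`, `esc_html`, `esc_url`, `check_ajax_referer` and `current_user_can` are real PHP/WordPress functions. Note that `FILTER_SANITIZE_STRING` is deprecated since PHP 8.1, so the hardened version uses WordPress's own sanitizer instead.

```php
<?php
// Added illustration, not the plugin's own code. Assumes it runs inside
// WordPress (admin-ajax.php), where the wp_* / esc_* / sanitize_* helpers exist.

// --- Vulnerable pattern: request parameters are echoed straight into HTML ---
function hypothetical_log_view_vulnerable() {
    $id   = $_GET['id'];   // expected to be a numeric log entry id
    $page = $_GET['page']; // expected to be a plain menu slug
    // Whatever the request supplies is rendered as markup. A crafted link that
    // an administrator clicks therefore runs in the administrator's browser:
    // reflected XSS.
    echo '<a href="?page=' . $page . '&id=' . $id . '">Entry ' . $id . '</a>';
}

// --- Hardened pattern: authorize, validate the type, then escape per context ---
function hypothetical_log_view_hardened() {
    // 1. Only reachable by a logged-in admin with a valid nonce
    //    ('hypothetical_log_view' is an assumed nonce action name).
    check_ajax_referer( 'hypothetical_log_view' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }

    // 2. Numeric input is coerced with intval(): a markup payload becomes 0,
    //    which is then rejected as an invalid id.
    $id = isset( $_GET['id'] ) ? intval( $_GET['id'] ) : 0;
    if ( $id <= 0 ) {
        wp_die( 'Invalid log entry id', 400 );
    }

    // 3. Free-form text is sanitized on input. The comment above mentions
    //    filter_var( $s, FILTER_SANITIZE_STRING ), which strips tags but is
    //    deprecated since PHP 8.1; sanitize_text_field() is the WordPress
    //    equivalent and is used here instead.
    $page = isset( $_GET['page'] )
        ? sanitize_text_field( wp_unslash( $_GET['page'] ) )
        : '';

    // 4. Escape for the context the value lands in: esc_url() for the href
    //    attribute, esc_html() for text content. Input sanitization alone is
    //    not enough; output escaping is what closes the reflection.
    $href = add_query_arg( array( 'page' => $page, 'id' => $id ) );
    echo '<a href="' . esc_url( $href ) . '">Entry ' . esc_html( $id ) . '</a>';
}
```

The defensive point is the pairing in steps 2 to 4: intval() and sanitize_text_field() constrain what comes in, while esc_url() and esc_html() make whatever remains inert in the specific HTML context it is written to. A firewall rule, as the post describes, can block known reflection patterns in transit, but only the output escaping in the handler removes the bug itself.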

  • This literally got removed as I was installing it into 3 sites.

    I found it as it allowed you to send custom headers. Installed it into one site, configured and tested, then went to add it to the other 2 sites and poof, it was gone.
    Thinking it was a glitch I downloaded it from the first site and uploaded to the other 2.

    Removed after seeing this post a couple of days later but I didn't get any emails about it being removed from the directory.

    Bit of a shame as it was the only one I could find that allowed custom headers and had a nice logging functionality.

  • The version of Postman SMTP on GitHub is updated to fix that issue. https://github.com/yehudah/Postman-SMTP

    • I wonder if Jason Hendriks (the original author of Postman-SMTP) has been contacted regarding this fix. Perhaps he would be willing to let others contribute to this plugin or alternatively take over the plugin on wordpress.org.

      • I've found there is some discussion on continuing development of Postman-SMTP at https://wordpress.org/support/topic/continuing-development-2/

  • Thanks Diego!

  • BIG NEWS!

    The patched version of “Postman SMTP Mailer/Email Log” by Yehuda Hassine (@yehudah, our hero, props to him!) has been approved in the WordPress Directory. Fortunately, in the end, “Postman SMTP Mailer/Email Log” is going to survive, under the name of “Post SMTP Mailer/Email Log”. You can find it in the WordPress directory at: https://wordpress.org/plugins/post-smtp/. On the other hand the GitHub repo has been moved here: https://github.com/yehudah/Post-SMTP.

    Jason Hendriks (the original author) remains as a contributor but Yehuda Hassine will take the lead.

    Yehuda Hassine not only patched the aforesaid vulnerability, he has also fixed another bug that had been around for more than 6 months.

    Long life to "Post SMTP Mailer/Email Log"!

    Thank you Yehuda!

  • Thanks Diego, both for this update and for your continued support on the WordPress Support forum as this issue unfolded. And I agree with you, big thanks are also due to Yehuda for the bug fixes, for taking the lead in maintaining the plugin, and for getting the plugin reinstated in the WP plugin repository.

    I also want to acknowledge and thank you, Dan Moen and rest of the Wordfence team for your proactive efforts to bring this issue to my attention. Without that security alert, it could have taken months before I even suspected there was a problem.

    Finally, to all of you who participated openly, or behind the scenes, I send blessings and gratitude. I am honored and humbled to bear witness to the exemplary teamwork and spirit of community that has emerged during the course of this entire undertaking. My world is made a far better and brighter place by the presence of people like you in it.