Postman SMTP Removed From The WordPress Plugin Directory
If you have been around WordPress long enough, there are some plugins that you most likely consider a staple for every website you build. Postman SMTP is one such plugin. The sad news is, WordPress took down the popular plugin from its official WordPress Plugin Directory earlier last week.
The biggest problem with this is that WordPress and the plugin developers didn’t notify the plugin users. In our case, Wordfence Security was the saving grace. We do not know how many websites are still using this plugin unaware of the potential risk. Because such news travels fast in the black-hat world, hackers might be actively traversing the web searching for WordPress websites they can compromise. You can, however, install plugins like Wordfence Security to alert you of such occurrences.
Postman SMTP Makes Your Website Vulnerable
It was earlier noted that the plugin is prone to a cross-site scripting (XSS) vulnerability. The entry quoted below describes the implications of such a vulnerability. According to Wordfence Security, one of the first reports was 3 months ago.
WordPress Plugin Postman SMTP Mailer/Email Log is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
(WordPress user UMCMS)
For WordPress pros (like us), it is easy to edit the plugin to fix the vulnerability. Yet if you have developed a large array of websites, this might be a daunting task. WordPress recommends deactivating it and looking for alternatives in the meantime. Wordfence Security made an entry describing the vulnerability in more detail.
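To show what "fails to properly sanitize user-supplied input" means in a WordPress plugin, and what the edit that fixes it looks like, here is an added illustration (not Postman SMTP's code and not its actual flaw): a hypothetical admin page that displays a log filter taken from the query string, first in the vulnerable form and then hardened with WordPress's own sanitizing and escaping functions. The function names `hypothetical_log_page_*`, the `filter` parameter and the nonce action `example_log_filter` are assumptions.

```php
<?php
// Added illustration, not Postman SMTP's own code. Shows the XSS pattern the
// advisory describes (user input rendered unescaped) next to the fix.

// VULNERABLE pattern (hypothetical): the `filter` value from the URL is echoed
// straight into HTML. Whatever markup it contains is rendered by the browser of
// whoever opens the page, which is what lets an attacker run script in the
// context of the site.
function hypothetical_log_page_vulnerable() {
    $filter = isset( $_GET['filter'] ) ? $_GET['filter'] : '';
    echo '<h2>Email log, filter: ' . $filter . '</h2>';
    echo '<input type="text" name="filter" value="' . $filter . '">';
}

// HARDENED pattern: require a capability, verify a nonce, sanitize on input and
// escape on output with the escaping function that matches the HTML context.
function hypothetical_log_page_hardened() {
    // Only administrators should reach this page at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-textdomain' ) );
    }
    // The filter form emits this nonce with wp_nonce_field( 'example_log_filter' );
    // check_admin_referer() dies if it is missing or invalid (CSRF protection).
    check_admin_referer( 'example_log_filter' );

    // sanitize_text_field() strips tags, invalid UTF-8 and stray whitespace.
    $filter = isset( $_GET['filter'] )
        ? sanitize_text_field( wp_unslash( $_GET['filter'] ) )
        : '';

    // esc_html() for text content, esc_attr() for attribute values: each encodes
    // the characters that would otherwise break out of that context.
    echo '<h2>' . esc_html( 'Email log, filter: ' . $filter ) . '</h2>';
    echo '<input type="text" name="filter" value="' . esc_attr( $filter ) . '">';
}
```

Sanitizing on input alone is not enough; the output escaping is what prevents the stored or reflected value from being interpreted as markup.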
Any Orphaned Dependencies?
Some of the most popular email and form plugins like Formidable Forms recommend Postman SMTP. It is not yet clear how many (if any) plugins need it to run well. At this point, it is safe to say you can replace Postman SMTP with any of the alternatives listed below.
What are the best alternatives?
There are a few good alternatives to Postman SMTP. It all depends on what you need from an SMTP plugin. Some of the top plugins on the basis of ratings are:
- WP Mail SMTP by WPForms
- WP Mail – WP SMTP – WordPress SMTP Plugin by Mail Bank
- Easy WP SMTP
- SMTP Mailer
Because these plugins all serve the same purpose, you might have to try each one of them.
We recommend disabling the Postman SMTP plugin until the vulnerability gets a patch. Our team is reviewing the best alternatives to find out which one is best for you. I will post a top 10 list here once we are through.
UPDATE 1 (04/11/2017):
WordPress developer yehudah has published a fork of the original plugin with the security flaw fixed. You can find it here. Installing it is a breeze since it uses the settings from the original plugin.