Postman SMTP Plugin Forked after Removal from WordPress.org for Security Issues

photo credit: Jerry Kiesewetter

In early October the popular Postman SMTP plugin was removed from WordPress.org due to security issues. The plugin had not been updated in two years and contained a reflected cross-site scripting (XSS) vulnerability that was made public in June and left unfixed. The security researcher's attempts to contact the plugin's author, Jason Hendriks, were unsuccessful.
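For readers unfamiliar with the class of bug: a reflected XSS in a plugin's admin screen almost always means a request parameter is written into the page without escaping, so a crafted link executes script in the browser of whoever opens it. The snippet below is an added, generic illustration of that pattern and of the fix using WordPress's own sanitizing and escaping helpers. It is not code from Postman SMTP or from the fork, the page does not say where in the plugin the actual flaw was, and the function names and the `tab` parameter are invented for the example.

```php
<?php
// Added illustration only; not Postman SMTP's code. Function names and the
// "tab" parameter are invented. A reflected XSS means attacker-controlled
// request data ends up in the HTML response unescaped.

// Vulnerable pattern: a query-string value is echoed straight into the markup.
// A logged-in user who opens ?page=demo&tab=<script>...</script> runs the script.
function demo_settings_tab_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<h2 class="nav-tab-wrapper">Current tab: ' . $tab . '</h2>';
    echo '<input type="hidden" name="tab" value="' . $tab . '">';
}

// Hardened pattern: unslash and sanitize on input, restrict an enum-like value
// to a known list, and escape for the exact output context (esc_html for text
// nodes, esc_attr inside attributes).
function demo_settings_tab_hardened() {
    $allowed = array( 'general', 'logs', 'advanced' );
    $tab     = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    if ( ! in_array( $tab, $allowed, true ) ) {
        $tab = 'general';
    }
    echo '<h2 class="nav-tab-wrapper">Current tab: ' . esc_html( $tab ) . '</h2>';
    echo '<input type="hidden" name="tab" value="' . esc_attr( $tab ) . '">';
}
```

The practical caveat is that a reflected XSS does not fire on its own: someone with access to the settings page, usually an administrator, has to open an attacker-supplied link. Once they do, the script runs with that user's cookies and nonces, which is why an unpatched XSS in an admin-facing plugin is treated as serious even though it needs user interaction.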

The plugin is used to improve the delivery of emails that WordPress generates and it logs the causes of failed emails to help eliminate configuration mistakes. It was installed on more than 100,000 sites before it was removed from WordPress.org.

Yehuda Hassine, a WordPress developer and longtime user of the plugin, decided to fork it for the sake of its users and because he thought it was a shame to see all of the original author's hard work go to waste.

“As a fan of the amazing work Jason has done, I was amazed no one thought of taking it over,” Hassine said. “It’s a great plugin – Jason solved so many problems dealing with SMTP setup in WordPress. He worked so hard and the idea it might disappear shocked me. The plugin worked with almost zero bugs for the past two years.”

Hassine’s fork started on GitHub with fixes for the security issue, but he said he realized not having it on WordPress.org might be a problem for some users. He submitted it under a new name, Post SMTP Mailer/Email Log, and included a patch for the security vulnerability along with fixes for a few bugs with the Gmail API, Mandrill, and SendGrid. The next item on his roadmap is to fix a few issues with PHP 7 compatibility.

Hassine also requested to adopt the original plugin, as there is no way to contact the 100,000 users who depend on it. He said the WordPress.org plugin team denied his request at this time because of the plugin's large user base and the fact that he is relatively unknown in the community, and to give the original author more time to respond.

The Post SMTP Mailer/Email Log fork has been alive for a week and already has more than 1,000 users. Hassine said he is spending his free time getting to know the SMTP protocol and Hendriks’ original code. Postman SMTP users who want to switch to the fork can keep the same settings by simply deactivating the old plugin and activating the new one.

Hassine has committed to keeping the plugin free, as many of its users are somewhat technical and able to offer each other support. He said if the fork becomes popular and more difficult to maintain, he will consider a commercial model for support.

Users of the original Postman SMTP plugin had no way of learning about the reasons behind its disappearance except on third-party sites like the Wordfence blog or Facebook posts. The WordPress.org Meta team is currently working on developing a better way to communicate why certain plugins have been closed or removed from the directory. This is a high priority ticket item for the team and a solution should be in place when the next version of the plugin directory goes live.

8 Comments


  1. It would be great if we could get a list of "orphaned" plugins. This way we can educate ourselves and possibly adopt some of them.


  2. I searched for Postman over the weekend and was confused why I could not find it.

    Clicking on a link to Postman SMTP redirected me to the main WordPress plugin page.
    Then, there was the similarly named Post SMTP Mailer/Email Log. Did the plugin have a new name? Did I remember the wrong name? Should I download it from an alternate source?

    It’s ridiculous that a plugin can be removed due to security reasons and there’s no explanation left behind.


    1. Hi Alan,
      As the article explained, Postman SMTP was removed because of a security issue.
      Security-related stuff can't be explained, so as not to hurt the users who are still using it.

      I have used the last version and updated it.
      I used a new name because the original name is still used in the WordPress directory, nothing else.
      You can be sure it's completely safe to download my version.
      All of your settings will be saved.


      1. Yehuda,

        I installed your plugin yesterday and it’s working great.
        Thank you for picking it up.

  3. I am happy to hear this plugin will continue to be supported. Thank you Yehuda for taking over a wonderful plugin!

    I updated about 50 websites with the plugin today.


  4. Thumbs up for Yehuda!
    His fork works like a charm.
    It’s incredible users of former versions can’t even go to the original WP repo page and get some info about what happened and where the new version is to be found…


  5. Thanks Yehuda. You have helped many by adopting Postman. Any plan/road map for new features?
