In early October the popular Postman SMTP plugin was removed from WordPress.org due to security issues. The plugin had not been updated in two years and also contained a reflected cross-site scripting (XSS) vulnerability that was made public in June and left unfixed. The security researcher’s attempts to contact the plugin’s author, Jason Hendriks, were unsuccessful.
The plugin is used to improve the delivery of emails that WordPress generates and it logs the causes of failed emails to help eliminate configuration mistakes. It was installed on more than 100,000 sites before it was removed from WordPress.org.
Yehuda Hassine, a WordPress developer and longtime user of the plugin, decided to fork it for the sake of its users and because he thought it was a shame to see all the the original author’s hard work go to waste.
“As a fan of the amazing work Jason has done, I was amazed no one thought of taking it over,” Hassine said. “It’s a great plugin – Jason solved so many problems dealing with SMTP setup in WordPress. He worked so hard and the idea it might disappear shocked me. The plugin worked with almost zero bugs for the past two years.”
Hassine’s fork started on GitHub with fixes for the security issue, but he said he realized not having it on WordPress.org might be a problem for some users. He submitted it under a new name, Post SMTP Mailer/Email Log, and included a patch for the security vulnerability along with fixes for a few bugs with the Gmail API, Mandrill, and SendGrid. The next item on his roadmap is to fix a few issues with PHP 7 compatibility.
Hassine also requested to adopt the original plugin, as there is no way to contact the 100,000 users who depend on it. He said the WordPress.org plugin team denied his request at this time due to the number of users and his relative unfamiliarity in the community, as well as to give the original author more time to respond.
The Post SMTP Mailer/Email Log fork has been alive for a week and already has more than 1,000 users. Hassine said he is spending his free time getting to know the SMTP protocol and Hendriks’ original code. Postman SMTP users who want to switch to the fork can keep the same settings by simply deactivating the old plugin and activating the new one.
Hassine has committed to keeping the plugin free, as many of its users are somewhat technical and able to offer each other support. He said if the fork becomes popular and more difficult to maintain, he will consider a commercial model for support.
Users of the original Postman SMTP plugin had no way of learning about the reasons behind its disappearance except on third-party sites like the Wordfence blog or Facebook posts. The WordPress.org Meta team is currently working on developing a better way to communicate why certain plugins have been closed or removed from the directory. This is a high priority ticket item for the team and a solution should be in place when the next version of the plugin directory goes live.