Back in June we disclosed a minor vulnerability that we had discovered in the plugin Postman SMTP. We were not able to contact the developer of the plugin, and it hasn’t been fixed since we disclosed it. In the past we would have notified the Plugin Directory of the issue and the plugin would have been removed. However, due to WordPress’ continued poor handling of security-related matters, we have suspended reporting publicly disclosed vulnerabilities in the current version of plugins until they take concrete steps to start notifying people when they are using removed plugins and to improve their forum moderation (which causes problems for people trying to get vulnerabilities fixed).
Whether due to this vulnerability or something else the plugin was removed from the Plugin Directory yesterday. In looking to see if there was any information that indicated there might be some other issue with the plugin we noticed this recent tweet:
Sending WordPress email can get frustrating at times. Discover Postman SMTP to make email easy! https://t.co/xXZkmsswNX
— Ninja Forms (@ninjaforms) September 27, 2017
So the makers of a very popular contact form plugin, Ninja Forms, which has 900,000+ active installs, were recommending using a plugin with a known security vulnerability. It seemed possible that this wasn’t a new recommendation, just a new tweet for something they had written some time ago. But in looking at the linked post, it turned out it was from September 27. It also turned out they were not just recommending the plugin, but also using it:
Postman SMTP is one of the two services that we recommend highly and use internally (the other being Mailgun). We’ll spend the next few minutes introducing them to you and covering the (very easy) setup process. Let’s look at making email easy again! 🙂
If Ninja Forms had been using our service they would have been notified back in June that they were using a plugin with a known vulnerability. We then could have helped them work out how best to handle the situation, including providing them a fix until the developer resolved the issue in a new version or they moved to another plugin. They then also could have avoided recommending something with a known vulnerability.
For those aware that there are other data sources available through plugins/services and thinking Ninja Forms could have used them, think again. We just checked and found that the WPScan Vulnerability Database and ThreatPress, both of which we mentioned recently, don’t have the vulnerability in their data sets, even though it was publicly disclosed over three months ago.
The Ninja Forms post also makes a claim that seems inaccurate, as one of the “three big reasons” given to use it is:
The plugin had not been updated in two years as of its removal yesterday and was only listed as being compatible with up to WordPress 4.4.
For those who want to keep securely using a plugin that has been abandoned, we now offer a service for taking over and maintaining such plugins, which includes us doing a security review like the ones we do for plugins suggested/voted for by the customers of our service.