29 Mar 2019

Cross-Site Request Forgery (CSRF)/Email Sending Vulnerability in SMTP Mailer

Yesterday one of the 1,000 most popular WordPress plugins, SMTP Mailer, was closed on the Plugin Directory. It is not clear to us why it was closed, as subsequent to the closure a new version was released with the following accurate changelog entry, “SMTP Mailer no longer shows the saved password in the settings.”, and the plugin was reopened. Seeing as the password was shown on a page normally only accessible to Administrators, and Administrators normally have the ability to do just about anything, it isn’t clear what the issue was here that would justify the closure. When we went to try to get a better understanding of that, we noticed there is a clear security vulnerability in the most recent version of the plugin, which could allow an attacker to cause logged-in WordPress Administrators to send out emails without intending to.

When we went to look at the settings page, we saw there was also a tab for sending a “Test Email”:
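As an added illustration (not code from SMTP Mailer or from the original post), the shape of the problem described above in a hypothetical WordPress plugin: a test-email handler that acts on any POST it receives, beside one that verifies a WordPress nonce and the user's capability before sending. The `csrfdemo_` names, the form field names and the `manage_options` capability choice are assumptions.

```php
<?php
// Added illustration (not SMTP Mailer's code): a "Test Email" handler in a
// hypothetical WordPress plugin, first in the CSRF-prone shape, then hardened.

// BEFORE: any POST carrying these fields is acted on. A logged-in administrator
// whose browser submits a form from another site would send the email, because
// nothing ties the request to a form this site itself rendered.
function csrfdemo_insecure_test_email() {
    if ( isset( $_POST['csrfdemo_test_email'] ) ) {
        wp_mail( $_POST['csrfdemo_to'], 'Test Email', 'This is a test message.' );
    }
}

// AFTER: render the form with a nonce and a dedicated admin-post action...
function csrfdemo_render_test_email_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="csrfdemo_send_test_email">
        <?php wp_nonce_field( 'csrfdemo_send_test_email', 'csrfdemo_nonce' ); ?>
        <input type="email" name="csrfdemo_to" required>
        <?php submit_button( 'Send Test Email' ); ?>
    </form>
    <?php
}

// ...and check both the capability and the nonce before doing anything with side effects.
function csrfdemo_secure_test_email() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Stops the request if the nonce is missing, expired, or was issued for
    // another action or another user, which is what defeats a forged cross-site POST.
    check_admin_referer( 'csrfdemo_send_test_email', 'csrfdemo_nonce' );

    $to = isset( $_POST['csrfdemo_to'] ) ? sanitize_email( wp_unslash( $_POST['csrfdemo_to'] ) ) : '';
    if ( ! is_email( $to ) ) {
        wp_die( 'Invalid recipient address.' );
    }
    $sent = wp_mail( $to, 'Test Email', 'This is a test message.' );

    // Redirect back to the (assumed) settings page with a result flag.
    $back = admin_url( 'options-general.php?page=csrfdemo' );
    wp_safe_redirect( add_query_arg( 'csrfdemo_sent', $sent ? '1' : '0', $back ) );
    exit;
}
add_action( 'admin_post_csrfdemo_send_test_email', 'csrfdemo_secure_test_email' );
```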