
XSS / Cross Site Scripting in Email Logging Plugins Leaves Millions of Sites Open to Control by Hackers

As part of our website maintenance work, we stay apprised of security vulnerabilities and new developments that could impact your site.

This month, we were alerted by the Wordfence security team that a cross-site scripting vulnerability had been discovered in a variety of email logging plugins, including Post SMTP, which we use to manage email delivery across many of our sites. This vulnerability opens sites up to the possibility of being taken over by hackers exploiting the plugins.

The Wordfence team had already disclosed this vulnerability discovery privately and worked with the email logging plugin teams to ensure that the vulnerabilities were patched.

In the case of Post SMTP, versions lower than 2.5.7 contained the security issue. Within 4 minutes of receiving the email notification from Wordfence, our team had already put together a task list and plan for solving this issue. In this case, this is a very easy vulnerability to solve, as all that is required is to make sure that the plugin is updated on all sites. Within hours our team had checked every single site to ensure that all copies of Post SMTP or any other affected email logging / SMTP plugin were updated.

Fortunately, we discovered that during our maintenance procedures, we had already updated the plugin to 2.5.9 on all sites. This means that our maintenance clients were protected before the vulnerability was even disclosed, and it’s a good reminder of the importance of keeping plugins up to date to ensure that security patches are in place.

If you have an SMTP or email logging plugin on your WordPress site, check out Wordfence’s list of affected plugins and make sure that yours is up to date. To learn more about the security vulnerability, go to the official post. If you’re not on our monthly maintenance plan, check out the details and reach out to us here.
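One way to run that version check across a fleet of sites, as an added example that is not from the original post or from Post SMTP itself: it assumes each site's plugin inventory comes from `wp plugin list --format=json` and that the plugin's slug is `post-smtp`; the inventory below is constructed for illustration.

```python
"""Audit WP-CLI plugin inventories for Post SMTP builds below the 2.5.7 fix.

Assumed inputs: one `wp plugin list --format=json` result per site, keyed by
hostname. The sample inventory below is constructed, not captured from real sites.
"""
import json
import re

FIXED_IN = "2.5.7"          # first Post SMTP release with the fix, per the post
PLUGIN_SLUG = "post-smtp"   # WordPress.org slug for Post SMTP (assumed)

# Constructed sample: what `wp plugin list --format=json` might return on three sites.
SAMPLE_INVENTORY = {
    "site-a.example": '[{"name":"post-smtp","status":"active","update":"none","version":"2.5.9"}]',
    "site-b.example": '[{"name":"post-smtp","status":"active","update":"available","version":"2.5.6"}]',
    "site-c.example": '[{"name":"post-smtp","status":"inactive","update":"available","version":"2.5.10"},'
                      '{"name":"akismet","status":"active","update":"none","version":"5.3"}]',
}


def version_key(version):
    """Turn '2.5.10' into (2, 5, 10) so the comparison is numeric, not lexical.

    A plain string compare would rank '2.5.10' below '2.5.7' and wrongly flag a
    patched site. Non-numeric suffixes (e.g. '2.5.7-beta') are ignored here.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_vulnerable_sites(inventory, slug=PLUGIN_SLUG, fixed_in=FIXED_IN):
    """Return {host: installed_version} for sites running `slug` below `fixed_in`.

    Inactive copies are reported too, so they get updated or removed rather than
    left behind on disk.
    """
    vulnerable = {}
    for host, raw in inventory.items():
        for plugin in json.loads(raw):
            if plugin["name"] == slug and version_key(plugin["version"]) < version_key(fixed_in):
                vulnerable[host] = plugin["version"]
    return vulnerable


if __name__ == "__main__":
    for host, ver in sorted(find_vulnerable_sites(SAMPLE_INVENTORY).items()):
        print(f"{host}: Post SMTP {ver} < {FIXED_IN} -> update required")
```

Only site-b is reported; site-c's 2.5.10 is correctly treated as newer than 2.5.7, which a string comparison would get wrong.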
