SMTP Plugin Replaced Due to XSS Scripting Threat

SMTP to the rescue for WordPress email non-delivery

What is SMTP

The Simple Mail Transfer Protocol (SMTP) is an internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use the protocol to send and receive messages.¹

WordPress has a built-in mail function, wp_mail(), but unfortunately it has a high delivery failure rate: many Internet Service Providers consider mail sent this way insecure and block it, on the presumption that email sent from a WordPress site is spam. For site owners who find that their email is not being received, the fix is to install an SMTP plugin.

There are numerous reputable plugins of this genre, taking a range of approaches: from a plugin that uses the host's settings for an email account, preferably over SSL (so the email account's credentials are used), to routing delivery through Google Gmail with its OAuth credentialing.

Postman SMTP was the go-to plugin for this need for a considerable time. It was a cornerstone of a web developer's toolbox, with thousands of installations, a reputation for terrific performance, and great reviews. Recently, an XSS vulnerability was identified in the plugin, and its author reportedly didn't have time to revise the code. As a result, the plugin was pulled from the WordPress plugin repository. A plugin is removed, to prevent new installations, when it presents a high security risk.

Unfortunately, it took a while for news of the issue to reach the community. When it did, another developer who, like most of us, valued the functionality of Postman SMTP committed to taking on the plugin. He quickly fixed the plugin, renamed it Post SMTP, and submitted it to the WordPress plugin repository for review. It was approved, and as of this publication date the plugin has over 7K installs.

Help! I still have the plugin installed and active on my site.

The fix is simple for anyone with the original Postman SMTP plugin still active on their website.  It took me about 15 minutes per client site with the following steps.

  1. Back up your database first (always a good idea before any updates).
  2. Log in to your website admin and go to Plugins | Installed Plugins | Postman SMTP | Deactivate (don’t delete it yet!)
  3. Go to Plugins | Add New and enter Post SMTP in the search window.
  4. Install Post SMTP.
  5. Activate Post SMTP.
  6. Settings from Postman SMTP will still be present (they are stored in the same data tables).
  7. On my installs, I used Google Gmail and OAuth – I clicked on the option to revalidate.
  8. Send yourself a test email.
  9. If all works well, return to Plugins | Installed Plugins | Postman SMTP | Delete.
  10. Clear any caches.
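The same swap can be scripted with WP-CLI for anyone managing several client sites from the command line. The script below is an added example written for this post, not code from either plugin; it assumes the WP-CLI `wp` command is available on the server and that the plugin slugs are `postman-smtp` (old) and `post-smtp` (replacement). It follows the steps above in order and, like step 9, only deletes the old plugin after the test email has actually been accepted by wp_mail(). Run it with `DRY_RUN=1` first to see the commands it would issue without touching the site.

```shell
#!/bin/sh
# Replace Postman SMTP with Post SMTP via WP-CLI (example script, not part of either plugin).
# Assumed slugs: postman-smtp (old, pulled from the repository) and post-smtp (replacement).
set -eu

OLD_SLUG="${OLD_SLUG:-postman-smtp}"
NEW_SLUG="${NEW_SLUG:-post-smtp}"
WP="${WP:-wp}"          # path to the WP-CLI binary; run from the site's root directory
DRY_RUN="${DRY_RUN:-0}" # DRY_RUN=1 prints each command instead of executing it

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: database backup before anything changes.
backup_db() {
  run "$WP" db export "backup-before-smtp-swap-$(date +%Y%m%d%H%M%S).sql"
}

# Steps 2-5: deactivate the old plugin (keep its files and settings), install and activate the new one.
swap_plugin() {
  run "$WP" plugin deactivate "$OLD_SLUG"
  run "$WP" plugin install "$NEW_SLUG" --activate
}

# Step 8: send a test email through the new plugin. wp_mail() returns true only if the
# mailer accepted the message; a non-zero exit here aborts the script (set -e) so the
# old plugin is never deleted after a failed test.
send_test_mail() {
  run "$WP" eval "exit(wp_mail('$1', 'Post SMTP test', 'Delivery check after plugin swap') ? 0 : 1);"
}

# Steps 9-10: only reached when the test email succeeded.
cleanup() {
  run "$WP" plugin delete "$OLD_SLUG"
  run "$WP" cache flush
}

# Full procedure; the recipient for the test email is the single argument.
migrate() {
  backup_db
  swap_plugin
  send_test_mail "$1"
  cleanup
}

# Only perform the migration when explicitly asked, so sourcing the file is side-effect free.
if [ "${RUN_MIGRATION:-0}" = "1" ]; then
  migrate "${TEST_RECIPIENT:?set TEST_RECIPIENT to the address that should receive the test email}"
fi
```

Preview with `DRY_RUN=1 RUN_MIGRATION=1 TEST_RECIPIENT=you@example.com sh migrate-smtp.sh`, then drop `DRY_RUN=1` to perform the swap. Step 7 (revalidating the Gmail OAuth connection) is an interactive browser flow and is left for the admin screen; the test email in step 8 will fail, and the script will stop before deleting the old plugin, if that has not been done yet.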

Other reputable options are available

Other reputable plugins are available – search within the WordPress plugin repository and examine the rankings, compatibility with the latest WordPress core version, support threads, and possibly the changelog.  Replacing this critical tool is not to be done lightly or without testing.

What Exactly is XSS (Cross-Site Scripting)?

Below is an excellent article that explains what it is and why it’s so dangerous to allow a known vulnerability to exist on your website:

¹ Definition source: Wikipedia