• Dear Mailgun,

    As a long-time user, can you please provide some details on why the plugin was closed? I, like many others around the world, heavily rely on this plugin for email. Closing with minimum information sends the signal there was a data breach. Please address your users, so they know what’s going on. Thank you for understanding the severity of your actions.

Viewing 13 replies - 1 through 13 (of 13 total)
  • Thread Starter ashes00

    (@ashes00)

    I’m giving them 48 hours from initial discovery to respond here or on X with something meaningful. If not, then we must assume the worst from an OpSec perspective. We will have to disable, and move the SMTP plugin functionality to Fluent-SMTP. Next will be moving to a new Transactional Email Provider such as Amazon SES, SendGrid, Postmark, etc. All of this could be avoided if MailGun would just communicate in a meaningful way to its users. Talk about shooting yourself in the foot.


    https://wordpress.org/plugins/fluent-smtp/

    @mailgun, @sivel, @lookaheadio, @alanfuller, @m35dev any idea what’s going on?

    Following. I’m getting tons of alerts from Wordfence.

    Plugin Contributor Alan Fuller

    (@alanfuller)

    I am not a committer, not related to Mailgun, so I can’t help you. I just contributed a small fix once, as it is open source software, and they rightly acknowledged my contribution.

    Personally I no longer use this plugin for different reasons and use one of the alternatives.

    When a plugin is closed there can be many reasons, but at this time of year just before 6.6 release any plugin emails that bounce get their plugins closed. Whilst impossible to rule out other reasons such as security, the balance of probabilities is it is the committer email bouncing. Ironic really.

    A lot of this seems to be going on lately (same thing happened to BunnyCDN). I think those other plugins were temporarily suspended in order to be compliant with an upcoming update.

    Plugin Contributor Alan Fuller

    (@alanfuller)

    To be clear, when there is a new release plugin authors are emailed. If their email bounces their plugin is temporarily closed.

    So yes, this happens a lot, about 2 weeks before a point release.

    ssmithalignsoftcom

    (@ssmithalignsoftcom)

    Also a concern, and a tremendous amount of noise drowning out the signal as Wordfence emails about every single site this is installed on notifying of the issue, which creates the risk a more serious issue is going to get missed in all the static.

    A quick note of acknowledgement would go a long way here.

    Plugin Contributor Alan Fuller

    (@alanfuller)

    Here is the issue: you can’t and shouldn’t acknowledge publicly.

    Why? Because if you acknowledge it is not a security issue this time, but next time it is a security issue and so you can’t acknowledge without giving hackers a heads up, by deduction then not acknowledging implies a security issue, giving hackers a heads up.

    Wordfence creating noise is a Wordfence issue.

    If they are reporting things just because they are closed without a security CVE then they are reporting something that means nothing.

    Thread Starter ashes00

    (@ashes00)

    Wordfence reports on closed Plugins as a means to alert of possibly abandoned plugins that can be hijacked by a 3rd party, and used for malicious purposes. This is an extremely useful security feature. Wordfence also reports when a plugin has a known CVE which is another extremely useful function. It would still be nice for the authors to provide some sort of calming communication. I’m hoping it was closed for a missed bounced email, and not something worse.

    Plugin Contributor Alan Fuller

    (@alanfuller)

    Not sure closed plugins can be hijacked as the slug is never released.

    Reporting on closed plugins 2 weeks before 6.6 is just noise. At other times it is low-priority information that a plugin will no longer be actively supported.

    As mentioned, authors cannot comment on closure reasons. The plugin repo does not report the reason for security reasons as explained and authors are expected to do the same.

    The only calming measure is for the plugin authors to work with the plugins team to get the plugin reopened as soon as they can.

    I know that does not help much, but the free plugin directory is managed in that way to be in the best interests of the community that uses the plugin contributions.

    Thread Starter ashes00

    (@ashes00)

    Good to know that the slug is never released. Hopefully that stays the policy!

    Any updates? I see that 2.0 was released, but the changelog doesn’t have a listing for the latest version: https://plugins.trac.wordpress.org/browser/mailgun/tags/2.0.0/CHANGELOG.md

    Jon Fuller

    (@garconis)

    @razorfrog, that’s classic Mailgun for ya. They don’t update the changelog. See: https://wordpress.org/support/topic/1-9-9-is-out-but-changelog-only-shows-up-to-1-9-8/

    Moderator Support Moderator

    (@moderator)

    Moderator note: It’s best not to speculate on what might be the issue here and allow the author(s) and the plugins team to resolve the security issue. I’m closing this topic.

  • The topic ‘Plugin Closed?’ is closed to new replies.