Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App

post-smtp · by saadiqbal · wordpress.org ↗ · SVN ↗

Active installs: 300k+
Current version: 3.9.1
Added: 2017-10-15
Last updated: 2026-04-01 (1mo ago)
First seen by beacon: 1mo ago
Total downloads: 19,047,307

Alerts (0)

No open alerts.

Show 3 resolved alerts

Medium code_scan_match Resolved · code_scan_fp_class_genre_encoding 2026-05-05 11:25:38 (17d ago)

Slug post-smtp

Finding count 43

Findings

Pattern	Kind	File	Line	Snippet	Confidence
`base64_decode`	`builtin`	`Postman/Wizard/NewWizard.php`	1,525	$access_key_id = isset( $this->options_array[ PostSMTPSES\PostSmtpAmazonSesTransport::OPTION_ACCESS_KEY_ID ] ) ? base64_decode( $this->options_array[ PostSMTPSES\PostSmtpAmazonSesTransport::OP	`medium`
`base64_decode`	`builtin`	`Postman/Wizard/NewWizard.php`	1,526	$access_key_secret = isset( $this->options_array[ PostSMTPSES\PostSmtpAmazonSesTransport::OPTION_SECRET_ACCESS_KEY ] ) ? base64_decode( $this->options_array[ PostSMTPSES\PostSmtpAmazonSesTrans	`medium`
`base64_decode`	`builtin`	`Postman/Wizard/NewWizard.php`	1,572	$app_client_id = isset( $options['office365_app_id'] ) ? base64_decode( $options['office365_app_id'] ) : '';	`medium`
`base64_decode`	`builtin`	`Postman/Wizard/NewWizard.php`	1,573	$app_client_secret = isset( $options['office365_app_password'] ) ? base64_decode( $options['office365_app_password'] ) : '';	`medium`
`base64_decode`	`builtin`	`Postman/Wizard/NewWizard.php`	1,804	$client_secret = isset( $this->options_array[ ZohoMailPostSMTP\ZohoMailTransport::OPTION_CLIENT_SECRET ] ) ? base64_decode( $this->options_array[ ZohoMailPostSMTP\ZohoMailTransport::OPTION_CLI	`medium`
`base64_decode`	`builtin`	`Postman/Wizard/NewWizard.php`	1,943	$sanitized['slack_token'] = base64_decode( isset( $options['slack_token'] ) ? $options['slack_token'] : '' );	`medium`
`base64_decode`	`builtin`	`Postman/Wizard/NewWizard.php`	1,944	$sanitized['pushover_user'] = base64_decode( isset( $options['pushover_user'] ) ? $options['pushover_user'] : '' );	`medium`
`base64_decode`	`builtin`	`Postman/Wizard/NewWizard.php`	1,945	$sanitized['pushover_token'] = base64_decode( isset( $options['pushover_token'] ) ? $options['pushover_token'] : '' );	`medium`
`base64_decode`	`builtin`	`Postman/Postman-Mail/libs/vendor_prefixed/google/apiclient/src/Client.php`	455	`$payload = \json_decode(\base64_decode($parts[1]), \true);`	`medium`
`hex_string_long`	`builtin`	`Postman/Postman-Mail/Zend-1.12.10/Mime.php`	399	"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F\x7F\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8A\x8B\x8C\x8D\x8	`medium`
`base64_decode`	`builtin`	`Postman/Postman-Mail/Zend-1.12.10/Mail/Protocol/Smtp/Auth/Crammd5.php`	76	`$challenge = base64_decode($challenge);`	`medium`
`base64_decode`	`builtin`	`Postman/PostmanEmailLogs.php`	212	`$decoded = base64_decode( trim( $part_body ), true );`	`medium`
`base64_decode`	`builtin`	`Postman/Extensions/Core/Notifications/PostmanNotifyOptions.php`	42	`return base64_decode( $this->options [ self::PUSHOVER_USER ] );`	`medium`
`base64_decode`	`builtin`	`Postman/Extensions/Core/Notifications/PostmanNotifyOptions.php`	48	`return base64_decode( $this->options [ self::PUSHOVER_TOKEN ] );`	`medium`
`base64_decode`	`builtin`	`Postman/Extensions/Core/Notifications/PostmanNotifyOptions.php`	54	`return base64_decode( $this->options [ self::SLACK_TOKEN ] );`	`medium`

Resolved sha 1e12571330485faf037da754e7673ce70d81b353

View raw JSON

{
    "slug": "post-smtp",
    "finding_count": 43,
    "findings": [
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "Postman/Wizard/NewWizard.php",
            "line": 1525,
            "snippet": "$access_key_id = isset( $this->options_array[ PostSMTPSES\\PostSmtpAmazonSesTransport::OPTION_ACCESS_KEY_ID ] ) ? base64_decode( $this->options_array[ PostSMTPSES\\PostSmtpAmazonSesTransport::OP",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "Postman/Wizard/NewWizard.php",
            "line": 1526,
            "snippet": "$access_key_secret = isset( $this->options_array[ PostSMTPSES\\PostSmtpAmazonSesTransport::OPTION_SECRET_ACCESS_KEY ] ) ? base64_decode( $this->options_array[ PostSMTPSES\\PostSmtpAmazonSesTrans",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "Postman/Wizard/NewWizard.php",
            "line": 1572,
            "snippet": "$app_client_id = isset( $options['office365_app_id'] ) ? base64_decode( $options['office365_app_id'] ) : '';",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "Postman/Wizard/NewWizard.php",
            "line": 1573,
            "snippet": "$app_client_secret = isset( $options['office365_app_password'] ) ? base64_decode( $options['office365_app_password'] ) : '';",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "Postman/Wizard/NewWizard.php",
            "line": 1804,
            "snippet": "$client_secret = isset( $this->options_array[ ZohoMailPostSMTP\\ZohoMailTransport::OPTION_CLIENT_SECRET ] ) ? base64_decode( $this->options_array[ ZohoMailPostSMTP\\ZohoMailTransport::OPTION_CLI",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "Postman/Wizard/NewWizard.php",
            "line": 1943,
            "snippet": "$sanitized['slack_token'] = base64_decode( isset( $options['slack_token'] ) ? $options['slack_token'] : '' );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "Postman/Wizard/NewWizard.php",
            "line": 1944,
            "snippet": "$sanitized['pushover_user'] = base64_decode( isset( $options['pushover_user'] ) ? $options['pushover_user'] : '' );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "Postman/Wizard/NewWizard.php",
            "line": 1945,
            "snippet": "$sanitized['pushover_token'] = base64_decode( isset( $options['pushover_token'] ) ? $options['pushover_token'] : '' );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "Postman/Postman-Mail/libs/vendor_prefixed/google/apiclient/src/Client.php",
            "line": 455,
            "snippet": "$payload = \\json_decode(\\base64_decode($parts[1]), \\true);",
            "confidence": "medium"
        },
        {
            "pattern": "hex_string_long",
            "kind": "builtin",
            "file": "Postman/Postman-Mail/Zend-1.12.10/Mime.php",
            "line": 399,
            "snippet": "\"\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0A\\x0B\\x0C\\x0D\\x0E\\x0F\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1A\\x1B\\x1C\\x1D\\x1E\\x1F\\x7F\\x80\\x81\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8A\\x8B\\x8C\\x8D\\x8",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "Postman/Postman-Mail/Zend-1.12.10/Mail/Protocol/Smtp/Auth/Crammd5.php",
            "line": 76,
            "snippet": "$challenge = base64_decode($challenge);",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "Postman/PostmanEmailLogs.php",
            "line": 212,
            "snippet": "$decoded = base64_decode( trim( $part_body ), true );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "Postman/Extensions/Core/Notifications/PostmanNotifyOptions.php",
            "line": 42,
            "snippet": "return base64_decode( $this->options [ self::PUSHOVER_USER ] );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "Postman/Extensions/Core/Notifications/PostmanNotifyOptions.php",
            "line": 48,
            "snippet": "return base64_decode( $this->options [ self::PUSHOVER_TOKEN ] );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "Postman/Extensions/Core/Notifications/PostmanNotifyOptions.php",
            "line": 54,
            "snippet": "return base64_decode( $this->options [ self::SLACK_TOKEN ] );",
            "confidence": "medium"
        }
    ],
    "resolved_sha": "1e12571330485faf037da754e7673ce70d81b353"
}

Critical code_pattern Resolved · no_longer_matches 2026-04-24 17:01:47 (28d ago)

Slug	post-smtp
Pattern	`unserialize_after_remote_call`
Kind	`builtin`
Version	`3.9.1`
Hit count	3
First hit	File `includes/libs/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php` Line 73 Snippet L73: return unserialize(file_get_contents($file)); → L73: return unserialize(file_get_contents($file));
Explanation	a remote HTTP fetch (`wp_remote_*`/`curl_exec`/`file_get_contents`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak.

View raw JSON

{
    "slug": "post-smtp",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "3.9.1",
    "hit_count": 3,
    "first_hit": {
        "file": "includes/libs/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php",
        "line": 73,
        "snippet": "L73: return unserialize(file_get_contents($file));  \u2192  L73: return unserialize(file_get_contents($file));"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*`/`curl_exec`/`file_get_contents`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak."
}

Critical code_scan_delta Resolved · fp_vendored_library_local_cache 2026-04-24 15:53:07 (28d ago)

Slug post-smtp

Previous version 3.9.1

Current version 3.9.1

New findings

Pattern	Kind	File	Line	Snippet	Confidence
`unserialize_after_remote_call`	`builtin`	`includes/libs/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php`	73	L73: return unserialize(file_get_contents($file)); → L73: return unserialize(file_get_contents($file));	`high`
`unserialize_after_remote_call`	`builtin`	`includes/libs/HTMLPurifier/HTMLPurifier/ConfigSchema.php`	72	L71: $contents = file_get_contents(HTMLPURIFIER_PREFIX . '/HTMLPurifier/ConfigSchema/sc → L72: $r = unserialize($contents);	`high`
`unserialize_after_remote_call`	`builtin`	`includes/libs/HTMLPurifier/HTMLPurifier/EntityLookup.php`	26	L26: $this->table = unserialize(file_get_contents($file)); → L26: $this->table = unserialize(file_get_contents($file));	`high`

New finding count 3

View raw JSON

{
    "slug": "post-smtp",
    "previous_version": "3.9.1",
    "current_version": "3.9.1",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/libs/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php",
            "line": 73,
            "snippet": "L73: return unserialize(file_get_contents($file));  \u2192  L73: return unserialize(file_get_contents($file));",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/libs/HTMLPurifier/HTMLPurifier/ConfigSchema.php",
            "line": 72,
            "snippet": "L71: $contents = file_get_contents(HTMLPURIFIER_PREFIX . '/HTMLPurifier/ConfigSchema/sc  \u2192  L72: $r = unserialize($contents);",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/libs/HTMLPurifier/HTMLPurifier/EntityLookup.php",
            "line": 26,
            "snippet": "L26: $this->table = unserialize(file_get_contents($file));  \u2192  L26: $this->table = unserialize(file_get_contents($file));",
            "confidence": "high"
        }
    ],
    "new_finding_count": 3
}

SVN committers (2)

Accounts with actual commit access to post-smtp on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer	Member since	Commits	First commit	Latest commit
WPExperts.io	2016-03-28	200	2022-02-23 · r2683779	2026-04-01 · r3496249
yehudah	2011-11-29	101	2019-01-28 · r2020807	2022-02-13 · r2678027

Readme contributors (2)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor	Member since	SVN access	Status
WPExperts.io	2016-03-28	200 commits	Active
Saad Iqbal	2014-12-28	—	Active

Versions (100 most recent)

Version	Released	Download
3.9.1	2026-04-01 · 1mo ago	zip
3.9.0	2026-03-17 · 2mo ago	zip
3.8.0	2026-01-20 · 4mo ago	zip
3.7.0	2025-12-24 · 4mo ago	zip
3.6.3	2025-12-17 · 5mo ago	zip
3.6.2	2025-12-12 · 5mo ago	zip
3.6.1	2025-10-29 · 6mo ago	zip
3.6.0	2025-10-14 · 7mo ago	zip
3.5.0	2025-09-18 · 8mo ago	zip
3.4.2	2025-09-01 · 8mo ago	zip
3.4.1	2025-08-20 · 9mo ago	zip
3.4.0	2025-08-18 · 9mo ago	zip
3.3.0	2025-06-23 · 11mo ago	zip
3.2.0	2025-05-19 · 1y ago	zip
3.1.4	2025-04-14 · 1y ago	zip
3.1.3	2025-03-03 · 1y ago	zip
3.1.2	2025-02-24 · 1y ago	zip
3.1.1	2025-02-11 · 1y ago	zip
3.1.0	2025-02-10 · 1y ago	zip
3.0.2	2025-01-27 · 1y ago	zip
3.0.2-beta.1	2025-01-16 · 1y ago	zip
3.0.1	2025-01-14 · 1y ago	zip
3.0.1-beta.1	2025-01-09 · 1y ago	zip
3.0.0	2025-01-07 · 1y ago	zip
3.0.0-rc.1	2025-01-06 · 1y ago	zip
2.9.14	2024-12-18 · 1y ago	zip
2.9.13	2024-12-10 · 1y ago	zip
2.9.12	2024-12-02 · 1y ago	zip
2.9.11	2024-11-21 · 1y ago	zip
2.9.10	2024-11-19 · 1y ago	zip
2.9.9	2024-10-21 · 1y ago	zip
3.0.0-beta.1	2024-10-16 · 1y ago	zip
2.9.8	2024-08-21 · 1y ago	zip
2.9.7	2024-07-01 · 1y ago	zip
2.9.6	2024-06-27 · 1y ago	zip
2.9.5	2024-06-25 · 1y ago	zip
2.9.4	2024-06-05 · 1y ago	zip
2.9.3	2024-05-22 · 2y ago	zip
2.9.2	2024-05-13 · 2y ago	zip
2.9.1	2024-05-02 · 2y ago	zip
2.9.0	2024-04-16 · 2y ago	zip
2.8.12	2024-03-26 · 2y ago	zip
2.8.11	2024-01-19 · 2y ago	zip
2.8.10	2024-01-18 · 2y ago	zip
2.8.9	2024-01-15 · 2y ago	zip
2.8.8	2024-01-01 · 2y ago	zip
2.8.7	2023-12-20 · 2y ago	zip
2.8.6	2023-12-07 · 2y ago	zip
2.8.5	2023-11-23 · 2y ago	zip
2.8.4	2023-11-20 · 2y ago	zip
2.8.3	2023-11-17 · 2y ago	zip
2.8.2	2023-11-14 · 2y ago	zip
2.8.1	2023-11-13 · 2y ago	zip
2.8.0	2023-11-13 · 2y ago	zip
2.7.3	2023-11-06 · 2y ago	zip
2.8.0-beta.1	2023-11-03 · 2y ago	zip
2.7.2	2023-11-01 · 2y ago	zip
2.7.1	2023-11-01 · 2y ago	zip
2.7.0	2023-10-27 · 2y ago	zip
2.6.2	2023-10-19 · 2y ago	zip
2.6.1	2023-10-03 · 2y ago	zip
2.6.0	2023-09-12 · 2y ago	zip
2.5.9.4	2023-08-29 · 2y ago	zip
2.5.9.3	2023-08-17 · 2y ago	zip
2.5.9.2	2023-08-17 · 2y ago	zip
2.5.9.1	2023-08-08 · 2y ago	zip
2.5.9.1-beta.1	2023-08-03 · 2y ago	zip
2.5.9	2023-07-19 · 2y ago	zip
2.5.9-beta.1	2023-07-17 · 2y ago	zip
2.5.8	2023-07-13 · 2y ago	zip
2.5.8-beta.1	2023-07-07 · 2y ago	zip
2.5.7	2023-07-03 · 2y ago	zip
2.5.6	2023-06-08 · 2y ago	zip
2.5.5	2023-05-31 · 2y ago	zip
2.5.4	2023-05-24 · 2y ago	zip
2.5.3	2023-05-16 · 3y ago	zip
2.5.2	2023-05-12 · 3y ago	zip
2.5.1	2023-05-10 · 3y ago	zip
2.5.0	2023-05-09 · 3y ago	zip
2.5-rc.4	2023-04-27 · 3y ago	zip
2.4.9	2023-04-27 · 3y ago	zip
2.4.8	2023-04-18 · 3y ago	zip
2.5-rc.3	2023-04-10 · 3y ago	zip
2.4.7	2023-04-10 · 3y ago	zip
2.5-rc.2	2023-03-27 · 3y ago	zip
2.4.6	2023-03-27 · 3y ago	zip
2.5-rc.1	2023-03-15 · 3y ago	zip
2.4.5	2023-03-14 · 3y ago	zip
2.5-beta.1	2023-03-09 · 3y ago	zip
2.4.4	2023-03-09 · 3y ago	zip
2.4.4-Beta.2	2023-03-01 · 3y ago	zip
2.4.4-Beta.1	2023-02-28 · 3y ago	zip
2.4.3	2023-02-27 · 3y ago	zip
2.4.2	2023-02-23 · 3y ago	zip
2.4.1	2023-02-23 · 3y ago	zip
2.4.2-beta.2	2023-02-23 · 3y ago	zip
2.4.2-beta.1	2023-02-22 · 3y ago	zip
2.4	2023-02-21 · 3y ago	zip
2.3.2	2023-01-18 · 3y ago	zip
2.4-beta.1	2023-01-18 · 3y ago	zip