Why is plugin X not patched by Patchman?

Plugin vulnerability coverage is only provided for customers on the COVERAGE plan. For a comprehensive list of our patching services in each of the plans, please refer to Which applications does Patchman detect and fix?

For non-plugin vulnerabilities, please see the companion page Why is vulnerability X not fixed by Patchman?

Aside from the plugins we provide full patching support for, we also monitor newly discovered vulnerabilities in plugins we don’t yet cover. If a new vulnerability is discovered in one of those plugins, we make a careful assessment of the impact it will have for our customers. When we deem the risk to be substantial and the fix to be feasible, we add a patch for that specific vulnerability to our coverage.

Note that adding such a one-time patch to our coverage does not mean that we will continue to provide patches for all future vulnerabilities in that plugin. Unfortunately, it is infeasible for us to provide full continuous support for all the plugins out there, so we are forced to select those vulnerabilities for which patching will provide you with significant security benefits.

Sometimes we take a plugin vulnerability into consideration but are unable to provide patches for it for technical reasons. On this page, we provide all the information for those plugins we have considered but have not been able to add to our coverage.

WordPress plugin: Easy WP SMTP

Vulnerability details
The plugin creates a debug log in the installation folder when SMTP settings are configured and the debug log feature is enabled in the plugin. All emails sent by the site are recorded in the log from that moment onwards. Hackers could initiate an admin password reset and grab the reset link from the debug log, which is unintentionally publicly accessible on servers that have directory listing enabled.

Affected versions
Easy WP SMTP <= 1.4.3

Fix complications
An important part of the security fix is that the log file must be stored in the newly created "/logs" folder, which is protected against file listing by an .htaccess file containing Deny from all and an empty index.html.

Our product can only modify existing files; it cannot create new folders or files. We are thus unable to create this folder and its default files to offer the required protections. Because of that limitation, we are unable to provide a fix through Patchman.

Note: We are aware of other security updates related to this vulnerability that have been made in various other versions (1.4.3 and 1.4.5). The security fixes in those versions build on the core changes described above and/or require a new file to be added. Therefore, we can't backport those changes either.

Mitigating factors
This only affects websites that have directory listing enabled. Most hosting environments disable it by default because it causes exposures such as this one; as a result, many websites will not expose the log file to the public internet.
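As an added example (not Patchman's code, nor the plugin's), a local audit a hosting administrator could run over an Easy WP SMTP plugin folder: it reports log files left in the plugin root and checks whether the protected logs/ folder the fix relies on is present, and the helper that builds that folder reproduces the one step Patchman cannot perform. The debug log's filename is not given on this page, so any .txt/.log file in the plugin root is treated as a candidate; the sample plugin folder is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Assumption (not stated on this page): the debug log is a plain-text file in
# the plugin root, so any *.txt / *.log file there is reported as a candidate.
LOG_NAME = re.compile(r"\.(txt|log)$", re.IGNORECASE)
DENY_RULES = re.compile(r"Deny from all|Require all denied", re.IGNORECASE)


def audit_easy_wp_smtp(plugin_dir):
    """Report log files sitting in the plugin root and whether the protected
    logs/ folder (.htaccess deny rule + empty index.html) is complete."""
    logs_dir = os.path.join(plugin_dir, "logs")
    htaccess = os.path.join(logs_dir, ".htaccess")
    exposed = sorted(
        name for name in os.listdir(plugin_dir)
        if LOG_NAME.search(name) and os.path.isfile(os.path.join(plugin_dir, name))
    )
    deny = False
    if os.path.isfile(htaccess):
        with open(htaccess, encoding="utf-8") as fh:
            deny = DENY_RULES.search(fh.read()) is not None
    return {
        "exposed_logs": exposed,  # readable by anyone if directory listing is on
        "logs_dir": os.path.isdir(logs_dir),
        "htaccess_deny": deny,    # only enforced by Apache with AllowOverride; nginx ignores it
        "index_html": os.path.isfile(os.path.join(logs_dir, "index.html")),
    }


def create_protected_logs_dir(plugin_dir):
    """Create logs/ with the two files the fix depends on. This is the part a
    file-only patcher cannot do; the plugin update itself must still be applied
    so that the plugin writes its log into this folder."""
    logs_dir = os.path.join(plugin_dir, "logs")
    os.makedirs(logs_dir, exist_ok=True)
    htaccess = os.path.join(logs_dir, ".htaccess")
    if not os.path.exists(htaccess):
        with open(htaccess, "w", encoding="utf-8") as fh:
            fh.write("Deny from all\n")
    index = os.path.join(logs_dir, "index.html")
    if not os.path.exists(index):
        open(index, "w").close()  # empty page, so no listing is rendered
    return audit_easy_wp_smtp(plugin_dir)


def make_sample_install():
    """Constructed sample: a vulnerable-style layout with a log in the root."""
    plugin_dir = tempfile.mkdtemp(prefix="easy-wp-smtp-")
    open(os.path.join(plugin_dir, "easy-wp-smtp.php"), "w").close()
    open(os.path.join(plugin_dir, "debug-log.txt"), "w").close()
    return plugin_dir
```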

WordPress plugin: WPBakery

Vulnerability details
This flaw made it possible for authenticated attackers with contributor-level or above permissions to inject malicious JavaScript in posts.

Affected versions
WPBakery <= 6.4

Fix complications
There is no available archive of previous versions, which means we would be unable to backport the fix to older versions. Since this is considered an essential part of the security service our product provides, we feel that being unable to provide patches for older versions means we are unable to provide decent security for this plugin.

Mitigating factors
This is a premium plugin, meaning its users pay to have access to the plugin. We believe that in general, when people are paying for the service of updates from the maintainer, they are more inclined to use it. This, combined with the relatively small install base, means that we consider the attack surface to be limited.

WordPress plugin: File Manager

Vulnerability details
Improper image validation allows malicious scripts to be uploaded disguised as image files. This provides attackers with a means to execute those scripts on target websites.

Affected versions
WordPress File Manager 6.0 - 6.8

Fix complications
The vulnerability is in a library file which is also used outside this plugin. If we patched this vulnerability, we would also affect those other projects. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
N/A