Hi Peter,
Could you provide a URL to the report? We get an email for all Patchstack reports and have not received anything recently. The last report for this plugin that we received was in May and we patched that one (https://patchstack.com/database/wordpress/plugin/ultimate-wp-mail/vulnerability/wordpress-ultimate-wp-mail-1-3-5-broken-access-control-vulnerability).
We found the report that I believe you were likely referring to and just released an update (version 1.3.9) with the patch. We’ve also notified Patchstack, who should hopefully have it marked as fixed shortly.
Thread Starter
Peter
(@hardpeter4u)
Ok, thanks. We’ll look into this and release an update ASAP if necessary.
We’ve just released an update that eliminates the vulnerability when click tracking is disabled. We are also working on a more robust solution that would still allow exterior redirects from whitelisted sites. In the meantime, you can disable click tracking to prevent the vulnerability.