boardboss

Can we get an answer about the 24-hour trigger question from your dev team? Do admins have any control over setting the time, is it triggered based on server time (and at what time?), or anything else useful to admins. Thank you.

Thank you for the update. Do you know at what time the ‘updated once every 24 hours’ process is triggered? Is it based on some setting in your plugin, server time, or something else?

It is now 11:14 UTC, and I just checked the situation on a site where the notification is being displayed. I have taken no action to sync with the cloud, nor any other manual intervention, and the notification is still present. Based on your previous reply, I expected it should have been removed automatically. Or did I misunderstand something?

I simultaneously raised a ticket with the Post SMTP folks, which is included below, and the response I received from them, included further down:

Ticket text: I received a warning from my security plugin, Security by CleanTalk about the Post SMTP plugin being vulnerable under CVE-2024-13362. However, I cannot immediately confirm that your plugin is affected by this vulnerability. Apparently, CVE-2024-13362 refers to use of Freemius and many, many plugins are therefore affected. Can you confirm whether your plugins are or are not affected, and if affected, what course of action admins should take? Should we disable or uninstall your plugin and find a different solution?

Their response: Thank you for bringing this up.

I’m happy to confirm that this issue has already been addressed and the fix was released in Post SMTP v3.9.1.

The vulnerability report you’re referring to was related to a dependency/shared component, and the necessary remediation has already been applied in the latest release. Wordfence has also acknowledged the patched version accordingly. Here is the link to WordFence report confirming the fix: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/post-smtp

Please update Post SMTP to v3.9.1. (note added by me: all sites flagged by CleanTalk Security already have Post SMTP updated to version 3.9.1)

There is no need to disable or uninstall the plugin as long as you are running the updated version.

If you have any other concerns or would like us to review your setup, feel free to reach out anytime.

My conclusion: It appears CleanTalk Security incorrectly raised an alert in this situation. The warning notice generated by your plugin appears in the plugin list immediately below the Post SMTP plugin. In the warning emails sent from CleanTalk about this issue, the Post SMTP plugin was specifically mentioned. Again, I believe this is inaccurate.

I guess you assumed everything was okay since you marked the ticket as resolved and did not reply further; however, the problem I reported still existed.

Since I did not hear back from you, I installed your plugin on a different WordPress site running on a different server. The exact same thing happened on that site/server.

I just now noticed that there was an update available for Query Monitor while I was on the second site, so I updated it. Immediately afterward, the problem I described stopped happening.

I then headed over to the site where I originally found the problem and updated Query Monitor. The reported problem no longer exists.

I cannot say with 100% certainty that the update for Query Monitor actually fixed the issue, I only know what happened on the two different sites/servers I tested, and in the case of the first site/server, the 502 error problem has been happening for several days. After the update, the problem stopped.

I agree that this is a strange way for a 502 error to present itself, yet present itself it did. In any case, I am happy the plugin was updated (thanks for that) and I *NOW* consider this problem resolved. I hope the resolution is permanent.

Thank you for your reply. Traffic should not be an issue on the site in question, as it gets visited around the clock. I installed the Cron Logger plugin, although it has not been updated in 9 months and is untested with the current version of WordPress. It shows two updates pending, which happen to reflect the currently-installed version and the available version update to be the same, and is scheduled for approximately 12 hours from now, so I will see what happens in the morning.

Again, thank you for the tip about cron logging.

Thank you for your reply. It makes sense that you would follow the way WooCommerce handles single variations. I doubt Automattic is going to do anything about this, as clean and lean code does not seem to be their priority.