
Ok, so this post has little to do with Awesome Support itself; instead it's mostly commentary on the WordPress plugin ecosystem, based on recent experience.  A couple of days ago it was announced that a popular free SMTP plugin, POSTMAN, had an XSS (cross-site scripting) security vulnerability.

The security researchers who discovered the issue attempted to contact the author back in June but got no response.  The vulnerability was subsequently made public, and WordPress.org pulled the plugin from its repository.

However, pulling the plugin from the repository does not remove it from the sites that already have it installed, so anyone using it (estimated at about 100,000 users) has been exposed to this known vulnerability for at least 2 extra months.

So far the author of the plugin has not offered a fix and, given that the last update was about 2 years ago, it is doubtful that one will be made available soon.

This plugin is 100% free with no monetization options.  In other words, the author has no financial interest in the plugin and, instead, works on it in his spare time.  Had there been a premium version of this plugin available, or some other way that the plugin was monetized, we have no doubt that a fix would have been available shortly after the issue was discovered.  But, since it's 100% free with no upside, the author has no real incentive to provide a fix if there are other projects or a job that takes precedence.

A Near Miss

We have used and recommended this plugin numerous times over the years.  This near miss has caused us to re-evaluate what we use and recommend to our customers.  Had we not had multiple layers of firewalls in place, this could have been a business reputation catastrophe if someone had exploited it on our site.  A firewall only buys time against a known, unpatched bug, though; the real fix is to remove or replace the plugin.  So, going forward, we are only going to recommend and use plugins where it is clear to us what the upside is for the author.  This means that many good plugins will soon be taken off our recommendation list and replaced with freemium ones (even if they are slightly inferior).

The logic here is simple: if a plugin is being successfully monetized, there is a much lower chance of it suddenly being abandoned.  All it takes is one abandoned plugin with an unpatched vulnerability and the cost of "free" becomes way too high!
