WP Mailster v1.8.18

  • [Bug Fix] Fix Cross-Site Scripting (XSS) vulnerabilities
  • [Bug Fix] Fix Stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-11782)
  • [Bug Fix] Fix Sensitive Data Exposure vulnerability (attacks require user role of Subscriber or higher)
  • [Bug Fix] Fix PHP warnings

WP Mailster v1.8.17

  • [Bug Fix] Fix for cases where certain email character set conversions led to an empty email body
  • [Bug Fix] Fix SQL Injection vulnerabilities (attacks require user role of Contributor or higher)
  • [Bug Fix] Fix Cross-Site Scripting (XSS) vulnerabilities (attacks require user role of Contributor or higher)
  • [Bug Fix] Fix Sensitive Data Exposure vulnerability (vulnerability exists only when CSV exports have been done)
  • [Bug Fix] Fix Sensitive Data Exposure vulnerability (attacks require user role of Subscriber or higher)
  • [Bug Fix] Fix Settings change vulnerabilities
  • [Bug Fix] Fix Arbitrary Content Deletion vulnerabilities

WP Mailster v1.8.14

  • [Improvement] Automatically shorten (too) long subjects, current max length: 191 characters
  • [Bug Fix] Fix email character display/modification issues with Baltic encoding
  • [Bug Fix] Fix backend email archive view (and other admin list views) for Safari
  • [Bug Fix] Fix some rare cases where email was not saved to the database
  • [Bug Fix] Fix multiple PHP warnings

WP Mailster v1.8.11

  • [Improvement] CSV import also supports files with only emails (no name column)
  • [Improvement] Do not create Microsoft and Google default connections because of missing OAuth 2.0 support
  • [Bug Fix] Avoid error “Prohibited input U+00000081” and update idna-convert library
  • [Bug Fix] Fix issue where special characters in subject break user interface (list of archived emails, list of queued emails)
  • [Bug Fix] Bounce emails containing email addresses in angle brackets now show the addresses in the email details view of the email archive

The issue with Microsoft 365 and Google Mail

Summary: WP Mailster is currently not able to connect to Microsoft 365 (Office 365 / Outlook Online) and Google Mail (Gmail / Google Workspace / GSuite) email servers, since the companies no longer support password-based email authentication for email applications.

Background

Google and Microsoft announced in 2021 and 2022 that they would stop supporting password-based authentication and require applications to switch to the OAuth 2.0 authentication standard.

Microsoft: Deprecation of Basic authentication in Exchange Online

Google: Transition from less secure apps to OAuth

Why WP Mailster does not support OAuth (yet)

WP Mailster, like hundreds of other PHP email solutions, uses the standard PHP IMAP library (https://www.php.net/manual/en/book.imap.php) in order to connect to email inboxes.

As of today, the standard library does not support OAuth.

Unfortunately, there is no sign that the PHP team is working on this. They identified the missing OAuth support as a problem back in 2019/2020 and put up this page: https://wiki.php.net/todo/ext/imap/xoauth2 and opened a tracker item (https://bugs.php.net/bug.php?id=64039) with almost no activity.

Due to this unfortunate situation, alternative libraries have been proposed. However, they are either completely different from the PHP IMAP library or very new (only months old, i.e. not battle-tested with a lot of different email servers).

That means, if WP Mailster has to switch to an alternative PHP IMAP library, it would go from a piece of software that was nurtured for over 10 years, with many learnings along the way, to something sparsely tested.

Hence, we are currently investigating the best course of action.

Although it is currently not working, we intend to support OAuth 2.0 in the future.
