Postmarkapp Email Integrator Plugin Security Audit: Code Injection, XSS, and API Key Exposure

Key Information Plugin Name: Postmarkapp Email Integrator Description: Overwrites wp_mail to send emails through Postmark. This plugin is a bug-fixed edition of the official Postmarkapp plugin. Author: Gagan Deep Singh Version: 2.4 Security Considerations 1. Code Injection Risk: - The direct use of in multiple places can lead to code injection if not properly sanitized. - Example: 2. Lack of Input Validation: - There is no visible input validation or sanitization for user inputs such as , , etc. - This may result in potential injection attacks. 3. Cross-Site Scripting (XSS): - The use of statements without sanitization can lead to XSS vulnerabilities. - Example: 4. Weak Error Handling: - Error handling is minimal and may not provide sufficient information for debugging issues. - Example: 5. Deprecated Functions: - The use of can introduce unexpected variables into the global scope, potentially causing conflicts or security issues. - Example: 6. API Key Management: - The API key is stored in plain text and can be accessed by anyone with access to the backend. - Example: 7. HTTP Requests: - The HTTP request timeout is set to 60 seconds, which may be excessive and could lead to performance degradation or Denial of Service (DoS) attacks. - Example:

Goal Reached Thanks to every supporter — we hit 100%!

Postmarkapp Email Integrator Plugin Security Audit: Code Injection, XSS, and API Key Exposure