This is both a specific alert for the Easy WP SMTP plugin and a general warning.
I have just had a site hacked by someone initiating a password reset, then accessing some information that allowed them to reset the password externally. They then deactivated the firewall but didn’t do much else and I was able to restore a backup this morning.
Details are here: https://www.searchenginejournal.com/easy-wp-smtp-plugin-vulnerability/390109
I use this plugin on almost all my sites and when I checked it out, I found that it has had 2 updates recently, but was still showing as fully up-to-date on all my sites. This is because it had also been changed to “Requires WP 5.0 or higher”.
Apparently if you are using a plugin that was WP4.9 and gets changed to WP5+ then you will not receive any further update notices.
This indicates to me a very serious deficiency in how we are using plugins. Any plugin might be updated to fix some security flaw, but will not show up on our sites as needing an update if it also moved to >WP5. So we will happily be using the old, unsafe version… until we get hacked.