Benchmark Email Lite Security & Risk Analysis

wordpress.org/plugins/benchmark-email-lite

Your Wordpress Site and Email Marketing all in one place!

1K active installs · v4.3.1 · PHP 7.4+ · WP 4.9+ · Updated Nov 29, 2025
Tags: campaign, email-marketing, mailing-list, newsletter, sign-up
99
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Apr 8, 2024
Safety Verdict

Is Benchmark Email Lite Safe to Use in 2026?

Generally Safe

Score 99/100

Benchmark Email Lite has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Apr 8, 2024 · Updated 4mo ago
Risk Assessment

The "benchmark-email-lite" v4.3.1 plugin exhibits a mixed security posture. On the positive side, it demonstrates strong practices regarding SQL query security, exclusively using prepared statements and having no identified critical or high severity vulnerabilities in its static analysis. The absence of dangerous functions, file operations, and bundled libraries further contributes to a generally robust foundation.

However, there are notable areas of concern. The presence of a REST API route without permission callbacks creates a potential attack vector that is not adequately protected. While the taint analysis did not reveal any critical or high severity flows, the unprotected REST API endpoint represents an immediate risk of unauthorized access or manipulation if not properly secured by the user or through future plugin updates.

The vulnerability history, while currently showing no unpatched issues, includes a past medium severity vulnerability (CSRF), suggesting that the plugin has had exploitable weaknesses in the past. This, coupled with the unprotected REST API endpoint, indicates a need for continued vigilance and prompt updates.

Key Concerns

  • REST API route without permission callbacks
  • Medium severity vulnerability in history
  • Untrusted output (70% escaped)
Vulnerabilities
1

Benchmark Email Lite Security Vulnerabilities

CVEs by Year

1 CVE in 2024

Severity Breakdown

Medium: 1

1 total CVE

CVE-2024-31360 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Benchmark Email Lite <= 4.1 - Cross-Site Request Forgery via page_settings()

Apr 8, 2024 · Patched in 4.2 (9d)
Code Analysis
Analyzed Mar 16, 2026

Benchmark Email Lite Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 11 (26 escaped)
Nonce Checks: 2
Capability Checks: 2
File Operations: 0
External Requests: 3
Bundled Libraries: 0

Output Escaping

70% escaped · 37 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
page_settings (class.settings.php:10)
Attack Surface
1 unprotected

Benchmark Email Lite Attack Surface

Entry Points: 2
Unprotected: 1

REST API Routes 1

GET /wp-json/wpbme/v1/signupforms class.block.php:29

Shortcodes 1

[benchmark-email-lite] class.frontend.php:44

WordPress Hooks 16

filter plugin_action_links_benchmark-email-lite/benchmark-email-lite.php class.admin.php:7
filter post_row_actions class.admin.php:21
filter bulk_actions-edit-post class.admin.php:31
filter handle_bulk_actions-edit-post class.admin.php:36
action admin_notices class.admin.php:48
action admin_menu class.admin.php:65
action init class.block.php:5
action rest_api_init class.block.php:27
action init class.cron.php:9
action wpbme_token_renew class.cron.php:17
action plugins_loaded class.frontend.php:7
action wp_footer class.frontend.php:12
action admin_notices class.sister.php:7
action in_plugin_update_message-benchmark-email-lite/benchmark-email-lite.php class.upgrade.php:7
action init class.upgrade.php:14
action widgets_init class.widget.php:7

Scheduled Events 1

wpbme_token_renew
Maintenance & Trust

Benchmark Email Lite Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Nov 29, 2025
PHP min version: 7.4
Downloads: 132K

Community Trust

Rating: 80/100
Number of ratings: 3
Active installs: 1K
Developer Profile

Benchmark Email Lite Developer Profile

beAutomated

1 plugin · 1K total installs

Trust score: 93
Avg Security Score: 99/100
Avg Patch Time: 9 days
Detection Fingerprints

How We Detect Benchmark Email Lite

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/benchmark-email-lite/css/admin.css
/wp-content/plugins/benchmark-email-lite/js/admin.js
/wp-content/plugins/benchmark-email-lite/js/frontend.js
Script Paths
https://prod.benchmarkemail.com/tracker.bundle.js
Version Parameters
benchmark-email-lite/css/admin.css?ver=
benchmark-email-lite/js/admin.js?ver=
benchmark-email-lite/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
benchmark-email-signup
JS Globals
window.apScriptInserted
_paq
REST Endpoints
/wp-json/wpbme/v1/signupforms
Shortcode Output
<div class="benchmark-email-signup">
FAQ

Frequently Asked Questions about Benchmark Email Lite