Arigato Autoresponder and Newsletter Security & Risk Analysis

wordpress.org/plugins/bft-autoresponder

This plugin allows scheduling of automated autoresponder messages / drip marketing messages, instant newsletters, and managing a mailing list.

600 active installs · v2.7.2.7 · PHP 8.0+ · WP 5.0+ · Updated Aug 14, 2025
Tags: auto-responder, autoresponder, contact-form, mailing-list, newsletter
Score: 58 (C · Use Caution)
CVEs total: 18
Unpatched: 1
Last CVE: Apr 17, 2025
Safety Verdict

Is Arigato Autoresponder and Newsletter Safe to Use in 2026?

Use With Caution

Score 58/100

Arigato Autoresponder and Newsletter has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

18 known CVEs · 1 unpatched · Last CVE: Apr 17, 2025 · Updated 7mo ago
Risk Assessment

The bft-autoresponder plugin exhibits a mixed security posture. While it demonstrates good practices in utilizing prepared statements for the vast majority of its SQL queries and includes a decent number of nonce and capability checks, several concerning signals emerge from the static analysis and vulnerability history. The presence of the `unserialize` function is a significant red flag, as it is a known vector for object injection vulnerabilities if not handled with extreme care and input validation. Furthermore, the taint analysis reveals several flows with unsanitized paths, including three identified as high severity. This, combined with the plugin's history of 18 known CVEs, including one critical unpatched vulnerability, points to a recurring pattern of security weaknesses that attackers have successfully exploited in the past. The types of common vulnerabilities (CSRF, XSS, Unrestricted Uploads, SQL Injection) further reinforce the need for heightened vigilance.

Key Concerns

  • Unpatched critical vulnerability
  • High severity taint flows detected
  • Dangerous unserialize function present
  • Unsanitized paths in taint analysis
  • Output escaping only 57% proper
  • Large number of past CVEs
Vulnerabilities
18

Arigato Autoresponder and Newsletter Security Vulnerabilities

CVEs by Year

  • 2018: 11 CVEs (has unpatched)
  • 2023: 5 CVEs
  • 2024: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • Critical: 1
  • High: 2
  • Medium: 15

18 total CVEs

CVE-2025-39594 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Arigato Autoresponder and Newsletter <= 2.7.2.4 - Reflected Cross-Site Scripting

Apr 17, 2025 Patched in 2.7.2.5 (5d)
CVE-2024-34823 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Arigato Autoresponder and Newsletter <= 2.7.2.3 - Cross-Site Request Forgery

May 9, 2024 Patched in 2.7.2.4 (7d)
CVE-2023-47686 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Arigato Autoresponder and Newsletter <= 2.7.2.2 - Cross-Site Request Forgery

Nov 9, 2023 Patched in 2.7.2.3 (75d)
CVE-2023-25020 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Arigato Autoresponder and Newsletter <= 2.7.1 - Unauthenticated Stored Cross-Site Scripting

Feb 6, 2023 Patched in 2.7.1.1 (351d)
CVE-2023-25031 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Arigato Autoresponder and Newsletter <= 2.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Feb 6, 2023 Patched in 2.7.1.1 (351d)
CVE-2023-25061 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Arigato Autoresponder and Newsletter <= 2.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 2, 2023 Patched in 2.7.1.1 (355d)
CVE-2023-0543 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Arigato Autoresponder and Newsletter <= 2.1.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Jan 31, 2023 Patched in 2.1.7.2 (357d)
CVE-2018-18461 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

Arigato Autoresponder and Newsletter <= 2.7 - Arbitrary File Upload

Oct 17, 2018 · Unpatched
CVE-2018-1002007 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Arigato Autoresponder and Newsletter <= 2.5.1.8 - Reflected Cross-Site Scripting

Sep 18, 2018 Patched in 2.5.1.9 (1953d)
CVE-2018-1002009 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Arigato Autoresponder and Newsletter <= 2.5.1.8 - Reflected Cross-Site Scripting

Sep 18, 2018 Patched in 2.5.1.9 (1953d)
CVE-2018-1002002 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Arigato Autoresponder and Newsletter <= 2.5.1.8 - Reflected Cross-Site Scripting

Sep 18, 2018 Patched in 2.5.1.9 (1953d)
CVE-2018-1002004 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Arigato Autoresponder and Newsletter <= 2.5.1.8 - Reflected Cross-Site Scripting

Sep 18, 2018 Patched in 2.5.1.9 (1953d)
CVE-2018-1002003 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Arigato Autoresponder and Newsletter <= 2.5.1.8 - Reflected Cross-Site Scripting

Sep 18, 2018 Patched in 2.5.1.9 (1953d)
CVE-2018-1002000 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Arigato Autoresponder and Newsletter <= 2.5.1.8 - SQL Injection

Sep 18, 2018 Patched in 2.5.1.9 (1953d)
CVE-2018-1002006 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Arigato Autoresponder and Newsletter <= 2.5.1.8 - Cross-Site Scripting

Sep 18, 2018 Patched in 2.5.1.9 (1953d)
CVE-2018-1002008 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Arigato Autoresponder and Newsletter <= 2.5.1.8 - Reflected Cross-Site Scripting

Sep 18, 2018 Patched in 2.5.1.9 (1953d)
CVE-2018-1002001 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Arigato Autoresponder and Newsletter <= 2.5.1.8 - Reflected Cross-Site Scripting

Sep 18, 2018 Patched in 2.5.1.9 (1953d)
CVE-2018-1002005 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Arigato Autoresponder and Newsletter <= 2.5.1.8 - Cross-Site Scripting

Sep 18, 2018 Patched in 2.5.1.9 (1953d)
Code Analysis
Analyzed Mar 16, 2026

Arigato Autoresponder and Newsletter Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 8 (149 prepared)
Unescaped Output: 126 (165 escaped)
Nonce Checks: 26
Capability Checks: 4
File Operations: 9
External Requests: 3
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize (controllers\webhooks.php:34): `$payload_config = unserialize(stripslashes($hook->payload_config));`
  • unserialize (controllers\webhooks.php:73): `$config = unserialize(stripslashes($hook->payload_config));`
  • unserialize (controllers\webhooks.php:144): `$config = unserialize(stripslashes($hook->payload_config));`

SQL Query Safety

95% prepared · 157 total queries

Output Escaping

57% escaped · 291 total outputs

Data Flows: 5 unsanitized

Data Flow Analysis

25 flows · 5 with unsanitized paths
bft_subscribe (bft-lib.php:201)
Attack Surface

Arigato Autoresponder and Newsletter Attack Surface

Entry Points: 5
Unprotected: 0

Shortcodes 5

[bft-int-chk] bft-autoresponder.php:80
[bft-num-subs] bft-autoresponder.php:96
[bft-unsubscribe] bft-autoresponder.php:97
[bft-newsletter-archive] bft-autoresponder.php:98
[BFTWP] bft-autoresponder.php:836
WordPress Hooks 19
action admin_enqueue_scripts bft-autoresponder.php:73
action admin_enqueue_scripts bft-autoresponder.php:74
action wp_enqueue_scripts bft-autoresponder.php:75
filter wpcf7_form_elements bft-autoresponder.php:78
action wpcf7_before_send_mail bft-autoresponder.php:79
action grunion_pre_message_sent bft-autoresponder.php:84
action ninja_forms_save_sub bft-autoresponder.php:87
action frm_after_create_entry bft-autoresponder.php:90
action wpforms_process_complete bft-autoresponder.php:93
filter wp_privacy_personal_data_erasers bft-autoresponder.php:101
action arigato_subscribed bft-autoresponder.php:104
action arigato_confirmed bft-autoresponder.php:105
action arigato_unsubscribed bft-autoresponder.php:106
filter the_content bft-autoresponder.php:616
action init bft-autoresponder.php:833
action admin_menu bft-autoresponder.php:834
action template_redirect bft-autoresponder.php:835
action wp_login bft-autoresponder.php:837
action bft_hook_up bft-autoresponder.php:838

Scheduled Events 1

bft_hook_up
Maintenance & Trust

Arigato Autoresponder and Newsletter Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Aug 14, 2025
PHP min version: 8.0
Downloads: 118K

Community Trust

Rating: 94/100
Number of ratings: 34
Active installs: 600
Developer Profile

Arigato Autoresponder and Newsletter Developer Profile

Bob

9 plugins · 5K total installs

Trust score: 66
Avg Security Score: 81/100
Avg Patch Time: 725 days
Detection Fingerprints

How We Detect Arigato Autoresponder and Newsletter

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bft-autoresponder/front.css
/wp-content/plugins/bft-autoresponder/css/admin.css
Version Parameters
bft-autoresponder/front.css?ver=
bft-autoresponder/css/admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
bft-autoresponder
Shortcode Output
[bft-num-subs] [bft-unsubscribe] [bft-newsletter-archive] [bft-int-chk]