WP-Safety

Customize WordPress Emails and Alerts – Better Notifications for WP Security & Risk Analysis

wordpress.org/plugins/bnfw

Supercharge your WordPress email notifications using a WYSIWYG editor and shortcodes. Default and new notifications available. Add-ons available.

30K active installs v1.9.9.1 PHP 7.4+ WP 4.8+ Updated Sep 8, 2025
alertemailmessagenotificationnotify
99
A · Safe
CVEs total2
Unpatched0
Last CVEMay 18, 2023
Plugin page Download
Safety Verdict

Is Customize WordPress Emails and Alerts – Better Notifications for WP Safe to Use in 2026?

Generally Safe

Score 99/100

Customize WordPress Emails and Alerts – Better Notifications for WP has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: May 18, 2023Updated 8mo ago
Risk Assessment

The plugin "bnfw" v1.9.9.1 demonstrates several positive security practices, including the use of prepared statements for all SQL queries and a robust implementation of nonce and capability checks across its entry points. The absence of unprotected AJAX handlers and REST API routes is commendable, indicating a generally well-secured attack surface. However, the presence of the `unserialize` function is a notable concern, as it can lead to object injection vulnerabilities if not handled with extreme care and strict input validation. While the taint analysis did not reveal critical or high severity issues, one flow with an unsanitized path warrants attention as it represents a potential avenue for exploitation.

The vulnerability history reveals two past medium severity CVEs, specifically related to Cross-Site Request Forgery (CSRF) and Exposure of Sensitive Information. The fact that there are no currently unpatched vulnerabilities is a positive sign, suggesting that the developers are responsive to security issues. However, the recurring nature of these vulnerability types in the past indicates a potential weakness in input sanitization and authorization logic that needs ongoing vigilance. Overall, the plugin has a decent security posture with good foundational practices, but the identified risks, particularly around `unserialize` and past vulnerability patterns, require careful monitoring and potential mitigation.

Key Concerns

  • Dangerous function unserialize detected
  • Flow with unsanitized path in taint analysis
  • Previous medium severity CVEs (2)
Vulnerabilities
2 published

Customize WordPress Emails and Alerts – Better Notifications for WP Security Vulnerabilities

CVEs by Year

1 CVE in 2022
2022
1 CVE in 2023
2023
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2023-32964medium · 4.3Cross-Site Request Forgery (CSRF)

Better Notifications for WP <= 1.9.2 - Cross-Site Request Forgery via handle_actions

May 18, 2023 Patched in 1.9.3 (250d)
CVE-2022-0345medium · 4.3Exposure of Sensitive Information to an Unauthorized Actor

Better Notifications for WP <= 1.8.6 - Email Address Disclosure

Jan 31, 2022 Patched in 1.8.7 (722d)
Version History

Customize WordPress Emails and Alerts – Better Notifications for WP Release Timeline

v1.9.9.1Current
v1.9.9
v1.9.8
v1.9.7
v1.9.6
v1.9.5
v1.9.4
v1.9.3
v1.9.21 CVE
CVE-2023-32964
v1.9.11 CVE
CVE-2023-32964
v1.91 CVE
CVE-2023-32964
v1.8.111 CVE
CVE-2023-32964
v1.8.101 CVE
CVE-2023-32964
v1.8.91 CVE
CVE-2023-32964
v1.8.81 CVE
CVE-2023-32964
v1.8.71 CVE
CVE-2023-32964
v1.8.62 CVEs
CVE-2023-32964 CVE-2022-0345
v1.8.52 CVEs
CVE-2023-32964 CVE-2022-0345
v1.8.42 CVEs
CVE-2023-32964 CVE-2022-0345
v1.8.32 CVEs
CVE-2023-32964 CVE-2022-0345
Code Analysis
Analyzed Mar 16, 2026

Customize WordPress Emails and Alerts – Better Notifications for WP Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
3 prepared
Unescaped Output
25
142 escaped
Nonce Checks
4
Capability Checks
6
File Operations
0
External Requests
2
Bundled Libraries
1

Dangerous Functions Found

unserialize$icons = is_string( $plugin->icons ) ? unserialize( $plugin->iconsincludes\license\class-bnfw-license.php:126

Bundled Libraries

Select2

SQL Query Safety

100% prepared3 total queries

Output Escaping

85% escaped167 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

2 flows1 with unsanitized paths
show_help_notice (includes\admin\class-bnfw-notification.php:1658)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Customize WordPress Emails and Alerts – Better Notifications for WP Attack Surface

Entry Points3
Unprotected0

AJAX Handlers 2

authwp_ajax_bnfw_search_usersincludes\helpers\ajax-helpers.php:68
authwp_ajax_bnfw_search_usersincludes\helpers\class-bnfw-ajax.php:20

Shortcodes 1

[post_term] includes\engine\class-bnfw-engine.php:937
WordPress Hooks 93
actioninitbnfw.php:147
actionadmin_initbnfw.php:148
actionadmin_initbnfw.php:149
actionauto-draft_to_privatebnfw.php:152
actiondraft_to_privatebnfw.php:154
actionfuture_to_privatebnfw.php:155
actionpending_to_privatebnfw.php:156
actionpublish_to_privatebnfw.php:157
actionwp_insert_postbnfw.php:159
actionattachment_updatedbnfw.php:161
actionpublish_to_trashbnfw.php:163
actionauto-draft_to_publishbnfw.php:165
actiondraft_to_publishbnfw.php:166
actionfuture_to_publishbnfw.php:167
actionpending_to_publishbnfw.php:168
actionprivate_to_publishbnfw.php:169
actionpublish_to_publishbnfw.php:171
actionprivate_to_privatebnfw.php:172
actionadd_attachmentbnfw.php:174
actionedit_attachmentbnfw.php:175
actiontransition_post_statusbnfw.php:177
actioninitbnfw.php:179
actioncreate_termbnfw.php:180
actiontransition_comment_statusbnfw.php:182
actioncomment_postbnfw.php:183
actiontrackback_postbnfw.php:184
actionpingback_postbnfw.php:185
actionuser_registerbnfw.php:187
actionuser_registerbnfw.php:189
actionadd_user_rolebnfw.php:193
actionremove_user_rolebnfw.php:194
actionset_user_rolebnfw.php:195
actionprofile_updatebnfw.php:197
actionset_user_rolebnfw.php:199
actionwp_loginbnfw.php:202
filterretrieve_password_titlebnfw.php:205
filterretrieve_password_titlebnfw.php:207
actionlostpassword_postbnfw.php:209
filterretrieve_password_messagebnfw.php:210
actionafter_password_resetbnfw.php:212
filtersend_password_change_emailbnfw.php:214
filterpassword_change_emailbnfw.php:215
filtersend_email_change_emailbnfw.php:217
filteremail_change_emailbnfw.php:218
filternew_user_email_contentbnfw.php:219
filterauto_core_update_emailbnfw.php:221
filteruser_request_action_email_contentbnfw.php:223
filteruser_request_action_email_subjectbnfw.php:224
filteruser_confirmed_action_email_contentbnfw.php:226
filterwp_privacy_personal_data_email_contentbnfw.php:228
filteruser_erasure_complete_email_subjectbnfw.php:230
filteruser_confirmed_action_email_contentbnfw.php:231
filterplugin_action_linksbnfw.php:233
filterwp_mailbnfw.php:234
actionshutdownbnfw.php:235
filterwp_mail_content_typebnfw.php:809
filterwp_mail_content_typebnfw.php:814
filterwp_mail_content_typebnfw.php:985
filterwp_mail_content_typebnfw.php:987
filterwp_mail_content_typebnfw.php:1095
filterwp_mail_content_typebnfw.php:1097
actionadmin_menuincludes\admin\bnfw-settings.php:23
actionadmin_menuincludes\admin\bnfw-settings.php:24
actionadmin_headincludes\admin\bnfw-settings.php:25
actionadmin_initincludes\admin\bnfw-settings.php:208
actioninitincludes\admin\class-bnfw-notification.php:25
actiondo_meta_boxesincludes\admin\class-bnfw-notification.php:26
actionsave_postincludes\admin\class-bnfw-notification.php:28
actionedit_form_topincludes\admin\class-bnfw-notification.php:29
filterpost_updated_messagesincludes\admin\class-bnfw-notification.php:30
filteruse_block_editor_for_post_typeincludes\admin\class-bnfw-notification.php:32
filterbulk_actions-edit-bnfw_notificationincludes\admin\class-bnfw-notification.php:34
filterhandle_bulk_actions-edit-bnfw_notificationincludes\admin\class-bnfw-notification.php:35
filterpost_row_actionsincludes\admin\class-bnfw-notification.php:38
actionadmin_initincludes\admin\class-bnfw-notification.php:39
actionadmin_enqueue_scriptsincludes\admin\class-bnfw-notification.php:46
actionadmin_noticesincludes\admin\class-bnfw-notification.php:48
actionadmin_print_scriptsincludes\admin\class-bnfw-notification.php:50
filterremovable_query_argsincludes\admin\class-bnfw-notification.php:51
filterredirect_post_locationincludes\admin\class-bnfw-notification.php:857
actionadmin_menuincludes\admin\class-bnfw-settings.php:20
actionadmin_menuincludes\admin\class-bnfw-settings.php:21
actionadmin_headincludes\admin\class-bnfw-settings.php:22
actionadmin_initincludes\admin\class-bnfw-settings.php:23
filterwp_mail_content_typeincludes\engine\class-bnfw-engine.php:1726
filterwp_mail_content_typeincludes\engine\class-bnfw-engine.php:1731
actionadmin_menuincludes\license\class-bnfw-license-setting.php:20
actionadmin_initincludes\license\class-bnfw-license-setting.php:21
filterbnfw_settings_licensesincludes\license\class-bnfw-license.php:93
actionadmin_initincludes\license\class-bnfw-license.php:96
actionadmin_initincludes\license\class-bnfw-license.php:99
filterpre_set_site_transient_update_pluginsincludes\license\class-bnfw-license.php:101
filterbnfw_post_notificationsincludes\notification\post-notification.php:36
Maintenance & Trust

Customize WordPress Emails and Alerts – Better Notifications for WP Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedSep 8, 2025
PHP min version7.4
Downloads1.0M

Community Trust

Rating96/100
Number of ratings184
Active installs30K
Alternatives

Customize WordPress Emails and Alerts – Better Notifications for WP Alternatives

Notification – Custom Notifications and Alerts for WordPress

Notification – Custom Notifications and Alerts for WordPress

notification

A
100

Take full control of WordPress emails and notifications. Replace default messages, add custom triggers, and send alerts via email, webhook, Slack, and &hellip;

10K 1 CVE
Get Notified

Get Notified

get-notified

A
85

Get Notified is a simple to use notification plugin that notifies you of certain WordPress events.

10 No CVEs
Email Notification on Login

Email Notification on Login

email-notification-on-login

B
79

Receive an email after each successful login with the user information

1K 1 unpatched
Simple Login Notification

Simple Login Notification

simple-login-notification

A
100

Sends a notification email when admins and other users log in to your site.

1K No CVEs
Post Status Notifier Lite

Post Status Notifier Lite

post-status-notifier-lite

A
90

Notify on every post change: Flexible rules, custom placeholders and support for all post types and taxonomies.

800 3 CVEs
Developer Profile

Customize WordPress Emails and Alerts – Better Notifications for WP Developer Profile

Jack - BNFW

2 plugins · 30K total installs

73
trust score
Avg Security Score
92/100
Avg Patch Time
486 days
View full developer profile
Detection Fingerprints

How We Detect Customize WordPress Emails and Alerts – Better Notifications for WP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bnfw/assets/css/admin-styles.css/wp-content/plugins/bnfw/assets/css/common.css/wp-content/plugins/bnfw/assets/js/admin-script.js/wp-content/plugins/bnfw/assets/js/editor-script.js/wp-content/plugins/bnfw/assets/js/select2/select2.min.js/wp-content/plugins/bnfw/assets/js/select2/select2.css/wp-content/plugins/bnfw/assets/js/tinymce/tinymce.min.js/wp-content/plugins/bnfw/assets/js/tinymce/themes/modern/theme.min.js+46 more
Script Paths
/wp-content/plugins/bnfw/assets/js/admin-script.js/wp-content/plugins/bnfw/assets/js/editor-script.js/wp-content/plugins/bnfw/assets/js/select2/select2.min.js/wp-content/plugins/bnfw/assets/js/tinymce/tinymce.min.js/wp-content/plugins/bnfw/assets/js/tinymce/themes/modern/theme.min.js/wp-content/plugins/bnfw/assets/js/tinymce/plugins/textcolor/plugin.min.js+45 more

HTML / DOM Fingerprints

CSS Classes
bnfw-notification-meta
JS Globals
bnfw_admin_scripttinymce
FAQ

Frequently Asked Questions about Customize WordPress Emails and Alerts – Better Notifications for WP