Comment Mail Security & Risk Analysis

wordpress.org/plugins/comment-mail

License: GPLv3 or later
License URI: http://www.gnu.org/licenses/gpl-3.0.html
Author: WP Sharks
Author URI: http://comment-mail.

100 active installs · v161213 · PHP + WP 4.4+ · Updated May 20, 2019

Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Comment Mail Safe to Use in 2026?

Generally Safe

Score 85/100

Comment Mail has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 7 years ago
Risk Assessment

The 'comment-mail' plugin v161213 exhibits a generally good security posture with a robust implementation of prepared statements for SQL queries and a high percentage of properly escaped output. The absence of known CVEs and a clean vulnerability history further contribute to its positive security profile. However, the presence of two dangerous functions, `unserialize` and `create_function`, presents a significant concern. These functions, if mishandled or exposed to untrusted input, can lead to serious security vulnerabilities like remote code execution. While the static analysis did not reveal any critical or high-severity taint flows, the potential for exploitation with these functions cannot be ignored. The plugin's attack surface appears minimal, with no exposed AJAX handlers, REST API routes, or shortcodes without authentication checks, which is a strong mitigating factor.

Key Concerns

  • Use of unserialize()
  • Use of create_function()
  • 5 unsanitized path flows in taint analysis
  • 31% output not properly escaped
Vulnerabilities
None known

Comment Mail Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Comment Mail Release Timeline

v161213 (current)
v161129
v161118
v160824
v160818
v160618
v160213
v151224
v150709
Code Analysis
Analyzed Mar 16, 2026

Comment Mail Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 1 raw (80 prepared)
Unescaped Output: 327 unescaped (745 escaped)
Nonce Checks: 1
Capability Checks: 45
File Operations: 15
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize: `$_value = unserialize($_value);` (src\includes\classes\UtilsArray.php:60)
  • create_function: `$path = preg_replace_callback($drive_letter_regex, create_function('$m', 'return strtoupper($m[0]);'` (src\includes\classes\UtilsFs.php:106)

SQL Query Safety

99% prepared (81 total queries)

Output Escaping

69% escaped (1072 total outputs)
Data Flows · Security
5 unsanitized

Data Flow Analysis

5 flows, 5 with unsanitized paths

  • maybeRedirect (src\includes\classes\CommentShortlinkRedirect.php:36)

Flow diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

Comment Mail Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 40

  • action admin_init (src\includes\classes\Conflicts.php:51)
  • action all_admin_notices (src\includes\classes\Conflicts.php:81)
  • action login_footer (src\includes\classes\FrontScripts.php:56)
  • action wp_footer (src\includes\classes\FrontScripts.php:86)
  • action wp_footer (src\includes\classes\FrontScripts.php:119)
  • action after_setup_theme (src\includes\classes\Plugin.php:186)
  • action init (src\includes\classes\Plugin.php:783)
  • action init (src\includes\classes\Plugin.php:784)
  • action init (src\includes\classes\Plugin.php:785)
  • action admin_init (src\includes\classes\Plugin.php:787)
  • action admin_init (src\includes\classes\Plugin.php:788)
  • action all_admin_notices (src\includes\classes\Plugin.php:794)
  • action admin_enqueue_scripts (src\includes\classes\Plugin.php:796)
  • action admin_enqueue_scripts (src\includes\classes\Plugin.php:797)
  • action admin_menu (src\includes\classes\Plugin.php:799)
  • filter set-screen-option (src\includes\classes\Plugin.php:800)
  • filter manage_users_columns (src\includes\classes\Plugin.php:803)
  • filter manage_users_custom_column (src\includes\classes\Plugin.php:804)
  • action init (src\includes\classes\Plugin.php:806)
  • action wp_print_scripts (src\includes\classes\Plugin.php:808)
  • action login_form (src\includes\classes\Plugin.php:810)
  • action login_footer (src\includes\classes\Plugin.php:811)
  • action transition_post_status (src\includes\classes\Plugin.php:813)
  • action before_delete_post (src\includes\classes\Plugin.php:814)
  • action comment_form_must_log_in_after (src\includes\classes\Plugin.php:816)
  • action comment_form_top (src\includes\classes\Plugin.php:817)
  • filter comment_form_submit_field (src\includes\classes\Plugin.php:820)
  • action comment_form (src\includes\classes\Plugin.php:821)
  • action comment_post (src\includes\classes\Plugin.php:823)
  • action transition_comment_status (src\includes\classes\Plugin.php:824)
  • filter pre_option_comment_registration (src\includes\classes\Plugin.php:826)
  • filter pre_comment_approved (src\includes\classes\Plugin.php:827)
  • action user_register (src\includes\classes\Plugin.php:829)
  • action delete_user (src\includes\classes\Plugin.php:830)
  • action wpmu_delete_user (src\includes\classes\Plugin.php:831)
  • action remove_user_from_blog (src\includes\classes\Plugin.php:832)
  • action add_meta_boxes (src\includes\classes\Plugin.php:834)
  • filter cron_schedules (src\includes\classes\Plugin.php:839)
  • action init (src\includes\classes\Plugin.php:840)
  • action init (src\includes\stcr.php:15)
Maintenance & Trust

Comment Mail Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.2.24
Last updated: May 20, 2019
PHP min version: (none given)
Downloads: 13K

Community Trust

Rating: 88/100
Number of ratings: 13
Active installs: 100
Alternatives

Comment Mail Alternatives

No alternatives data available yet.

Developer Profile

Comment Mail Developer Profile

Cristián Lávaque

3 plugins · 29K total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 380 days
Detection Fingerprints

How We Detect Comment Mail

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/comment-mail/assets/css/admin.css
  • /wp-content/plugins/comment-mail/assets/css/comment-mail.css
  • /wp-content/plugins/comment-mail/assets/js/admin.js
  • /wp-content/plugins/comment-mail/assets/js/comment-mail.js
Script Paths
  • /wp-content/plugins/comment-mail/assets/js/admin.js
  • /wp-content/plugins/comment-mail/assets/js/comment-mail.js
Version Parameters
  • comment-mail/assets/css/admin.css?ver=
  • comment-mail/assets/css/comment-mail.css?ver=
  • comment-mail/assets/js/admin.js?ver=
  • comment-mail/assets/js/comment-mail.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • comment-mail-admin-page
  • comment-mail-admin-settings
  • comment-mail-admin-settings-section
HTML Comments
  • <!-- Start: Comment Mail -->
  • <!-- End: Comment Mail -->
  • <!-- Comment Mail Login Form SSO Scripts -->
  • <!-- Comment Mail Comment Form SSO Scripts -->
  (1 more not shown)
Data Attributes
  • data-comment-mail-plugin-options
  • data-comment-mail-plugin-version
JS Globals
CommentMail
FAQ

Frequently Asked Questions about Comment Mail