Creative Mail – Easier WordPress & WooCommerce Email Marketing Security & Risk Analysis

wordpress.org/plugins/creative-mail-by-constant-contact

Creative Mail was designed specifically for WordPress and WooCommerce. Our intelligent (and super fun) email editor simplifies email marketing campaig …

300K active installs · v1.6.9 · PHP 7.3+ · WP 4.9+ · Updated May 6, 2024
Tags: contact-form, email, marketing, newsletter, subscribe

Security score: 90 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Oct 28, 2022
Safety Verdict

Is Creative Mail – Easier WordPress & WooCommerce Email Marketing Safe to Use in 2026?

Generally Safe

Score 90/100

Creative Mail – Easier WordPress & WooCommerce Email Marketing has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Oct 28, 2022 · Updated 1yr ago
Risk Assessment

The plugin 'creative-mail-by-constant-contact' v1.6.9 exhibits a mixed security posture. It demonstrates good practices such as using prepared statements for all SQL queries and a high percentage of properly escaped output, but there are notable areas of concern. Three AJAX handlers are registered without authentication checks, a significant attack vector that could allow unauthorized actions if those endpoints are exploitable. The use of `unserialize`, even though it does not currently show up in taint analysis, is a known risky function and should be treated with caution.

The plugin's vulnerability history is troubling: 3 known High severity CVEs, all of which are now patched. The recurring pattern of High severity vulnerabilities, particularly Cross-Site Request Forgery (CSRF), suggests weaknesses in its handling of user actions and state management. That these have historically been high-severity issues warrants continued vigilance, even though the current version is patched.

In conclusion, while the plugin handles database queries and output escaping well, the unprotected AJAX endpoints and the historical prevalence of high-severity CSRF vulnerabilities are significant weaknesses, and the use of `unserialize` introduces a latent risk. The immediate situation appears stable because the known CVEs are patched, but careful monitoring, and potentially further hardening of the AJAX endpoints and authentication mechanisms, is recommended.

Key Concerns

  • 3 AJAX handlers without auth checks
  • Use of dangerous function: unserialize
  • Total of 3 High severity CVEs historically
Vulnerabilities (3)

Creative Mail – Easier WordPress & WooCommerce Email Marketing Security Vulnerabilities

CVEs by Year

2022: 3 CVEs (all patched)

Severity Breakdown

High: 3 (3 total CVEs)

CVE-2022-40686 · High · 8.8 · Cross-Site Request Forgery (CSRF)

Creative Mail <= 1.5.4 - Cross-Site Request Forgery to Plugin Deactivation

Oct 28, 2022 · Patched in 1.6.0 (452d)

CVE-2022-44740 · High · 8.8 · Cross-Site Request Forgery (CSRF)

Creative Mail <= 1.5.4 - Cross-Site Request Forgery

Oct 28, 2022 · Patched in 1.6.0 (452d)

CVE-2022-40687 · High · 8.8 · Cross-Site Request Forgery (CSRF)

Creative Mail <= 1.5.4 - Cross-Site Request Forgery to Settings Disconnect

Oct 28, 2022 · Patched in 1.6.0 (452d)
Code Analysis (analyzed Mar 16, 2026)

Creative Mail – Easier WordPress & WooCommerce Email Marketing Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (38 prepared)
Unescaped Output: 8 (142 escaped)
Nonce Checks: 15
Capability Checks: 4
File Operations: 2
External Requests: 17
Bundled Libraries: 0

Dangerous Functions Found

unserialize: `$form_data = unserialize($formSubmission->form_value);` (src\Modules\Contacts\Handlers\ContactFormSevenPluginHandler.php:153)

SQL Query Safety

100% prepared (38 total queries)

Output Escaping

95% escaped (150 total outputs)

Attack Surface (3 unprotected)

Creative Mail – Easier WordPress & WooCommerce Email Marketing Attack Surface

Entry Points: 11
Unprotected: 3

AJAX Handlers (11)

auth · wp_ajax_woocommerce_ce4wp_rated · src\Managers\AdminManager.php:116
auth · wp_ajax_ce4wp_request_sso · src\Managers\AdminManager.php:120
auth · wp_ajax_ce4wp_deactivate_survey · src\Managers\AdminManager.php:126
auth · wp_ajax_ce4wp_abandoned_checkouts_capture_guest_checkout · src\Managers\CheckoutManager.php:89
nopriv · wp_ajax_ce4wp_abandoned_checkouts_capture_guest_checkout · src\Managers\CheckoutManager.php:90
auth · wp_ajax_ce4wp_abandoned_checkouts_no_consent_checkout · src\Managers\CheckoutManager.php:92
nopriv · wp_ajax_ce4wp_abandoned_checkouts_no_consent_checkout · src\Managers\CheckoutManager.php:93
auth · wp_ajax_ce4wp_form_submission · src\Managers\FormManager.php:43
nopriv · wp_ajax_ce4wp_form_submission · src\Managers\FormManager.php:44
auth · wp_ajax_ce4wp_get_all_custom_lists · src\Managers\FormManager.php:45
auth · wp_ajax_ce4wp_creative_email_activated · src\Managers\FormManager.php:46
WordPress Hooks (57)

action · plugins_loaded · creative-mail-plugin.php:135
action · init · creative-mail-plugin.php:140
action · init · src\blocks\LoadBlock.php:17
filter · admin_footer_text · src\Managers\AdminManager.php:115
action · wp_dashboard_setup · src\Managers\AdminManager.php:117
action · admin_footer · src\Managers\AdminManager.php:125
action · rest_api_init · src\Managers\ApiManager.php:65
action · woocommerce_before_checkout_form · src\Managers\CheckoutManager.php:78
filter · woocommerce_form_field_ce4wp_notice · src\Managers\CheckoutManager.php:80
filter · woocommerce_checkout_fields · src\Managers\CheckoutManager.php:81
action · woocommerce_after_template_part · src\Managers\CheckoutManager.php:83
action · woocommerce_add_to_cart · src\Managers\CheckoutManager.php:84
action · woocommerce_cart_item_removed · src\Managers\CheckoutManager.php:85
action · woocommerce_cart_item_restored · src\Managers\CheckoutManager.php:86
action · woocommerce_cart_item_set_quantity · src\Managers\CheckoutManager.php:87
action · woocommerce_checkout_create_order · src\Managers\CheckoutManager.php:95
action · woocommerce_checkout_order_processed · src\Managers\CheckoutManager.php:96
action · woocommerce_order_status_completed · src\Managers\CheckoutManager.php:97
action · wp_loaded · src\Managers\CheckoutManager.php:108
action · wp_loaded · src\Managers\CheckoutManager.php:112
action · woocommerce_order_status_completed · src\Managers\CheckoutManager.php:840
action · admin_init · src\Managers\DatabaseManager.php:66
action · init · src\Managers\EmailManager.php:56
filter · woocommerce_email_setting_columns · src\Managers\EmailManager.php:59
action · woocommerce_email_setting_column_wc_ce_status · src\Managers\EmailManager.php:60
action · woocommerce_email_settings_before · src\Managers\EmailManager.php:61
action · woocommerce_new_order · src\Managers\EmailManager.php:64
action · woocommerce_order_status_cancelled · src\Managers\EmailManager.php:65
action · woocommerce_order_status_failed · src\Managers\EmailManager.php:66
action · woocommerce_order_status_on-hold · src\Managers\EmailManager.php:67
action · woocommerce_order_status_processing · src\Managers\EmailManager.php:68
action · woocommerce_order_status_completed · src\Managers\EmailManager.php:69
action · woocommerce_order_status_refunded · src\Managers\EmailManager.php:70
action · woocommerce_after_resend_order_email · src\Managers\EmailManager.php:71
action · woocommerce_payment_complete · src\Managers\EmailManager.php:74
action · woocommerce_new_customer_note · src\Managers\EmailManager.php:76
action · woocommerce_reset_password_notification · src\Managers\EmailManager.php:78
action · woocommerce_created_customer · src\Managers\EmailManager.php:79
filter · woocommerce_email_settings · src\Managers\EmailManager.php:81
action · woocommerce_admin_field_ce_manage_button · src\Managers\EmailManager.php:82
filter · woocommerce_after_order_notes · src\Managers\EmailManager.php:85
action · woocommerce_checkout_update_order_meta · src\Managers\EmailManager.php:86
filter · woocommerce_email_classes · src\Managers\EmailManager.php:89
filter · woocommerce_email_title · src\Managers\EmailManager.php:622
filter · woocommerce_email_description · src\Managers\EmailManager.php:623
action · wb4wp_contacts_updated · src\Modules\Contacts\Handlers\BlueHostBuilderPluginHandler.php:65
action · caldera_forms_submit_complete · src\Modules\Contacts\Handlers\CalderaPluginHandler.php:120
action · wpcf7_mail_sent · src\Modules\Contacts\Handlers\ContactFormSevenPluginHandler.php:118
action · ce4wp_contact_submission · src\Modules\Contacts\Handlers\CreativeMailPluginHandler.php:54
action · elementor_pro/forms/mail_sent · src\Modules\Contacts\Handlers\ElementorPluginHandler.php:92
action · frm_after_create_entry · src\Modules\Contacts\Handlers\FormidablePluginHandler.php:158
action · gform_after_submission · src\Modules\Contacts\Handlers\GravityFormsPluginHandler.php:185
action · grunion_after_message_sent · src\Modules\Contacts\Handlers\JetpackPluginHandler.php:120
action · newsletter_user_confirmed · src\Modules\Contacts\Handlers\NewsLetterContactFormPluginHandler.php:69
action · ninja_forms_after_submission · src\Modules\Contacts\Handlers\NinjaFormsPluginHandler.php:173
action · woocommerce_checkout_order_created · src\Modules\Contacts\Handlers\WooCommercePluginHandler.php:194
action · wpforms_process_complete · src\Modules\Contacts\Handlers\WpFormsPluginHandler.php:158
Maintenance & Trust

Creative Mail – Easier WordPress & WooCommerce Email Marketing Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.5.8
Last updated: May 6, 2024
PHP min version: 7.3
Downloads: 21.8M

Community Trust

Rating: 90/100
Number of ratings: 391
Active installs: 300K
Developer Profile

Creative Mail – Easier WordPress & WooCommerce Email Marketing Developer Profile

Constant Contact

3 plugins · 321K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 384 days
Detection Fingerprints

How We Detect Creative Mail – Easier WordPress & WooCommerce Email Marketing

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths: /wp-content/plugins/creative-mail-by-constant-contact/assets/js/block/submit.js
Script Paths: /wp-content/plugins/creative-mail-by-constant-contact/assets/js/block/submit.js
Version Parameters: /wp-content/plugins/creative-mail-by-constant-contact/assets/js/block/submit.js?ver=

HTML / DOM Fingerprints

Data Attributes: ce4wp_data_var
JS Globals: ce4wp_form_submit_data
REST Endpoints: /creativemail/v1/callback
FAQ

Frequently Asked Questions about Creative Mail – Easier WordPress & WooCommerce Email Marketing