WebToffee eCommerce Marketing Automation – Email marketing, Popups, Email customizer Security & Risk Analysis

wordpress.org/plugins/decorator-woocommerce-email-customizer

Create and send marketing emails and campaigns. Enable email automations, Popups, spin-a-wheel, sign-up forms, and more. Customize WooCommerce emails.

10K active installs v2.1.5 PHP 5.6+ WP 4.4+ Updated Jan 21, 2026
email-automation, email-customizer, email-marketing, popups, woocommerce-marketing
98
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Oct 30, 2025
Safety Verdict

Is WebToffee eCommerce Marketing Automation – Email marketing, Popups, Email customizer Safe to Use in 2026?

Generally Safe

Score 98/100

WebToffee eCommerce Marketing Automation – Email marketing, Popups, Email customizer has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Oct 30, 2025 · Updated 2mo ago
Risk Assessment

The 'decorator-woocommerce-email-customizer' plugin, version 2.1.5, exhibits a mixed security posture. While it demonstrates good practices like a high percentage of prepared SQL statements and proper output escaping, several areas raise concerns. Specifically, the presence of two REST API routes without permission callbacks represents a significant attack surface that could be exploited by unauthenticated users. The taint analysis also revealed two flows with unsanitized paths, though thankfully these did not escalate to critical or high severity vulnerabilities. The plugin's vulnerability history, with two medium-severity CVEs, both related to missing authorization and CSRF, suggests a recurring pattern of incomplete access control. Although there are no currently unpatched vulnerabilities, this historical trend, combined with the identified unprotected entry points in the static analysis, warrants cautious attention. Overall, the plugin has some strong security foundations but requires immediate attention to address the unprotected REST API routes and the ongoing need for robust authorization checks.

Key Concerns

  • REST API routes without permission callbacks
  • Flows with unsanitized paths in taint analysis
  • History of medium severity CVEs (Missing Auth/CSRF)
Vulnerabilities
2

WebToffee eCommerce Marketing Automation – Email marketing, Popups, Email customizer Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-67599 · medium · 4.3 · Missing Authorization

WebToffee eCommerce Marketing Automation <= 2.1.1 - Missing Authorization

Oct 30, 2025 Patched in 2.1.2 (43d)
CVE-2023-48284 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Decorator - WooCommerce Email Customizer <= 1.2.7 - Cross-Site Request Forgery

Nov 2, 2023 Patched in 1.2.8 (82d)
Code Analysis
Analyzed Mar 16, 2026

WebToffee eCommerce Marketing Automation – Email marketing, Popups, Email customizer Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 3 (5 prepared)
  • Unescaped Output: 32 (610 escaped)
  • Nonce Checks: 14
  • Capability Checks: 3
  • File Operations: 0
  • External Requests: 3
  • Bundled Libraries: 0

SQL Query Safety

63% prepared · 8 total queries

Output Escaping

95% escaped · 642 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

5 flows · 2 with unsanitized paths
wt_decorator_delete_autosave_post (includes\classes\rp-decorator-customizer.class.php:1124)
Attack Surface
2 unprotected

WebToffee eCommerce Marketing Automation – Email marketing, Popups, Email customizer Attack Surface

Entry Points: 13
Unprotected: 2

AJAX Handlers 11

auth · wp_ajax_decorator_submit_uninstall_reason · includes\class-rp-decorator-uninstall-feedback.php:27
auth · wp_ajax_wt_decorator_dismiss_bfcm · includes\classes\class-wt-decorator-bfcm-banner.php:40
auth · wp_ajax_rp_decorator_reset · includes\classes\rp-decorator-customizer.class.php:86
auth · wp_ajax_rp_decorator_set_as_default · includes\classes\rp-decorator-customizer.class.php:88
auth · wp_ajax_rp_decorator_button_text · includes\classes\rp-decorator-customizer.class.php:91
auth · wp_ajax_rp_decorator_delete_autosave_post · includes\classes\rp-decorator-customizer.class.php:93
auth · wp_ajax_wt_send_test_email · includes\classes\rp-decorator-customizer.class.php:96
auth · wp_ajax_wt_apply_prebult_template · includes\classes\rp-decorator-customizer.class.php:99
auth · wp_ajax_wt_send_reset_slider · includes\classes\rp-decorator-customizer.class.php:101
auth · wp_ajax_wbte_sf_disconnect · includes\storefrog\class-storefrog-connector.php:129
auth · wp_ajax_wbte_sf_set_first_time_connect · includes\storefrog\class-storefrog-connector.php:130

REST API Routes 2

GET · /wp-json/wc/v3/decorator/warning-status · includes\storefrog\class-storefrog-connector.php:178
POST · /wp-json/wc/v3/decorator/clear-warning · includes\storefrog\class-storefrog-connector.php:184
WordPress Hooks 53
filter · woocommerce_locate_template · decorator.php:91
action · init · decorator.php:93
action · plugins_loaded · decorator.php:96
action · init · decorator.php:97
action · admin_init · decorator.php:105
action · admin_init · decorator.php:112
action · admin_notices · decorator.php:163
action · admin_notices · decorator.php:168
action · admin_notices · decorator.php:174
action · before_woocommerce_init · decorator.php:592
action · admin_footer · includes\class-rp-decorator-uninstall-feedback.php:26
action · admin_enqueue_scripts · includes\classes\class-wt-decorator-bfcm-banner.php:38
action · admin_notices · includes\classes\class-wt-decorator-bfcm-banner.php:39
action · admin_footer · includes\classes\class-wt-decorator-bfcm-banner.php:41
action · customize_register · includes\classes\rp-decorator-customizer.class.php:75
filter · woocommerce_email_styles · includes\classes\rp-decorator-customizer.class.php:78
action · woocommerce_email_header · includes\classes\rp-decorator-customizer.class.php:82
action · woocommerce_email_header · includes\classes\rp-decorator-customizer.class.php:84
action · customize_register · includes\classes\rp-decorator-customizer.class.php:109
filter · user_has_cap · includes\classes\rp-decorator-customizer.class.php:112
filter · customize_loaded_components · includes\classes\rp-decorator-customizer.class.php:115
filter · customize_section_active · includes\classes\rp-decorator-customizer.class.php:118
filter · customize_control_active · includes\classes\rp-decorator-customizer.class.php:121
filter · customize_controls_enqueue_scripts · includes\classes\rp-decorator-customizer.class.php:124
filter · user_has_cap · includes\classes\rp-decorator-customizer.class.php:144
action · customize_controls_head · includes\classes\rp-decorator-preview.class.php:61
filter · customize_save_response · includes\classes\rp-decorator-preview.class.php:62
filter · customize_changeset_save_data · includes\classes\rp-decorator-preview.class.php:63
action · init · includes\classes\rp-decorator-preview.class.php:64
action · parse_request · includes\classes\rp-decorator-preview.class.php:65
action · admin_menu · includes\classes\rp-decorator-preview.class.php:68
action · admin_footer · includes\classes\rp-decorator-preview.class.php:71
action · wp_footer · includes\classes\rp-decorator-preview.class.php:129
action · wt_decorator_email_body_content · includes\classes\rp-decorator-wc.class.php:55
action · wt_decorator_email_body_content_text · includes\classes\rp-decorator-wc.class.php:57
filter · woocommerce_email_format_string · includes\classes\rp-decorator-wc.class.php:58
filter · woocommerce_email_order_items_args · includes\classes\rp-decorator-wc.class.php:60
filter · woocommerce_email_settings · includes\classes\rp-decorator-wc.class.php:62
action · woocommerce_admin_field_rp_decorator_open_customizer_button · includes\classes\rp-decorator-wc.class.php:63
action · admin_init · includes\classes\wt-decorator-review_request.class.php:47
action · admin_notices · includes\classes\wt-decorator-review_request.class.php:59
action · admin_print_footer_scripts · includes\classes\wt-decorator-review_request.class.php:60
action · admin_menu · includes\storefrog\class-storefrog-connector.php:127
action · init · includes\storefrog\class-storefrog-connector.php:128
action · wp_enqueue_scripts · includes\storefrog\class-storefrog-connector.php:133
filter · script_loader_tag · includes\storefrog\class-storefrog-connector.php:136
action · wc_ajax_get_storefrog_data_object · includes\storefrog\class-storefrog-connector.php:139
action · init · includes\storefrog\class-storefrog-connector.php:141
action · admin_init · includes\storefrog\class-storefrog-connector.php:144
action · rest_api_init · includes\storefrog\class-storefrog-connector.php:147
action · wp_footer · includes\storefrog\class-storefrog-connector.php:150
action · woocommerce_single_product_summary · includes\storefrog\class-storefrog-connector.php:153
action · wp_footer · includes\storefrog\class-storefrog-connector.php:154
Maintenance & Trust

WebToffee eCommerce Marketing Automation – Email marketing, Popups, Email customizer Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 21, 2026
PHP min version: 5.6
Downloads: 308K

Community Trust

Rating: 96/100
Number of ratings: 54
Active installs: 10K
Developer Profile

WebToffee eCommerce Marketing Automation – Email marketing, Popups, Email customizer Developer Profile

WebToffee

17 plugins · 377K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 155 days
Detection Fingerprints

How We Detect WebToffee eCommerce Marketing Automation – Email marketing, Popups, Email customizer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/decorator-woocommerce-email-customizer/admin/css/wt-decorator-admin.css
/wp-content/plugins/decorator-woocommerce-email-customizer/admin/js/wt-decorator-admin.js
/wp-content/plugins/decorator-woocommerce-email-customizer/assets/css/wt-decorator-frontend.css
/wp-content/plugins/decorator-woocommerce-email-customizer/assets/js/wt-decorator-frontend.js
/wp-content/plugins/decorator-woocommerce-email-customizer/assets/js/wt-decorator-color-picker.js
Script Paths
admin/js/wt-decorator-admin.js
assets/js/wt-decorator-frontend.js
assets/js/wt-decorator-color-picker.js
Version Parameters
decorator-woocommerce-email-customizer/admin/css/wt-decorator-admin.css?ver=
decorator-woocommerce-email-customizer/admin/js/wt-decorator-admin.js?ver=
decorator-woocommerce-email-customizer/assets/css/wt-decorator-frontend.css?ver=
decorator-woocommerce-email-customizer/assets/js/wt-decorator-frontend.js?ver=
decorator-woocommerce-email-customizer/assets/js/wt-decorator-color-picker.js?ver=

HTML / DOM Fingerprints

CSS Classes
wt-decorator-admin-wrapper
wt-decorator-admin-content
Data Attributes
data-wt-decorator-id
JS Globals
wt_decorator_data
FAQ

Frequently Asked Questions about WebToffee eCommerce Marketing Automation – Email marketing, Popups, Email customizer