DM Confirm Email Security & Risk Analysis

wordpress.org/plugins/dm-confirm-email

Protect your WordPress site from spam registration. DM Confirm Email requires new users to confirm their email addresses.

100 active installs · v1.4 · PHP + · WP 3.6+ · Updated Mar 11, 2014
confirm email registration security spam
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is DM Confirm Email Safe to Use in 2026?

Generally Safe

Score 85/100

DM Confirm Email has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 12yr ago
Risk Assessment

The dm-confirm-email plugin, version 1.4, presents a mixed security picture. On the positive side, it demonstrates good practices by exclusively using prepared statements for all SQL queries and shows a high percentage of properly escaped output. Furthermore, its attack surface is commendably small, with no apparent AJAX handlers, REST API routes, shortcodes, or cron events that are exposed or lack authentication.

However, the taint analysis raises significant concerns: three flows with unsanitized paths were identified and flagged as high severity. While there are no recorded CVEs for this plugin, the presence of high-severity taint flows suggests a potential for vulnerabilities that could be exploited if an attacker can manipulate the data flowing through these unsanitized paths. No nonce or capability checks were found; although the plugin currently has zero entry points, their absence remains a potential weakness should the plugin evolve to include entry points in the future.

In conclusion, while the plugin has a clean vulnerability history and employs secure coding practices for its database interactions and output handling, the high-severity taint flows are a critical concern that necessitates immediate attention. The lack of any recorded vulnerabilities to date may be due to the plugin's limited current attack surface, but the identified taint issues represent a latent risk.

Key Concerns

  • High severity taint flows with unsanitized paths
  • No nonce checks on entry points
  • No capability checks on entry points
  • Minor output escaping issues (17% not properly escaped)
Vulnerabilities
None known

DM Confirm Email Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

DM Confirm Email Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (8 prepared)
Unescaped Output: 11 (53 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 8 total queries

Output Escaping

83% escaped · 64 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

4 flows · 3 with unsanitized paths
formRegister (models\login-register.php:28)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

DM Confirm Email Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 17
action · admin_enqueue_scripts · dm-confirm-email.php:50
filter · wp_mail_content_type · inc\pluggable.php:43
action · login_form_confirm · models\login-confirm.php:19
filter · wp_login_errors · models\login-confirm.php:40
filter · wp_login_errors · models\login-confirm.php:42
filter · wp_login_errors · models\login-confirm.php:46
action · login_form_register · models\login-register.php:17
action · dm_ec_reg · models\login-register.php:18
filter · registration_errors · models\login-register.php:19
action · login_form_dmec · models\login-register.php:20
filter · wp_login_errors · models\login-register.php:160
action · login_form_resendec · models\login-resend.php:4
action · admin_init · models\plugin-page.php:4
action · admin_menu · models\plugin-page.php:5
filter · wp_mail_content_type · models\registration.php:138
action · user_register · models\welcome_message.php:10
filter · wp_mail_content_type · models\welcome_message.php:21
Maintenance & Trust

DM Confirm Email Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.7.41
Last updated: Mar 11, 2014
PHP min version
Downloads: 22K

Community Trust

Rating: 82/100
Number of ratings: 7
Active installs: 100
Developer Profile

DM Confirm Email Developer Profile

Michael

2 plugins · 800 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect DM Confirm Email

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/dm-confirm-email/css/general.css
/wp-content/plugins/dm-confirm-email/js/general.js
Script Paths
/wp-content/plugins/dm-confirm-email/js/general.js
Version Parameters
dm-confirm-email/css/general.css?ver=1.4
dm-confirm-email/js/general.js?ver=1.4
