Draft Notify Security & Risk Analysis

wordpress.org/plugins/draft-notify

This plugin is designed to send an email notification whenever a draft is saved.

100 active installs · v1.5 · PHP + WP 3.0.1+ · Updated Apr 5, 2018

Tags: authors, draft-notification, drafts, email-notification

Score: 63 · Grade C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Dec 21, 2025
Safety Verdict

Is Draft Notify Safe to Use in 2026?

Use With Caution

Score 63/100

Draft Notify has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Dec 21, 2025 · Updated 8yr ago
Risk Assessment

The draft-notify v1.5 plugin presents a mixed security posture. On the positive side, static analysis reveals a very limited attack surface: no AJAX handlers, REST API routes, shortcodes, or cron events were found. No critical or high severity taint flows were identified, and the plugin performs no file operations or external HTTP requests, which are good indicators of secure coding practice in those areas. However, significant concerns arise from SQL query handling and output escaping. All three SQL queries are executed without prepared statements, posing a risk of SQL injection, and a large majority of output (87%) is not escaped, creating a high risk of Cross-Site Scripting (XSS).

The vulnerability history is a major red flag: one medium severity Cross-Site Scripting CVE remains unpatched. This indicates a recurring issue with input sanitization and output escaping, mirroring the findings of the static code analysis. That the vulnerability is recent (2025) and still unpatched is particularly concerning. Although the plugin has a small attack surface, the weaknesses in SQL handling and output escaping, combined with a known unpatched XSS vulnerability, significantly elevate the overall risk. Users should exercise caution and consider alternatives, or ensure this specific vulnerability is addressed before deployment.

Key Concerns

  • Unpatched CVE (Medium Severity)
  • Raw SQL queries without prepared statements
  • High percentage of unescaped output
  • No nonce checks
  • No capability checks
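The four concerns above map onto four well-known WordPress hardening patterns. The following is an added illustration, not code from the Draft Notify plugin or its author: each weak form the scanner flags is shown next to its hardened form, using the same save_post and admin_init hooks the attack-surface section lists. All function, option and nonce names (prefixed dn_example_) are hypothetical.

```php
<?php
// Added illustration (not the Draft Notify plugin's code): the defensive
// patterns behind the Key Concerns, weak form beside hardened form.
// All dn_example_* names and the option key are hypothetical.

// 1. SQL: value concatenated into the query text vs. $wpdb->prepare().
function dn_example_get_author_email_unsafe( $post_id ) {
    global $wpdb;
    // Flagged as "raw SQL query without prepared statements": $post_id is
    // spliced into the SQL string, so whoever controls it controls the query.
    return $wpdb->get_var(
        "SELECT u.user_email FROM {$wpdb->users} u
         JOIN {$wpdb->posts} p ON p.post_author = u.ID
         WHERE p.ID = " . $post_id
    );
}

function dn_example_get_author_email( $post_id ) {
    global $wpdb;
    // %d is an integer placeholder; the value never becomes part of the SQL text.
    return $wpdb->get_var( $wpdb->prepare(
        "SELECT u.user_email FROM {$wpdb->users} u
         JOIN {$wpdb->posts} p ON p.post_author = u.ID
         WHERE p.ID = %d",
        $post_id
    ) );
}

// 2. Output: a stored option echoed verbatim vs. escaped for its context.
function dn_example_render_recipient_field() {
    $recipient = get_option( 'dn_example_recipient', '' );
    // Flagged as "unescaped output": a stored value printed into the admin
    // page unchanged is the shape of an Administrator+ stored XSS.
    // echo '<input name="dn_example_recipient" value="' . $recipient . '">';

    // Hardened: escape for the attribute context the value is printed into,
    // and emit a nonce field the save handler will verify.
    echo '<input type="email" name="dn_example_recipient" value="'
        . esc_attr( $recipient ) . '">';
    wp_nonce_field( 'dn_example_save', 'dn_example_nonce' );
}

// 3 + 4. Settings save handler with capability and nonce checks, then
// sanitisation before anything is written to the database.
function dn_example_save_settings() {
    if ( ! isset( $_POST['dn_example_recipient'] ) ) {
        return;
    }
    // Capability check: only users who may manage options can change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'dn-example' ) );
    }
    // Nonce check: the request must come from our own settings form.
    check_admin_referer( 'dn_example_save', 'dn_example_nonce' );

    $recipient = sanitize_email( wp_unslash( $_POST['dn_example_recipient'] ) );
    if ( ! is_email( $recipient ) ) {
        return;
    }
    update_option( 'dn_example_recipient', $recipient );
}
add_action( 'admin_init', 'dn_example_save_settings' );

// 5. The save_post hook the attack-surface section lists, wired to the
// hardened helpers above: notify the stored recipient when a draft is saved.
function dn_example_notify_on_draft( $post_id, $post ) {
    if ( 'draft' !== $post->post_status || wp_is_post_revision( $post_id ) ) {
        return;
    }
    $to = get_option( 'dn_example_recipient', '' );
    if ( ! is_email( $to ) ) {
        return;
    }
    $subject = sprintf( 'Draft saved: %s', wp_strip_all_tags( $post->post_title ) );
    $body    = sprintf(
        "Author: %s\nEdit: %s\n",
        dn_example_get_author_email( $post_id ),
        get_edit_post_link( $post_id, 'raw' )
    );
    wp_mail( $to, $subject, $body );
}
add_action( 'save_post', 'dn_example_notify_on_draft', 10, 2 );
```

The two halves of each pair are what a static scanner such as the one behind this report distinguishes: a call to `$wpdb->prepare()` counts the query as prepared, an `esc_*()` wrapper counts the output as escaped, and `current_user_can()` plus `check_admin_referer()` on the admin_init handler are the capability and nonce checks the report counts as zero.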
Vulnerabilities
1 published

Draft Notify Security Vulnerabilities

CVEs by Year

2025: 1 CVE · unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2025-67627 · medium (4.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Draft Notify <= 1.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Dec 21, 2025 · Unpatched
Version History

Draft Notify Release Timeline

v1.5 · 1 CVE
v1.0 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Draft Notify Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (0 prepared)
Unescaped Output: 14 (2 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

0% prepared · 3 total queries

Output Escaping

13% escaped · 16 total outputs
Attack Surface

Draft Notify Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 3
  • action · save_post · draft-notify.php:195
  • action · admin_menu · draft-notify.php:207
  • action · admin_init · draft-notify.php:211
Maintenance & Trust

Draft Notify Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.9.29
Last updated: Apr 5, 2018
PHP min version: not stated
Downloads: 5K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 100
Developer Profile

Draft Notify Developer Profile

TouchOfTech

1 plugin · 100 total installs

Trust score: 68
Avg Security Score
63/100
Avg Patch Time
30 days
Detection Fingerprints

How We Detect Draft Notify

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
