Elastic Email Sender Security & Risk Analysis

wordpress.org/plugins/elastic-email-sender

Reconfigures wp_mail() to send email using Elastic Email API instead of SMTP.

10K active installs · v1.2.22 · PHP 7.0+ · WP 5.0+ · Updated Dec 3, 2025
Tags: email-marketing, email-sender, mailer, transactional-email
98
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Oct 28, 2025
Safety Verdict

Is Elastic Email Sender Safe to Use in 2026?

Generally Safe

Score 98/100

Elastic Email Sender has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Oct 28, 2025 · Updated 4mo ago
Risk Assessment

The elastic-email-sender plugin exhibits a mixed security posture, with some positive indicators but notable areas of concern. The static analysis reveals a small attack surface with only two entry points, one of which lacks authentication checks. While the taint analysis shows no critical or high severity issues, the presence of two AJAX handlers, one unprotected, represents a significant potential weakness that could be exploited if input validation is insufficient. The vulnerability history, including two past medium-severity vulnerabilities related to missing authorization and cross-site scripting, suggests a recurring pattern of weaknesses in these areas. Although there are currently no unpatched vulnerabilities, the historical pattern is a strong indicator that similar issues could re-emerge. The plugin demonstrates good practices in output escaping and the use of prepared statements for SQL queries, which are strengths. However, the unprotected AJAX handler and the historical vulnerability types are substantial concerns that require attention.

Key Concerns

  • Unprotected AJAX handler
  • Past medium vulnerabilities (Missing Authorization)
  • Past medium vulnerabilities (XSS)
Vulnerabilities
2

Elastic Email Sender Security Vulnerabilities

CVEs by Year

1 CVE in 2023
1 CVE in 2025

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-66525 · medium · 4.3 · Missing Authorization

Elastic Email Sender <= 1.2.20 - Missing Authorization

Oct 28, 2025 Patched in 1.2.21 (45d)
CVE-2023-38387 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Elastic Email Sender <= 1.2.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jul 20, 2023 Patched in 1.2.7 (187d)
Code Analysis
Analyzed Mar 16, 2026

Elastic Email Sender Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 · 2 prepared
Unescaped Output: 10 · 73 escaped
Nonce Checks: 4
Capability Checks: 4
File Operations: 1
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

50% prepared · 4 total queries

Output Escaping

88% escaped · 83 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
show_reports (class\ees_admin.php:145)
Attack Surface
1 unprotected

Elastic Email Sender Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers 2

auth · wp_ajax_sender_send_test · elasticemailsender.php:49
auth · wp_ajax_clean_error_log · elasticemailsender.php:50
WordPress Hooks 8
action · init · class\ees_admin.php:26
action · init · class\ees_admin.php:27
action · admin_init · class\ees_admin.php:28
action · admin_menu · class\ees_admin.php:31
action · admin_enqueue_scripts · class\ees_admin.php:37
filter · pre_wp_mail · class\ees_mail.php:19
filter · pre_wp_mail · class\ees_mail.php:282
filter · retrieve_password_message · defaults\function.reset_pass.php:21
Maintenance & Trust

Elastic Email Sender Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 3, 2025
PHP min version: 7.0
Downloads: 285K

Community Trust

Rating: 96/100
Number of ratings: 10
Active installs: 10K
Developer Profile

Elastic Email Sender Developer Profile

Elastic Email

2 plugins · 10K total installs

Trust score: 66
Avg Security Score: 81/100
Avg Patch Time: 116 days
Detection Fingerprints

How We Detect Elastic Email Sender

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/elastic-email-sender/css/ees-bootstrap-grid.css
/wp-content/plugins/elastic-email-sender/css/ees-css.css
Version Parameters
elastic-email-sender/css/ees-bootstrap-grid.css?ver=
elastic-email-sender/css/ees-css.css?ver=

HTML / DOM Fingerprints

CSS Classes
eewp-evmab-frvvreewp-containeree-headeree-pagetitleee-pmargin-p-xssettings-box-form
HTML Comments
phpcs:ignore WordPress.Security.NonceVerification.Recommended -- settings-updated is added by WordPress Settings API after saving settings
Data Attributes
data-tab="main"
data-tab="api"
data-tab="woocommerce"
data-tab="settings"
data-tab="log"
data-tab="channels"
JS Globals
window.ees_wp_data
FAQ

Frequently Asked Questions about Elastic Email Sender