Does Email have any unpatched vulnerabilities?

No. All known vulnerabilities in Email have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Email compatible with WordPress 3.6.1?

According to WordPress.org data, Email 1.1.1 has been tested up to WordPress 3.6.1. Check the plugin's changelog for the latest compatibility information.

How often is Email updated?

Email was last updated on Jan 22, 2015. Frequent updates are generally a positive security signal.

What is Email's security score?

Email has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Email Security & Risk Analysis

wordpress.org/plugins/email

Email users with custom templates when certain actions happen, such as new posts or updated custom post types and keep a log of sent emails.

60 active installs v1.1.1 PHP + WP 3.5.2+ Updated Jan 22, 2015

e-mailemailmailwp-emailwp_mail

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is Email Safe to Use in 2026?

Generally Safe

Score 85/100

Email has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 11yr ago

Risk Assessment

The "email" plugin v1.1.1 presents a mixed security posture. On the positive side, it demonstrates good practices regarding SQL query handling, exclusively using prepared statements, and shows a high percentage of properly escaped output, which mitigates common injection and XSS vulnerabilities. The absence of known CVEs and a clean vulnerability history further suggests a generally secure development process.

However, significant concerns arise from the static analysis. The plugin exposes two AJAX handlers, both lacking authentication checks. This creates a substantial attack surface, allowing any authenticated user, potentially even those with lower privileges, to trigger these handlers. The taint analysis also identified one flow with unsanitized paths, which, despite not being classified as critical or high, still indicates a potential area for exploitation if malicious input can be controlled. The absence of nonce checks on these unprotected AJAX endpoints further exacerbates the risk, making them susceptible to Cross-Site Request Forgery (CSRF) attacks.

In conclusion, while the plugin excels in data handling and output escaping, the unprotected AJAX endpoints are a critical weakness. The vulnerability history being clear is positive but doesn't negate the immediate risks identified in the static analysis. The focus should be on securing these entry points to significantly improve the plugin's overall security.

Key Concerns

Unprotected AJAX handlers
Flow with unsanitized paths
Missing nonce checks on AJAX

Vulnerabilities

None known

Email Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Email Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

69 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

jQuery

Output Escaping

93% escaped74 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

2 flows1 with unsanitized paths

email_get_template (admin.php:565)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

2 unprotected

Email Attack Surface

Entry Points2

Unprotected2

AJAX Handlers 2

authwp_ajax_email_get_usersemail.php:26

authwp_ajax_email_get_templateemail.php:27

WordPress Hooks 5

actioninitemail.php:21

actiontransition_post_statusemail.php:22

actionadmin_heademail.php:23

actionadmin_menuemail.php:24

actionadmin_enqueue_scriptsemail.php:25

Maintenance & Trust

Email Maintenance & Trust

Maintenance Signals

WordPress version tested3.6.1

Last updatedJan 22, 2015

PHP min version

Downloads13K

Community Trust

Rating66/100

Number of ratings4

Active installs60

Alternatives

Email Alternatives

WP-EMail

wp-email

Allows people to recommend/send your WordPress blog's post/page to a friend.

2K 5 CVEs

ActiveCampaign Postmark for WordPress

postmark-approved-wordpress-plugin

The officially-supported ActiveCampaign Postmark plugin for Wordpress.

50K No CVEs

SMTP2GO for WordPress – Email Made Easy

smtp2go

Resolve email delivery issues, increase inbox placement, track sent email, get 24/7 support, and real-time reporting.

30K 2 CVEs

Change Mail Sender

cb-change-mail-sender

Easily change the default WordPress from email name and from email address.

20K No CVEs

Zoho Mail for WordPress

zoho-mail

100

Zoho Mail Plugin lets you configure your Zoho Mail account on your WordPress site enabling you to send the email via Zoho Mail API.

20K No CVEs

Developer Profile

Email Developer Profile

Patrick Daly

3 plugins · 970 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Email

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/email/assets/chosen/chosen.css/wp-content/plugins/email/assets/jquery-ui-1.9.2.custom.min.css/wp-content/plugins/email/assets/chosen/chosen.jquery.min.js/wp-content/plugins/email/assets/jquery.timepicker.js/wp-content/plugins/email/assets/app.js

Script Paths

/wp-content/plugins/email/assets/app.js

HTML / DOM Fingerprints

CSS Classes

chosen-select

Data Attributes

data-placeholder="Choose post types..."data-placeholder="Choose actions..."

FAQ