Email Templates Customizer and Designer for WordPress and WooCommerce Security & Risk Analysis

wordpress.org/plugins/email-templates

Design and send custom emails with Email Templates plugin for WordPress and WooCommerce

20K active installs · v1.5.11 · PHP 7.1+ · WP 4.8+ · Updated Feb 2, 2026

Tags: email, email-customizer, email-designer, email-templates, woocommerce-email

Score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Nov 3, 2023
Safety Verdict

Is Email Templates Customizer and Designer for WordPress and WooCommerce Safe to Use in 2026?

Generally Safe

Score 99/100

Email Templates Customizer and Designer for WordPress and WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Nov 3, 2023 · Updated 2mo ago
Risk Assessment

The "email-templates" plugin v1.5.11 presents a mixed security posture. While it demonstrates good practices in SQL query handling, output escaping, and a significant number of nonce checks, several areas raise concern. The presence of 6 AJAX handlers, with 4 lacking authentication checks, creates a substantial attack surface that could be exploited by unauthenticated users. Additionally, the use of dangerous functions like `unserialize` warrants careful scrutiny, as it can lead to code execution vulnerabilities if not handled with extreme care and proper sanitization. The plugin's vulnerability history, including a past high-severity vulnerability and a medium-severity one, along with the common types of past issues (CSRF and Injection), suggests a tendency for certain classes of vulnerabilities. While there are no currently unpatched CVEs, the history indicates that the plugin has been susceptible to exploitable flaws. Overall, the plugin has strengths in secure coding practices for certain aspects but weaknesses in access control for its AJAX endpoints and potential risks associated with `unserialize` and its past vulnerability patterns.

The taint analysis shows 2 flows with unsanitized paths, which, while not rated as critical or high, still represent potential avenues for injection attacks if the data flows are not properly validated and sanitized at their source. The limited number of these flows and the absence of critical/high severity taint issues are positive signs. However, the fact that these unsanitized paths exist within the analyzed flows is a definite risk. Coupled with the unprotected AJAX handlers, there's a clear potential for attackers to manipulate data inputs that are not adequately checked before being processed or used in sensitive operations, potentially leading to unintended consequences or exploits.

Key Concerns

  • 4 AJAX handlers without auth checks
  • Use of unserialize function
  • 2 flows with unsanitized paths
  • 1 high severity CVE in history
  • 1 medium severity CVE in history
  • Common vulnerability types: CSRF, Injection
Vulnerabilities (2)

Email Templates Customizer and Designer for WordPress and WooCommerce Security Vulnerabilities

CVEs by Year

  • 2019: 1 CVE
  • 2023: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 1

2 total CVEs

CVE-2022-47181 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Email Templates <= 1.4.2 - Cross-Site Request Forgery via send_test_email

Nov 3, 2023 · Patched in 1.4.3 (81d)

CVE-2019-25150 · high · 8.8 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Email Templates <= 1.3 - HTML Injection

Oct 25, 2019 · Patched in 1.3.1 (1551d)
Code Analysis (analyzed Mar 16, 2026)

Email Templates Customizer and Designer for WordPress and WooCommerce Code Analysis

  • Dangerous Functions: 6
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 119 (921 escaped)
  • Nonce Checks: 16
  • Capability Checks: 7
  • File Operations: 4
  • External Requests: 2
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize: `$data = unserialize( base64_decode( $raw ) );` (includes\class-mailtpl-woomail-import-export.php:192)
  • unserialize: `return @unserialize( $string2 );` (includes\class-mailtpl-woomail-import-export.php:258)
  • unserialize: `$data = @unserialize( $raw_data );` (includes\class-mailtpl-woomail-import-export.php:286)
  • unserialize: `$data = unserialize( base64_decode( $raw ) );` (includes\woocommerce-customizer\class-mailtpl-woomail-import-export.php:237)
  • unserialize: `return @unserialize( $string2 );` (includes\woocommerce-customizer\class-mailtpl-woomail-import-export.php:311)
  • unserialize: `$data = @unserialize( $raw_data );` (includes\woocommerce-customizer\class-mailtpl-woomail-import-export.php:348)

Output Escaping

89% escaped (1040 total outputs)

Data Flows (2 unsanitized)

Data Flow Analysis

10 flows, 2 with unsanitized paths

  • ajax_send_email (includes\class-mailtpl-woomail-customizer.php:1012)
Attack Surface (4 unprotected)

Email Templates Customizer and Designer for WordPress and WooCommerce Attack Surface

Entry Points: 7
Unprotected: 4

AJAX Handlers (6)

  • auth: wp_ajax_post_smtp_request (admin\post-smtp-notice\recommend-post-smtp-base.php:39)
  • nopriv: wp_ajax_post_smtp_request (admin\post-smtp-notice\recommend-post-smtp-base.php:40)
  • auth: wp_ajax_mailtpl_woomail_reset (includes\class-mailtpl-woomail-customizer.php:59)
  • auth: wp_ajax_mailtpl_woomail_send_email (includes\class-mailtpl-woomail-customizer.php:62)
  • auth: wp_ajax_mailtpl_send_email (includes\class-mailtpl.php:229)
  • auth: wp_ajax_mailtpl_woomail_send_email (includes\woocommerce-customizer\class-mailtpl-woomail-customizer.php:78)

REST API Routes (1)

  • POST /wp-json/recommend-post-smtp/request (admin\post-smtp-notice\recommend-post-smtp-admin-notice.php:161)
WordPress Hooks (102)

  • action: admin_init (admin\class-mailtpl-admin.php:51)
  • filter: edd_email_template (admin\class-mailtpl-admin.php:237)
  • action: admin_enqueue_scripts (admin\post-smtp-notice\recommend-post-smtp-admin-notice.php:52)
  • action: admin_head (admin\post-smtp-notice\recommend-post-smtp-admin-notice.php:53)
  • action: admin_post_hide-post-smtp-recommendation-notice (admin\post-smtp-notice\recommend-post-smtp-admin-notice.php:54)
  • action: rest_api_init (admin\post-smtp-notice\recommend-post-smtp-admin-notice.php:55)
  • action: rest_api_init (admin\post-smtp-notice\recommend-post-smtp-base.php:36)
  • action: admin_enqueue_scripts (admin\post-smtp-notice\recommend-post-smtp-base.php:43)
  • action: admin_head (admin\post-smtp-notice\recommend-post-smtp-base.php:44)
  • action: admin_menu (admin\post-smtp-notice\recommend-post-smtp-base.php:57)
  • action: admin_menu (admin\post-smtp-notice\recommend-post-smtp-base.php:61)
  • action: customize_register (admin\test.php:134)
  • action: wp_head (admin\test.php:137)
  • action: customize_preview_init (admin\test.php:140)
  • action: plugins_loaded (class-mailtpl-woomail-composer.php:50)
  • action: plugins_loaded (class-mailtpl-woomail-composer.php:51)
  • action: after_setup_theme (class-mailtpl-woomail-composer.php:91)
  • action: woocommerce_email_header (class-mailtpl-woomail-composer.php:104)
  • filter: woocommerce_locate_template (class-mailtpl-woomail-composer.php:105)
  • filter: woocommerce_email_format_string (class-mailtpl-woomail-composer.php:106)
  • action: mailtpl_woomailemail_details (class-mailtpl-woomail-composer.php:107)
  • action: mailtpl_woomailemail_text (class-mailtpl-woomail-composer.php:108)
  • action: mailtpl_woomailemail_footer (class-mailtpl-woomail-composer.php:109)
  • filter: woocommerce_email_order_items_args (class-mailtpl-woomail-composer.php:110)
  • filter: woocommerce_email_footer_text (class-mailtpl-woomail-composer.php:111)
  • filter: woocommerce_email_setup_locale (class-mailtpl-woomail-composer.php:112)
  • filter: woocommerce_email_restore_locale (class-mailtpl-woomail-composer.php:113)
  • filter: woocommerce_locate_template (class-mailtpl-woomail-composer.php:719)
  • filter: mailtpl_woomail_is_dedicated_for_woocommerce_active (email-templates.php:43)
  • action: customize_controls_print_styles (includes\class-mailtpl-customizer.php:53)
  • action: customize_controls_enqueue_scripts (includes\class-mailtpl-customizer.php:54)
  • filter: mailtpl_email_content (includes\class-mailtpl-mailer.php:72)
  • filter: mailtpl_email_content (includes\class-mailtpl-mailer.php:134)
  • filter: mailtpl_email_content (includes\class-mailtpl-mailer.php:135)
  • filter: mailtpl_email_content (includes\class-mailtpl-mailer.php:136)
  • action: init (includes\class-mailtpl-woomail-customizer.php:50)
  • action: customize_register (includes\class-mailtpl-woomail-customizer.php:53)
  • filter: woocommerce_email_styles (includes\class-mailtpl-woomail-customizer.php:56)
  • action: customize_register (includes\class-mailtpl-woomail-customizer.php:70)
  • filter: user_has_cap (includes\class-mailtpl-woomail-customizer.php:73)
  • filter: customize_loaded_components (includes\class-mailtpl-woomail-customizer.php:76)
  • filter: customize_section_active (includes\class-mailtpl-woomail-customizer.php:79)
  • filter: customize_control_active (includes\class-mailtpl-woomail-customizer.php:82)
  • filter: customize_controls_enqueue_scripts (includes\class-mailtpl-woomail-customizer.php:85)
  • filter: gettext (includes\class-mailtpl-woomail-customizer.php:88)
  • action: init (includes\class-mailtpl-woomail-customizer.php:91)
  • filter: wpm_customizer_url (includes\class-mailtpl-woomail-customizer.php:94)
  • action: woomail_footer (includes\class-mailtpl-woomail-customizer.php:97)
  • action: woomail_footer (includes\class-mailtpl-woomail-customizer.php:100)
  • action: customize_preview_init (includes\class-mailtpl-woomail-customizer.php:103)
  • filter: mailtpl_woomail_email_types (includes\class-mailtpl-woomail-customizer.php:123)
  • filter: mailtpl_woomail_email_type_class_name_array (includes\class-mailtpl-woomail-customizer.php:132)
  • filter: mailtpl_woomail_email_settings_default_values (includes\class-mailtpl-woomail-customizer.php:141)
  • filter: user_has_cap (includes\class-mailtpl-woomail-customizer.php:235)
  • action: customize_register (includes\class-mailtpl-woomail-import-export.php:76)
  • action: customize_controls_print_scripts (includes\class-mailtpl-woomail-import-export.php:77)
  • action: parse_request (includes\class-mailtpl-woomail-preview.php:185)
  • action: wp_footer (includes\class-mailtpl-woomail-preview.php:791)
  • filter: woocommerce_email_settings (includes\class-mailtpl-woomail-woo.php:48)
  • action: woocommerce_admin_field_mailtpl_woomail_open_customizer_button (includes\class-mailtpl-woomail-woo.php:51)
  • action: plugins_loaded (includes\class-mailtpl.php:186)
  • action: admin_menu (includes\class-mailtpl.php:203)
  • action: admin_menu (includes\class-mailtpl.php:204)
  • action: admin_enqueue_scripts (includes\class-mailtpl.php:205)
  • action: mailtpl_admin_pointers_plugins (includes\class-mailtpl.php:206)
  • action: mailtpl_admin_pointers_dashboard (includes\class-mailtpl.php:207)
  • filter: edd_email_templates (includes\class-mailtpl.php:209)
  • action: edd_email_send_before (includes\class-mailtpl.php:210)
  • action: woocommerce_email (includes\class-mailtpl.php:211)
  • filter: woocommerce_email_settings (includes\class-mailtpl.php:212)
  • action: customize_register (includes\class-mailtpl.php:217)
  • action: customize_section_active (includes\class-mailtpl.php:218)
  • action: customize_panel_active (includes\class-mailtpl.php:219)
  • action: template_include (includes\class-mailtpl.php:221)
  • action: woocommerce_email_header (includes\class-mailtpl.php:225)
  • filter: wp_mail (includes\class-mailtpl.php:228)
  • action: wp_mail_content_type (includes\class-mailtpl.php:230)
  • action: wp_mail_from_name (includes\class-mailtpl.php:231)
  • action: wp_mail_from (includes\class-mailtpl.php:232)
  • filter: mailtpl_email_content (includes\class-mailtpl.php:234)
  • filter: gform_html_message_template_pre_send_email (includes\class-mailtpl.php:236)
  • action: customize_controls_enqueue_scripts (includes\class-mailtpl.php:240)
  • action: customize_preview_init (includes\class-mailtpl.php:241)
  • action: init (includes\class-mailtpl.php:243)
  • action: init (includes\woocommerce-customizer\class-mailtpl-woomail-customizer.php:75)
  • filter: user_has_cap (includes\woocommerce-customizer\class-mailtpl-woomail-customizer.php:86)
  • filter: customize_loaded_components (includes\woocommerce-customizer\class-mailtpl-woomail-customizer.php:89)
  • filter: gettext (includes\woocommerce-customizer\class-mailtpl-woomail-customizer.php:92)
  • action: init (includes\woocommerce-customizer\class-mailtpl-woomail-customizer.php:95)
  • filter: wpm_customizer_url (includes\woocommerce-customizer\class-mailtpl-woomail-customizer.php:98)
  • action: woomail_footer (includes\woocommerce-customizer\class-mailtpl-woomail-customizer.php:101)
  • action: woomail_footer (includes\woocommerce-customizer\class-mailtpl-woomail-customizer.php:104)
  • action: customize_preview_init (includes\woocommerce-customizer\class-mailtpl-woomail-customizer.php:107)
  • filter: mailtpl_woomail_email_types (includes\woocommerce-customizer\class-mailtpl-woomail-customizer.php:127)
  • filter: mailtpl_woomail_email_type_class_name_array (includes\woocommerce-customizer\class-mailtpl-woomail-customizer.php:136)
  • filter: mailtpl_woomail_email_settings_default_values (includes\woocommerce-customizer\class-mailtpl-woomail-customizer.php:145)
  • filter: user_has_cap (includes\woocommerce-customizer\class-mailtpl-woomail-customizer.php:263)
  • action: customize_register (includes\woocommerce-customizer\class-mailtpl-woomail-import-export.php:100)
  • action: customize_controls_print_scripts (includes\woocommerce-customizer\class-mailtpl-woomail-import-export.php:101)
  • action: parse_request (includes\woocommerce-customizer\class-mailtpl-woomail-preview.php:227)
  • filter: woocommerce_email_settings (includes\woocommerce-customizer\class-mailtpl-woomail-woo.php:48)
  • action: woocommerce_admin_field_mailtpl_woomail_open_customizer_button (includes\woocommerce-customizer\class-mailtpl-woomail-woo.php:51)
Maintenance & Trust

Email Templates Customizer and Designer for WordPress and WooCommerce Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 2, 2026
  • PHP min version: 7.1
  • Downloads: 587K

Community Trust

  • Rating: 92/100
  • Number of ratings: 131
  • Active installs: 20K
Developer Profile

Email Templates Customizer and Designer for WordPress and WooCommerce Developer Profile

Saad Iqbal

84 plugins · 1.4M total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 287 days
Detection Fingerprints

How We Detect Email Templates Customizer and Designer for WordPress and WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/email-templates/admin/js/mailtpl-pointer.js

Version Parameters
  • email-templates/style.css?ver=
  • /wp-content/plugins/email-templates/admin/js/mailtpl-pointer.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • mailtpl_template_preview
  • mailtpl-colorpicker-wrap
  • mailtpl_editor_section
  • mailtpl-element-editor

HTML Comments
  • If you have the Post SMTP plugin installed and active, you can integrate with it.
  • We need to hook into edd_email_send_before to change get_template to 'none' before it sends so we don't loose formatting
  • We change edd_template as we are using an html template to avoid all the get_template_parts that are taken c

Data Attributes
  • data-mailtpl-element
  • data-mailtpl-field
  • data-mailtpl-template-id
  • data-mailtpl-field-type

JS Globals
  • mailtpl_pointer
  • mailtpl_editor_settings
  • mailtpl_template_preview_data
  • mailtpl_customizer_data

REST Endpoints
  • /wp-json/mailtpl/v1/templates
  • /wp-json/mailtpl/v1/save_template
FAQ

Frequently Asked Questions about Email Templates Customizer and Designer for WordPress and WooCommerce