Email Tracker Security & Risk Analysis

wordpress.org/plugins/email-tracker

Email tracking & email logging plugin. Track email opens, email clicks & email analytics for all WordPress emails, WooCommerce emails & SMTP emails.

800 active installs · v5.3.16 · PHP 7.2+ · WP 5.6.0+ · Updated Dec 11, 2025
Tags: email, email-analytics, email-log, email-tracking, emails
Score 96 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Oct 21, 2025
Safety Verdict

Is Email Tracker Safe to Use in 2026?

Generally Safe

Score 96/100

Email Tracker has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Oct 21, 2025 · Updated 3mo ago
Risk Assessment

The "email-tracker" plugin version 5.3.16 presents a mixed security posture. On the positive side, the static analysis reveals a very small attack surface with no unprotected entry points. The code demonstrates strong adherence to secure coding practices, with a high percentage of SQL queries using prepared statements and an overwhelming majority of output being properly escaped. Nonce and capability checks are present, further bolstering its defenses against common web vulnerabilities. Furthermore, the absence of direct external HTTP requests and taint analysis showing no unsanitized paths or critical/high severity flows are encouraging signs of robust security measures within the current codebase.

However, a significant concern arises from the plugin's vulnerability history. The three known medium-severity CVEs (SQL Injection, Cross-site Scripting, and CSRF) indicate past weaknesses that, while all patched in the provided data, point to potential recurring issues. The nature of these past vulnerabilities suggests that input validation and output sanitization, despite appearing strong in the current static analysis, were insufficient in previous versions and may require ongoing vigilance. The bundled Freemius library at version 1.0 also warrants attention, as outdated bundled libraries can introduce unpatched vulnerabilities if not regularly updated.

Key Concerns

  • Medium severity CVEs in history (3)
  • Bundled outdated library (Freemius v1.0)
Vulnerabilities (3)

Email Tracker Security Vulnerabilities

CVEs by Year

  • 2021: 2 CVEs
  • 2025: 1 CVE

Severity Breakdown

  • Medium: 3

3 total CVEs

CVE-2025-10047 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Email Tracker <= 5.3.15 - Authenticated (Admin+) SQL Injection

Oct 21, 2025 · Patched in 5.3.16 (52d)

WF-1dc733ec-6cc8-40fc-b4c4-1fad4bcd9f21-email-tracker · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Email Tracker – Email Tracking Plugin to track Emails for Open and Email Links Click (Compatible with WooCommerce) < 5.2.6 - Reflected Cross-Site Scripting

Nov 3, 2021 · Patched in 5.2.6 (811d)

CVE-2021-44777 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Email Tracker <= 5.2.6 - Cross-Site Request Forgery

Nov 1, 2021 · Patched in 5.2.7 (812d)
Code Analysis
Analyzed Mar 16, 2026

Email Tracker Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 9 (38 prepared)
  • Unescaped Output: 1 (41 escaped)
  • Nonce Checks: 4
  • Capability Checks: 3
  • File Operations: 2
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

81% prepared · 47 total queries

Output Escaping

98% escaped · 42 total outputs

Data Flows: All sanitized

Data Flow Analysis

2 flows
prepare_items (src\admin\email-list\class-table.php:323)
Attack Surface

Email Tracker Attack Surface

Entry Points: 1
Unprotected: 0

REST API Routes 1

GET · /wp-json/email-tracker/v1email/(?P<id>[\d]+) · src\admin\email-list\class-setup.php:156

WordPress Hooks 17

action · admin_init · email-tracker-main.php:31
action · after_uninstall · email-tracker-main.php:90
filter · wp_mail · email-tracker-main.php:160
filter · pre_wp_mail · email-tracker-main.php:200
filter · wp_mail_content_type · email-tracker-main.php:209
action · generate_rewrite_rules · email-tracker-main.php:228
filter · query_vars · email-tracker-main.php:236
action · parse_request · email-tracker-main.php:237
action · phpmailer_init · email-tracker-main.php:266
action · admin_menu · et-admin.php:25
action · admin_enqueue_scripts · et-admin.php:180
action · init · et-admin.php:195
action · init · src\admin\email-list\class-setup.php:27
action · admin_enqueue_scripts · src\admin\email-list\class-setup.php:28
action · rest_api_init · src\admin\email-list\class-setup.php:34
action · admin_menu · src\admin\email-list\class-setup.php:46
filter · set-screen-option · src\admin\email-list\class-setup.php:105
Maintenance & Trust

Email Tracker Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 11, 2025
PHP min version: 7.2
Downloads: 27K

Community Trust

Rating: 88/100
Number of ratings: 21
Active installs: 800
Developer Profile

Email Tracker Developer Profile

Prashant Baldha

7 plugins · 970 total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 558 days
Detection Fingerprints

How We Detect Email Tracker

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/email-tracker/src/assets/css/style.css
/wp-content/plugins/email-tracker/src/assets/js/email-tracker.js
Script Paths
/wp-content/plugins/email-tracker/src/assets/js/email-tracker.js
Version Parameters
email-tracker/src/assets/css/style.css?ver=
email-tracker/src/assets/js/email-tracker.js?ver=

HTML / DOM Fingerprints

HTML Comments
DO NOT REMOVE THIS IF, IT IS ESSENTIAL FOR THE `function_exists` CALL ABOVE TO PROPERLY WORK.
Data Attributes
data-email-tracker-id
JS Globals
emailTracker
FAQ

Frequently Asked Questions about Email Tracker