EmailKit – Email Customizer for WooCommerce & WP Security & Risk Analysis

wordpress.org/plugins/emailkit

EmailKit is a powerful WordPress and WooCommerce email customizer tool, free for everyone! It allows users to customize and design templates that show …

70K active installs v1.6.3 PHP 7.4+ WP 5.0+ Updated Feb 9, 2026
Tags: email-template · woocommerce-email-customizer · woocommerce-email-template-customizer · wordpress-email-builder · wordpress-email-customizer
Score: 96 · Grade: A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Feb 17, 2026
Safety Verdict

Is EmailKit – Email Customizer for WooCommerce & WP Safe to Use in 2026?

Generally Safe

Score 96/100

EmailKit – Email Customizer for WooCommerce & WP has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Feb 17, 2026 · Updated 1mo ago
Risk Assessment

Static analysis of "emailkit" v1.6.3 shows a mixed picture. On the positive side the plugin issues no raw SQL at all (0 raw queries, so there is no injection sink to protect), calls no dangerous functions, and escapes 92% of its 660 output points (604 escaped, 56 unescaped). The concern is the attack surface: of 17 entry points (7 admin-ajax handlers and 10 REST routes under /wp-json/emailkit/v1/), 9 are flagged as unprotected, meaning AJAX handlers with no detected authorization check and REST routes registered without a permission callback; the listing below does not say which nine. A REST route registered without a permission_callback is served to unauthenticated callers. The AJAX handlers are all registered on wp_ajax_ (login required) rather than wp_ajax_nopriv_, so they need an account, but any account, including a Subscriber, reaches them unless the handler checks a capability itself. The scan produced no taint-analysis findings, which means no direct source-to-sink path was confirmed; it does not rule out authorization bugs, which taint analysis does not look for.

The vulnerability history matches those weaknesses. All three CVEs are medium severity, and two are Missing Authorization bugs reachable from low-privilege accounts: Subscriber+ arbitrary post title modification (CVE-2026-1925) and Author+ arbitrary content deletion (CVE-2025-60106). The third, CVE-2025-14059, is an Author+ arbitrary file read via path traversal (External Control of File Name or Path). All three are patched, in 1.6.1, 1.6.2 and 1.6.3 respectively, each within days of disclosure, and no CVE was open at the time of analysis.

In sum, a site on 1.6.3 has no known open vulnerability and the patch turnaround for this plugin has been fast. The residual risk is the nine flagged entry points together with the plugin's track record of missing authorization checks, which makes another bug of the same class plausible. Practical steps: keep the plugin at 1.6.3 or later; treat any site that lets untrusted users register (a WooCommerce shop with customer accounts is the usual case) as exposed to exactly the Subscriber+/Author+ bug class seen here; and when auditing, exercise the flagged REST routes from an unauthenticated session and the AJAX handlers from a Subscriber account to confirm what each returns.

Key Concerns

  • Unprotected AJAX handlers
  • REST API routes without permission callbacks
  • Vulnerability history (3 medium CVEs)
  • Bundled libraries (Select2 - potential for unpatched issues)
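The unprotected-entry-point pattern behind the concerns above, and behind the Missing Authorization and path-traversal CVEs listed on this page, shown in PHP next to the hardened form. This is an added illustration written for this page, not EmailKit's code: the route, handler, nonce and post-type names (demo/v1, demo_update_template, demo_template_nonce, demo_template) are hypothetical, and the snippet assumes it is loaded inside WordPress (for example as an mu-plugin) so that register_rest_route, current_user_can and the other WP functions exist.

```php
<?php
// Added illustration, not EmailKit's own code. Shows the two entry-point
// patterns the static analysis flags (a REST route registered without a
// permission_callback, and an admin-ajax handler with no capability check)
// beside hardened versions, plus a path-containment check of the kind that
// closes a "controlled file name" bug. All route, handler and option names
// below are hypothetical.

// --- Vulnerable: no permission_callback. WordPress 5.5+ logs a
// _doing_it_wrong() notice but still registers the route, and it is served
// to anyone, logged in or not.
function demo_register_open_route() {
    register_rest_route( 'demo/v1', '/template-data', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'demo_template_data',
    ) );
}

// --- Hardened: require a capability, validate the argument, and scope the
// lookup to the plugin's own post type.
function demo_register_guarded_route() {
    register_rest_route( 'demo/v1', '/template-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'demo_template_data',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'post_id' => array(
                'required'          => true,
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return get_post_type( (int) $value ) === 'demo_template';
                },
            ),
        ),
    ) );
}

function demo_template_data( WP_REST_Request $request ) {
    $post_id = (int) $request['post_id'];
    return rest_ensure_response( array( 'title' => get_the_title( $post_id ) ) );
}

// --- admin-ajax: "auth" (wp_ajax_*) only means the caller is logged in. A
// Subscriber reaches it, so the handler itself must verify a nonce (CSRF)
// and a capability (authorization) before touching data.
add_action( 'wp_ajax_demo_update_template', 'demo_update_template' );
function demo_update_template() {
    check_ajax_referer( 'demo_template_nonce', 'nonce' ); // dies on a missing or bad nonce
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! current_user_can( 'edit_post', $post_id ) ) {   // per-object check, not just "is logged in"
        wp_send_json_error( 'forbidden', 403 );
    }
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    wp_update_post( array( 'ID' => $post_id, 'post_title' => $title ) );
    wp_send_json_success();
}

// --- File read: reject anything that resolves outside the allowed directory.
// realpath() canonicalises first, so "../" segments, absolute paths and
// symlink escapes are all caught by the single prefix comparison.
function demo_read_template_file( string $requested, string $base_dir ) {
    $base = realpath( $base_dir );
    $path = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $requested, '/\\' ) );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'invalid_path', 'Path escapes the template directory.' );
    }
    return file_get_contents( $path );
}
```

Two points to carry over when reviewing the flagged routes. Since WordPress 5.5 a register_rest_route() call without permission_callback only logs a notice; the route is still registered and is served to anonymous callers. For admin-ajax, the auth marker in the listing only records that the hook is wp_ajax_ rather than wp_ajax_nopriv_, so the authorization decision has to be made inside the handler, which is exactly where the two Missing Authorization CVEs on this page were missing it.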
Vulnerabilities (3)

EmailKit – Email Customizer for WooCommerce & WP Security Vulnerabilities

CVEs by Year

2025: 1 CVE
2026: 2 CVEs

Severity Breakdown

Medium: 3 (3 total CVEs)

CVE-2026-1925 · medium · CVSS 4.3 · Missing Authorization

EmailKit – Email Customizer for WooCommerce & WP <= 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Title Modification

Published Feb 17, 2026 · Patched in 1.6.3 (1d)

CVE-2025-14059 · medium · CVSS 6.5 · External Control of File Name or Path

EmailKit <= 1.6.1 - Authenticated (Author+) Arbitrary File Read via Path Traversal

Published Jan 6, 2026 · Patched in 1.6.2 (1d)

CVE-2025-60106 · medium · CVSS 4.3 · Missing Authorization

EmailKit <= 1.6.0 - Missing Authorization to Authenticated (Author+) Arbitrary Content Deletion

Published Sep 26, 2025 · Patched in 1.6.1 (13d)
Code Analysis
Analyzed Mar 16, 2026

EmailKit – Email Customizer for WooCommerce & WP Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 56 (604 escaped)
Nonce Checks: 22
Capability Checks: 20
File Operations: 5
External Requests: 3
Bundled Libraries: 1

Bundled Libraries

Select2

Output Escaping

92% escaped (660 total outputs)
Attack Surface
9 unprotected

EmailKit – Email Customizer for WooCommerce & WP Attack Surface

Entry Points: 17
Unprotected: 9

AJAX Handlers 7

auth  wp_ajax_emailkit_get_email_template_type  includes\Admin\EmailKitAjax.php:14
auth  wp_ajax_emailkit_template_data  includes\Admin\EmailKitAjax.php:15
auth  wp_ajax_emailkit_update_template_data  includes\Admin\EmailKitAjax.php:16
auth  wp_ajax_emailkit_filter_save_as_template  includes\Admin\EmailKitAjax.php:17
auth  wp_ajax_emailkit-notices  includes\Admin\Emails\Helpers\Notice\Notice.php:18
auth  wp_ajax_emailkit_admin_action  Promotional\Onboard\Classes\Ajax.php:14
auth  wp_ajax_emailkit_copy_paste_action  Promotional\Onboard\Classes\Ajax.php:15

REST API Routes 10

GET   /wp-json/emailkit/v1  check-template  includes\Admin\Api\CheckForm.php:16
POST  /wp-json/emailkit/v1  create-template  includes\Admin\Api\CheckForm.php:25
GET   /wp-json/emailkit/v1  fetch-data  includes\Admin\Api\FetchData.php:20
GET   /wp-json/emailkit/v1  last-order-item  includes\Admin\Api\OrderItem.php:16
GET   /wp-json/emailkit/v1  order-data  includes\Admin\Api\ShortCodeData.php:23
GET   /wp-json/emailkit/v1  template-data  includes\Admin\Api\TemplateData.php:16
POST  /wp-json/emailkit/v1  template-status  includes\Admin\Api\TemplateStatus.php:12
GET   /wp-json/emailkit/v1  template-types-data/(?P<template_type>\w+)  includes\Admin\Api\TemplateTypesData.php:18
GET   /wp-json/emailkit/v1  send-test-email  includes\Admin\Api\TestEmail.php:15
GET   /wp-json/emailkit/v1  /update-data(?P<post_id>\d+)  includes\Admin\Api\UpdateData.php:21
WordPress Hooks 94

action  plugins_loaded  EmailKit.php:42
action  admin_enqueue_scripts  EmailKit.php:43
action  rest_api_init  includes\Admin\Api\CheckForm.php:14
action  rest_api_init  includes\Admin\Api\FetchData.php:19
action  rest_api_init  includes\Admin\Api\OrderItem.php:15
action  rest_api_init  includes\Admin\Api\ShortCodeData.php:22
action  rest_api_init  includes\Admin\Api\TemplateData.php:15
action  rest_api_init  includes\Admin\Api\TemplateStatus.php:11
action  rest_api_init  includes\Admin\Api\TemplateTypesData.php:17
action  rest_api_init  includes\Admin\Api\TestEmail.php:14
action  rest_api_init  includes\Admin\Api\UpdateData.php:20
action  before_emailkit_asset_load  includes\Admin\AssetConflictManager.php:19
action  init  includes\Admin\AssetsLoader.php:13
action  admin_enqueue_scripts  includes\Admin\AssetsLoader.php:14
action  init  includes\Admin\CPT.php:12
action  init  includes\Admin\CPT.php:13
action  admin_menu  includes\Admin\CPT.php:14
filter  wp_untrash_post_status  includes\Admin\CPT.php:15
action  init  includes\Admin\EmailKitEditor\EmailKitEditorInit.php:30
action  wp_loaded  includes\Admin\EmailKitEditor\EmailKitEditorInit.php:39
filter  emailkit_shortcode_filter  includes\Admin\EmailKitHooks.php:12
action  phpmailer_init  includes\Admin\Emails\EmailConfig.php:11
action  admin_footer  includes\Admin\Emails\Helpers\Notice\Notice.php:17
action  woocommerce_email  includes\Admin\Emails\Woocommerce\BackOrder.php:33
filter  woocommerce_product_on_backorder_notification  includes\Admin\Emails\Woocommerce\BackOrder.php:36
action  woocommerce_email  includes\Admin\Emails\Woocommerce\CancelledOrder.php:34
filter  woocommerce_order_status_processing_to_cancelled_notification  includes\Admin\Emails\Woocommerce\CancelledOrder.php:37
filter  woocommerce_order_status_on-hold_to_cancelled_notification  includes\Admin\Emails\Woocommerce\CancelledOrder.php:38
action  woocommerce_email  includes\Admin\Emails\Woocommerce\CompletedOrder.php:36
filter  woocommerce_order_status_completed_notification  includes\Admin\Emails\Woocommerce\CompletedOrder.php:39
action  woocommerce_email  includes\Admin\Emails\Woocommerce\CustomerNote.php:36
filter  woocommerce_new_customer_note_notification  includes\Admin\Emails\Woocommerce\CustomerNote.php:39
action  woocommerce_email  includes\Admin\Emails\Woocommerce\FailedOrder.php:38
filter  woocommerce_order_status_pending_to_failed_notification  includes\Admin\Emails\Woocommerce\FailedOrder.php:41
filter  woocommerce_order_status_on-hold_to_failed_notification  includes\Admin\Emails\Woocommerce\FailedOrder.php:42
action  woocommerce_email  includes\Admin\Emails\Woocommerce\FailedOrderCustomer.php:36
filter  woocommerce_order_status_failed_notification  includes\Admin\Emails\Woocommerce\FailedOrderCustomer.php:39
action  woocommerce_email  includes\Admin\Emails\Woocommerce\InvoiceOrder.php:37
filter  woocommerce_email_recipient_customer_invoice  includes\Admin\Emails\Woocommerce\InvoiceOrder.php:40
action  woocommerce_email  includes\Admin\Emails\Woocommerce\LowStock.php:35
filter  woocommerce_low_stock_notification  includes\Admin\Emails\Woocommerce\LowStock.php:38
filter  woocommerce_email_enabled_customer_new_account  includes\Admin\Emails\Woocommerce\NewAccount.php:45
filter  woocommerce_created_customer_notification  includes\Admin\Emails\Woocommerce\NewAccount.php:48
action  woocommerce_email  includes\Admin\Emails\Woocommerce\NewOrder.php:35
filter  woocommerce_order_status_pending_to_processing_notification  includes\Admin\Emails\Woocommerce\NewOrder.php:38
filter  woocommerce_order_status_pending_to_on-hold_notification  includes\Admin\Emails\Woocommerce\NewOrder.php:39
action  woocommerce_email  includes\Admin\Emails\Woocommerce\NoStock.php:35
filter  woocommerce_no_stock_notification  includes\Admin\Emails\Woocommerce\NoStock.php:38
action  woocommerce_email  includes\Admin\Emails\Woocommerce\OrderOnHold.php:35
filter  woocommerce_order_status_pending_to_on-hold_notification  includes\Admin\Emails\Woocommerce\OrderOnHold.php:39
filter  woocommerce_order_status_failed_to_on-hold_notification  includes\Admin\Emails\Woocommerce\OrderOnHold.php:40
filter  woocommerce_order_status_cancelled_to_on-hold_notification  includes\Admin\Emails\Woocommerce\OrderOnHold.php:41
action  woocommerce_email  includes\Admin\Emails\Woocommerce\PartialRefund.php:41
filter  woocommerce_order_partially_refunded  includes\Admin\Emails\Woocommerce\PartialRefund.php:44
action  woocommerce_email  includes\Admin\Emails\Woocommerce\ProcessingOrder.php:36
filter  woocommerce_order_status_pending_to_processing_notification  includes\Admin\Emails\Woocommerce\ProcessingOrder.php:39
filter  woocommerce_order_status_cancelled_to_processing_notification  includes\Admin\Emails\Woocommerce\ProcessingOrder.php:40
filter  woocommerce_order_status_failed_to_processing_notification  includes\Admin\Emails\Woocommerce\ProcessingOrder.php:41
filter  woocommerce_order_status_on-hold_to_processing_notification  includes\Admin\Emails\Woocommerce\ProcessingOrder.php:42
action  woocommerce_email  includes\Admin\Emails\Woocommerce\RefundOrder.php:36
filter  woocommerce_order_status_refunded  includes\Admin\Emails\Woocommerce\RefundOrder.php:40
action  woocommerce_email  includes\Admin\Emails\Woocommerce\ResetPassword.php:41
filter  woocommerce_reset_password_notification  includes\Admin\Emails\Woocommerce\ResetPassword.php:44
filter  wp_new_user_notification_email  includes\Admin\Emails\WordPress\NewUserRegister.php:34
filter  retrieve_password_message  includes\Admin\Emails\WordPress\ResetAccount.php:33
action  after_confirmation_mail_to_user_switch  includes\Admin\EmailSettings\MetformEmailSettings.php:17
action  admin_enqueue_scripts  includes\Admin\EmailSettings\MetformEmailSettings.php:18
filter  metform_confirmation_user_email_body  includes\Admin\EmailSettings\MetformEmailSettings.php:19
filter  metform_confirmation_user_email_body  includes\Admin\EmailSettings\MetformShortcodes.php:31
filter  woocommerce_email_setting_columns  includes\Admin\EmailSettings\WcEmailSettings.php:16
action  woocommerce_email_setting_column_template  includes\Admin\EmailSettings\WcEmailSettings.php:17
action  admin_enqueue_scripts  includes\Admin\EmailSettings\WcEmailSettings.php:18
filter  manage_emailkit_posts_columns  includes\Admin\Hooks.php:14
action  manage_emailkit_posts_custom_column  includes\Admin\Hooks.php:15
action  admin_init  includes\Admin\Hooks.php:16
action  admin_footer  includes\Admin\Hooks.php:17
filter  emailkit_shortcode_filter  includes\Admin\Hooks.php:18
filter  post_row_actions  includes\Admin\Hooks.php:19
filter  emailkit_shortcode_filter  includes\Admin\Hooks.php:20
action  add_meta_boxes  includes\Admin\MetaBox.php:36
action  save_post  includes\Admin\MetaBox.php:37
action  init  includes\Admin\MetaField\StyleLoad.php:16
action  wp_enqueue_scripts  includes\Admin\MetaField\StyleLoad.php:17
action  wp_print_styles  includes\Admin\MetaField\StyleLoad.php:107
action  wp_print_styles  includes\Admin\MetaField\StyleLoad.php:122
action  admin_menu  includes\Admin.php:25
action  admin_menu  includes\Admin.php:26
action  admin_head  Promotional\MetformPromoBanner\MetformPromoBanner.php:84
action  admin_enqueue_scripts  Promotional\Onboard\Attr.php:28
action  emailkit/admin/after_save  Promotional\Onboard\Onboard.php:54
filter  plugin_row_meta  Promotional\ProAwareness\ProAwareness.php:462
action  admin_head  Promotional\ProAwareness\ProAwareness.php:472
action  admin_menu  Promotional\ProAwareness\ProAwareness.php:476
action  emailkit-settings  Promotional\Promotional.php:252
Maintenance & Trust

EmailKit – Email Customizer for WooCommerce & WP Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 9, 2026
PHP min version: 7.4
Downloads: 327K

Community Trust

Rating: 92/100
Number of ratings: 11
Active installs: 70K
Developer Profile

EmailKit – Email Customizer for WooCommerce & WP Developer Profile

Roxnor

15 plugins · 3.0M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 118 days
View full developer profile
Detection Fingerprints

How We Detect EmailKit – Email Customizer for WooCommerce & WP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/emailkit/assets/admin/css/emailkit-global.css
/wp-content/plugins/emailkit/assets/admin/js/Status.js
/wp-content/plugins/emailkit/assets/admin/css/status.css
/wp-content/plugins/emailkit/assets/admin/css/popup.css
/wp-content/plugins/emailkit/assets/admin/js/popup.js
/wp-content/plugins/emailkit/assets/admin/css/ui.min.css
/wp-content/plugins/emailkit/assets/admin/js/ui.min.js
/wp-content/plugins/emailkit/assets/admin/css/select2.min.css
+3 more
Script Paths
/wp-content/plugins/emailkit/assets/admin/js/Status.js
/wp-content/plugins/emailkit/assets/admin/js/popup.js
/wp-content/plugins/emailkit/assets/admin/js/ui.min.js
/wp-content/plugins/emailkit/assets/admin/js/select2.min.js
/wp-content/plugins/emailkit/assets/admin/EmailSettings/MFintegration.js
Version Parameters
emailkit/assets/admin/css/emailkit-global.css?ver=
emailkit/assets/admin/js/Status.js?ver=
emailkit/assets/admin/css/status.css?ver=
emailkit/assets/admin/css/popup.css?ver=
emailkit/assets/admin/js/popup.js?ver=
emailkit/assets/admin/css/ui.min.css?ver=
emailkit/assets/admin/js/ui.min.js?ver=
emailkit/assets/admin/css/select2.min.css?ver=
emailkit/assets/admin/js/select2.min.js?ver=
emailkit/assets/admin/css/pro-popup.css?ver=
emailkit/assets/admin/EmailSettings/MFintegration.js?ver=

HTML / DOM Fingerprints

JS Globals
window.emailkit
window.metform
REST Endpoints
/wp-json/emailkit/v1/
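A fingerprint check built from the patterns above, as an added example that is not this site's own detection tooling. It scans a page's HTML for the EmailKit asset paths, the ?ver= parameter and the window.emailkit global, then compares the version it recovers with the fix versions of the three CVEs listed on this page. Two assumptions: the ?ver= value on EmailKit's assets carries the plugin version (a WordPress enqueue can carry the core version or nothing at all, so a missing value is reported as unknown rather than guessed), and the sample HTML at the bottom is constructed for the example, not captured from a real site.

```php
<?php
// Added illustration, not the page's own tooling. Detects EmailKit from a
// page's HTML using the fingerprints listed above and maps the observed
// version to the CVEs on this page. Run with: php detect_emailkit.php

// Fix versions from the three CVE entries on this page.
const EMAILKIT_FIXED_IN = array(
    'CVE-2025-60106' => '1.6.1', // Author+ arbitrary content deletion
    'CVE-2025-14059' => '1.6.2', // Author+ arbitrary file read via path traversal
    'CVE-2026-1925'  => '1.6.3', // Subscriber+ arbitrary post title modification
);

function emailkit_fingerprint( string $html ): array {
    $result = array( 'present' => false, 'assets' => array(), 'version' => null, 'js_global' => false );

    // Asset paths under /wp-content/plugins/emailkit/assets/, with the
    // optional ?ver= query captured as the candidate plugin version.
    if ( preg_match_all( '#/wp-content/plugins/emailkit/assets/[^"\'\s?]+(?:\?ver=([0-9][0-9.]*))?#', $html, $m, PREG_SET_ORDER ) ) {
        $result['present'] = true;
        foreach ( $m as $hit ) {
            $result['assets'][] = $hit[0];
            if ( ! empty( $hit[1] ) && null === $result['version'] ) {
                $result['version'] = $hit[1]; // assumption: ?ver= is the plugin version
            }
        }
    }
    // The JS global the plugin's admin pages expose.
    if ( preg_match( '/\bwindow\.emailkit\b/', $html ) ) {
        $result['present']   = true;
        $result['js_global'] = true;
    }
    return $result;
}

// CVEs whose fix version is newer than the observed one. With no readable
// version (cache plugins strip ?ver=, or it holds the core version) the
// answer is "unknown", not "none".
function emailkit_unfixed_cves( ?string $version ): array {
    if ( null === $version ) {
        return array( 'unknown' );
    }
    $open = array();
    foreach ( EMAILKIT_FIXED_IN as $cve => $fixed ) {
        if ( version_compare( $version, $fixed, '<' ) ) {
            $open[] = $cve;
        }
    }
    return $open;
}

// Constructed sample page (not captured from a real site).
$sample = <<<'HTML'
<link rel="stylesheet" href="https://shop.example/wp-content/plugins/emailkit/assets/admin/css/emailkit-global.css?ver=1.6.1" />
<script src="https://shop.example/wp-content/plugins/emailkit/assets/admin/js/select2.min.js?ver=1.6.1"></script>
<script>window.emailkit = {"rest": "https://shop.example/wp-json/emailkit/v1/"};</script>
HTML;

$fp = emailkit_fingerprint( $sample );
printf( "present=%s version=%s assets=%d js_global=%s\n",
    $fp['present'] ? 'yes' : 'no',
    $fp['version'] ?? 'unknown',
    count( $fp['assets'] ),
    $fp['js_global'] ? 'yes' : 'no'
);
echo 'unfixed: ' . implode( ', ', emailkit_unfixed_cves( $fp['version'] ) ) . "\n";
```

The script works on HTML you already have (a saved page, a crawler's response body) and makes no requests itself. On a live site the same fingerprints are usually visible on the wp-admin pages rather than the public front end, since every listed asset lives under assets/admin/; the one public signal is the REST namespace, which an unauthenticated GET to /wp-json/emailkit/v1/ will list on any site that has not disabled the REST API index.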
FAQ

Frequently Asked Questions about EmailKit – Email Customizer for WooCommerce & WP