WP-Safety

Virfice – Self-hosted Email Marketing for WordPress, Newsletter, WooCommerce Emails, Automation, and More Security & Risk Analysis

wordpress.org/plugins/emails-for-woocommerce

Design emails, send targeted campaigns, automate workflows, and manage WordPress system & WooCommerce emails — all directly from your dashboard.

60 active installs v1.2.0 PHP 7.2+ WP 5.2+ Updated Mar 8, 2026
campaignsemail-marketingnewsletterwoocommerce-emailwordpress-email
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is Virfice – Self-hosted Email Marketing for WordPress, Newsletter, WooCommerce Emails, Automation, and More Safe to Use in 2026?

Generally Safe

Score 100/100

Virfice – Self-hosted Email Marketing for WordPress, Newsletter, WooCommerce Emails, Automation, and More has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 27d ago
Risk Assessment

The 'emails-for-woocommerce' plugin v1.2.1 exhibits a mixed security posture. While the absence of known CVEs and a low percentage of raw SQL queries are positive indicators, significant concerns arise from its attack surface and taint analysis. The presence of unprotected AJAX handlers and REST API routes presents a substantial risk for unauthorized actions or data manipulation. Specifically, four out of six total entry points lack proper authentication or permission checks, making them prime targets for exploitation.

Taint analysis reveals two high-severity flows with unsanitized paths, indicating potential vulnerabilities where user-supplied data could be used maliciously without proper validation or sanitization. These flows, coupled with the unprotected entry points, suggest a risk of code injection or data compromise. The plugin's vulnerability history is clean, which is a positive sign, but it cannot offset the immediate risks identified in the static and taint analysis. Therefore, while the plugin has some good security practices like prepared statements and decent output escaping, the unprotected entry points and high-severity taint flows necessitate immediate attention.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • High severity taint flows
  • Large attack surface without auth
Vulnerabilities
None known

Virfice – Self-hosted Email Marketing for WordPress, Newsletter, WooCommerce Emails, Automation, and More Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Virfice – Self-hosted Email Marketing for WordPress, Newsletter, WooCommerce Emails, Automation, and More Code Analysis

Dangerous Functions
0
Raw SQL Queries
8
58 prepared
Unescaped Output
27
161 escaped
Nonce Checks
7
Capability Checks
10
File Operations
1
External Requests
0
Bundled Libraries
0

SQL Query Safety

88% prepared66 total queries

Output Escaping

86% escaped188 total outputs
Data Flows
5 unsanitized

Data Flow Analysis

9 flows5 with unsanitized paths
save_settings (src\API\Settings.php:166)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
4 unprotected

Virfice – Self-hosted Email Marketing for WordPress, Newsletter, WooCommerce Emails, Automation, and More Attack Surface

Entry Points6
Unprotected4

AJAX Handlers 2

authwp_ajax_virfice_dismiss_noticesrc\AdminNotice.php:25
authwp_ajax_virfice_save_feedbacksrc\UninstallHook.php:31

REST API Routes 3

GET/wp-json/email-tracker/v1/opensrc\API\TrackingEmail.php:26
GET/wp-json/email-tracker/v1/clicksrc\API\TrackingEmail.php:32
GET/wp-json/email-tracker/v1/unsubscribesrc\API\TrackingEmail.php:38

Shortcodes 1

[virfice_form] src\Campaign\Form.php:254
WordPress Hooks 32
actionadmin_noticessrc\AdminNotice.php:23
actionadmin_footersrc\AdminNotice.php:24
actionrest_api_initsrc\API\API.php:22
actionrest_api_initsrc\API\TrackingEmail.php:18
actionwpsrc\Campaign\Form.php:30
filtercron_schedulessrc\Cron.php:28
actionphpmailer_initsrc\CustomSMTP.php:21
actionadmin_menusrc\Dashboard.php:24
actionadmin_enqueue_scriptssrc\Dashboard.php:30
actionadmin_print_stylessrc\Dashboard.php:31
actionadmin_headsrc\Dashboard.php:35
actionadmin_footersrc\Dashboard.php:36
actioninitsrc\InitTask.php:29
actionadmin_enqueue_scriptssrc\UninstallHook.php:20
filterwoocommerce_email_setting_columnssrc\WooEmailEditWithButton.php:21
actionwoocommerce_email_setting_column_previewsrc\WooEmailEditWithButton.php:22
actionadmin_enqueue_scriptssrc\WooEmailEditWithButton.php:25
actioninitsrc\WooEmailHooks.php:25
filterwp_new_user_notification_emailsrc\WooEmailHooks.php:28
filterwoocommerce_email_customer_new_accountsrc\WooEmailHooks.php:31
filterretrieve_password_messagesrc\WooEmailHooks.php:34
filterretrieve_password_titlesrc\WooEmailHooks.php:35
filterwoocommerce_email_headerssrc\WooEmailHooks.php:38
filterwoocommerce_email_footer_textsrc\WooEmailHooks.php:39
filterwp_mail_content_typesrc\WooEmailHooks.php:41
filterwoocommerce_locate_templatesrc\WooEmailHooks.php:88
actioninitsrc\WooEmailPreview\Route.php:25
actioninitsrc\WooEmailPreview\Route.php:26
filterwoocommerce_email_footer_textsrc\WooEmailPreview\WooEmailPreview.php:68
filterwoocommerce_new_order_email_allows_resendsrc\WooEmailPreview\WooEmailPreview.php:191
filterwp_new_user_notification_emailsrc\WordpressEmailHook.php:23
filterretrieve_password_notification_emailsrc\WordpressEmailHook.php:25
Maintenance & Trust

Virfice – Self-hosted Email Marketing for WordPress, Newsletter, WooCommerce Emails, Automation, and More Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 8, 2026
PHP min version7.2
Downloads3K

Community Trust

Rating100/100
Number of ratings4
Active installs60
Alternatives

Virfice – Self-hosted Email Marketing for WordPress, Newsletter, WooCommerce Emails, Automation, and More Alternatives

MailPoet – Newsletters, Email Marketing, and Automation

MailPoet – Newsletters, Email Marketing, and Automation

mailpoet

A
98

Send beautiful newsletters from WordPress. Collect subscribers with signup forms, automate your emails for WooCommerce, blog post notifications & more

500K 3 CVEs
weMail: Email Marketing, Email Automation, Newsletters, Subscribers & eCommerce Email Optins

weMail: Email Marketing, Email Automation, Newsletters, Subscribers & eCommerce Email Optins

wemail

A
95

Send email newsletters, automate email marketing with email automation, manage subscribers, eCommerce emails, post notifications & optins with ease

10K 6 CVEs
Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more

Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more

mail-mint

A
92

Use Mail Mint, the easiest email marketing automation plugin in WordPress to generate leads, send email campaigns, and run email automation workflows.

6K 8 CVEs
Email Marketing for WordPress and WooCommerce – Retainful

Email Marketing for WordPress and WooCommerce – Retainful

retainful

A
100

Email marketing, newsletters for WordPress and WooCommerce. Send newsletters and campaigns, recover abandoned carts, signup forms, and more

60 No CVEs
Bens Email Marketing & Automation

Bens Email Marketing & Automation

bens-email-marketing-automation

A
100

Fast and simple Email Marketing, Newsletters, Automation & CRM for WordPress.

0 No CVEs
Developer Profile

Virfice – Self-hosted Email Marketing for WordPress, Newsletter, WooCommerce Emails, Automation, and More Developer Profile

Virfice

2 plugins · 70 total installs

91
trust score
Avg Security Score
96/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Virfice – Self-hosted Email Marketing for WordPress, Newsletter, WooCommerce Emails, Automation, and More

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/emails-for-woocommerce/build/index.css/wp-content/plugins/emails-for-woocommerce/build/index.js/wp-content/plugins/emails-for-woocommerce/build/vendors.js
Script Paths
/wp-content/plugins/emails-for-woocommerce/build/index.js/wp-content/plugins/emails-for-woocommerce/build/vendors.js
Version Parameters
/wp-content/plugins/emails-for-woocommerce/build/index.css?ver=/wp-content/plugins/emails-for-woocommerce/build/index.js?ver=/wp-content/plugins/emails-for-woocommerce/build/vendors.js?ver=

HTML / DOM Fingerprints

CSS Classes
virfice-pluginvirfice-dashboardvirfice-campaignsvirfice-formsvirfice-audiencevirfice-email-editorvirfice-analyticsvirfice-settings+2 more
HTML Comments
<!-- Virfice Plugin: Settings --><!-- Virfice Plugin: Scripts --><!-- Virfice Plugin: Styles --><!-- Virfice Plugin: Init -->
Data Attributes
data-virfice-menudata-virfice-pagedata-virfice-component
JS Globals
virficeAppVirfice_ajax_object
REST Endpoints
/wp-json/virfice/v1/settings/wp-json/virfice/v1/campaigns/wp-json/virfice/v1/forms/wp-json/virfice/v1/audience/wp-json/virfice/v1/emails/wp-json/virfice/v1/analytics/wp-json/virfice/v1/brand-settings/wp-json/virfice/v1/upgrade
FAQ

Frequently Asked Questions about Virfice – Self-hosted Email Marketing for WordPress, Newsletter, WooCommerce Emails, Automation, and More