ENL Newsletter Security & Risk Analysis

wordpress.org/plugins/enl-newsletter

Easy to create multiple newsletters containing the blog's latest posts.

Active installs: 10 · Version: 1.0.1 · Requires: PHP + WP 3.0.1+ · Updated: Jan 7, 2012
Tags: categories, latest-posts, multiple, newsletter, schedule

Score: 29/100 · Grade F · Critical Risk
CVEs total: 4 · Unpatched: 4 · Last CVE: Apr 26, 2024
Safety Verdict

Is ENL Newsletter Safe to Use in 2026?

Critical Risk: Avoid

Score 29/100

ENL Newsletter is critically unsafe: it has 4 known CVEs, all 4 still unpatched, and the plugin was last updated 14 years ago (Jan 7, 2012), so no fix should be expected. Avoid in production.

4 known CVEs · 4 unpatched · Last CVE: Apr 26, 2024 · Updated 14yr ago
Risk Assessment

Version 1.0.1 of the 'enl-newsletter' plugin has a poor security posture, driven by its vulnerability history and by several red flags in static analysis. The direct attack surface is small (no unprotected AJAX handlers, REST API routes, or shortcodes were found; 0 entry points), but every one of the 11 tracked data flows has an unsanitized path, and the plugin calls `create_function`, a wrapper around eval() that was deprecated in PHP 7.2 and removed in PHP 8.0. The call at enl_newsletter.php:155 appears to be registered at file scope alongside the plugin's other hooks, so on PHP 8 the plugin fails with a fatal error as soon as it is loaded. Output escaping is also severely lacking: only 4 of 24 outputs (17%) are escaped, which indicates a high risk of cross-site scripting (XSS).

The vulnerability history is the most serious signal: four published CVEs, none patched, comprising two authenticated (Admin+) SQL injections (CVE-2024-3060, rated critical, and CVE-2014-4939, rated high) and two cross-site request forgery issues (CVE-2024-3058 and CVE-2024-3059, the latter allowing campaign deletion). Both CSRF findings are consistent with the static analysis, which found no nonce checks and no capability checks anywhere in the plugin. The SQL injections require an administrator account, which narrows who can exploit them directly, but an unpatched admin-level SQL injection in a plugin with no nonce protection still leaves any compromised or coerced admin session able to read or alter the database. The plugin was last updated in January 2012, more than twelve years before the 2024 CVEs were published, so these issues should be treated as permanent rather than pending.

In short, the limited direct attack surface does not offset the poor output escaping, the dangerous function, the fully unsanitized data flows, and four unpatched CVEs in an abandoned code base. Sites still running the plugin should deactivate and remove it and replace it with a maintained alternative; there is no realistic prospect of these issues being fixed upstream.

Key Concerns

  • Unpatched Critical CVE
  • Unpatched High CVE
  • Unpatched Medium CVE (x2)
  • High severity taint flows (x9)
  • Dangerous function: create_function
  • Low output escaping percentage (17%)
  • Unsanitized paths in taint analysis (11/11)
  • No nonce checks
  • No capability checks
Vulnerabilities
4 published

ENL Newsletter Security Vulnerabilities

CVEs by Year

  • 2014: 1 CVE (unpatched)
  • 2024: 3 CVEs (unpatched)

Severity Breakdown

  • Critical: 1
  • High: 1
  • Medium: 2

4 total CVEs

CVE-2024-3060 · Critical · CVSS 9.1 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ENL Newsletter <= 1.0.1 - Authenticated (Admin+) SQL Injection
Apr 26, 2024 · Unpatched

CVE-2024-3059 · Medium · CVSS 4.3 · Cross-Site Request Forgery (CSRF)
ENL Newsletter <= 1.0.1 - Cross-Site Request Forgery to Campaign Deletion
Apr 5, 2024 · Unpatched

CVE-2024-3058 · Medium · CVSS 6.1 · Cross-Site Request Forgery (CSRF)
ENL Newsletter <= 1.0.1 - Cross-Site Request Forgery
Apr 5, 2024 · Unpatched

CVE-2014-4939 · High · CVSS 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ENL Newsletter <= 1.0.1 - Authenticated (Admin+) SQL Injection
May 28, 2014 · Unpatched
Version History

ENL Newsletter Release Timeline

Code Analysis
Analyzed Mar 17, 2026

ENL Newsletter Code Analysis

  • Dangerous functions: 1
  • Raw SQL queries: 3 (13 prepared)
  • Unescaped output: 20 (4 escaped)
  • Nonce checks: 0
  • Capability checks: 0
  • File operations: 4
  • External requests: 0
  • Bundled libraries: 0

Dangerous Functions Found

create_function at enl_newsletter.php:155:
add_filter('wp_mail_content_type',create_function('', 'return "text/html";'));

SQL Query Safety

81% prepared (13 of 16 total queries)

Output Escaping

17% escaped (4 of 24 total outputs)
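The following is an added example written for this page, not code from the enl-newsletter plugin or its developer. It shows, in one admin action handler, the controls that the Key Concerns list and the Code Analysis metrics above report as missing: a capability check, a nonce check bound to the record being deleted, a prepared statement in place of a raw query, context-appropriate output escaping, and a closure replacing the create_function() call at enl_newsletter.php:155. The table name enl_campaigns, the columns id and title, the action name enl_delete_campaign, and the enl_example_* function names are assumptions chosen for the example.

```php
<?php
/**
 * Added example (not code from the enl-newsletter plugin): a hardened
 * "delete campaign" admin action. Assumptions not taken from the page:
 * table name enl_campaigns, columns id and title, action name
 * enl_delete_campaign, and the enl_example_* function names.
 */

// 1. The create_function() call at enl_newsletter.php:155 compiles a string
//    with eval(); it was deprecated in PHP 7.2 and removed in PHP 8.0. A
//    closure does the same job without eval and runs on every supported PHP.
add_filter('wp_mail_content_type', function () {
    return 'text/html';
});

// 2. Build the delete link with a nonce tied to the specific campaign id, so a
//    nonce obtained for one record cannot be replayed against another.
function enl_example_delete_url($campaign_id) {
    $campaign_id = absint($campaign_id);
    $url = add_query_arg(
        array('action' => 'enl_delete_campaign', 'campaign_id' => $campaign_id),
        admin_url('admin-post.php')
    );
    return wp_nonce_url($url, 'enl_delete_campaign_' . $campaign_id);
}

// 3. Handler: capability check, then nonce check, then a prepared query.
add_action('admin_post_enl_delete_campaign', 'enl_example_handle_delete');
function enl_example_handle_delete() {
    global $wpdb;

    // Capability check: the page reports 0 of these in the plugin.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to delete campaigns.', 'enl-example'), 403);
    }

    $campaign_id = isset($_GET['campaign_id']) ? absint($_GET['campaign_id']) : 0;

    // Nonce check: check_admin_referer() calls wp_die() on a missing or invalid
    // nonce. This is the control whose absence makes a cross-site request to
    // the deletion action (the CVE-2024-3059 class of issue) possible.
    check_admin_referer('enl_delete_campaign_' . $campaign_id);

    if ($campaign_id === 0) {
        wp_die(esc_html__('Invalid campaign id.', 'enl-example'), 400);
    }

    // Prepared statement: %d forces an integer placeholder. Unprepared queries
    // that interpolate request data are the classic source of findings like
    // CVE-2024-3060; the page counts 3 such raw queries in this plugin.
    $table = $wpdb->prefix . 'enl_campaigns';
    $wpdb->query($wpdb->prepare("DELETE FROM {$table} WHERE id = %d", $campaign_id));

    wp_safe_redirect(add_query_arg('deleted', '1', wp_get_referer() ?: admin_url()));
    exit;
}

// 4. Rendering a campaign row: escape every value at the point of output, with
//    the escaping function matched to its context (attribute, HTML text, URL).
function enl_example_render_row($campaign) {
    $id    = absint($campaign->id);
    $title = (string) $campaign->title;
    return sprintf(
        '<tr data-enl-id="%s"><td>%s</td><td><a href="%s">%s</a></td></tr>',
        esc_attr($id),
        esc_html($title),
        esc_url(enl_example_delete_url($id)),
        esc_html__('Delete', 'enl-example')
    );
}
```

A nonce-protected GET link is the minimum that closes the CSRF gap; a POST form carrying the same nonce is preferable for a destructive action, since it also keeps the request out of browser history and referrer logs. The order of checks matters little for security, but failing the capability check before touching the nonce gives a non-admin a clear 403 rather than a confusing nonce error.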
Data Flows · Security
11 unsanitized

Data Flow Analysis

11 flows, 11 with unsanitized paths
enl_newsletter_campaigns_page (admin\pages.php:67)
Attack Surface

ENL Newsletter Attack Surface

Entry Points: 0
Unprotected: 0

WordPress Hooks (13)

  • action init (admin\admin.php:11)
  • action admin_menu (admin\admin.php:15)
  • action admin_init (admin\admin.php:16)
  • action admin_init (admin\admin.php:17)
  • action admin_init (admin\admin.php:18)
  • action plugins_loaded (enl_newsletter.php:17)
  • filter cron_schedules (enl_newsletter.php:19)
  • action enl_newsletter_cron (enl_newsletter.php:21)
  • action wp_print_styles (enl_newsletter.php:145)
  • action wp_print_scripts (enl_newsletter.php:148)
  • action widgets_init (enl_newsletter.php:151)
  • action init (enl_newsletter.php:152)
  • filter wp_mail_content_type (enl_newsletter.php:155)

Scheduled Events (1)

  • enl_newsletter_cron
Maintenance & Trust

ENL Newsletter Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 3.1.4
  • Last updated: Jan 7, 2012
  • PHP min version: none listed
  • Downloads: 6K

Community Trust

  • Rating: 80/100
  • Number of ratings: 1
  • Active installs: 10
Developer Profile

ENL Newsletter Developer Profile

wphobby

16 plugins · 220 total installs

Trust score: 86
Avg security score: 88/100
Avg patch time: 30 days
Detection Fingerprints

How We Detect ENL Newsletter

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/enl-newsletter/css/style.css
  • /wp-content/plugins/enl-newsletter/js/script.js
Script Paths
  • /wp-content/plugins/enl-newsletter/js/script.js
Version Parameters
  • enl-newsletter/css/style.css?ver=
  • enl-newsletter/js/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
enl_form
Data Attributes
data-enl-id
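As an added example, not part of this page's tooling or of the plugin, the function below applies the asset and DOM fingerprints listed above to a page's HTML and reports whether enl-newsletter is present, which patterns matched, and the ?ver= value carried by its assets. The sample HTML is constructed for the example; the function name enl_example_fingerprint and the scoring rule (one asset hit, or both DOM markers) are choices made here, not part of the page.

```php
<?php
/**
 * Added example (not part of the page or the plugin): apply the listed
 * asset and DOM fingerprints to a page's HTML. The sample HTML at the
 * bottom is constructed, and the detection rule is an assumption.
 */
function enl_example_fingerprint(string $html): array {
    $result = array('detected' => false, 'evidence' => array(), 'ver' => null);

    // Asset fingerprints: the plugin's stylesheet and script under wp-content.
    $asset_paths = array(
        '/wp-content/plugins/enl-newsletter/css/style.css',
        '/wp-content/plugins/enl-newsletter/js/script.js',
    );
    foreach ($asset_paths as $path) {
        if (strpos($html, $path) !== false) {
            $result['evidence'][] = 'asset:' . $path;
        }
    }

    // DOM fingerprints: the enl_form class and the data-enl-id attribute.
    if (preg_match('/class="[^"]*\benl_form\b[^"]*"/', $html)) {
        $result['evidence'][] = 'class:enl_form';
    }
    if (strpos($html, 'data-enl-id') !== false) {
        $result['evidence'][] = 'attr:data-enl-id';
    }

    // Version parameter on either asset. WordPress appends ?ver= to enqueued
    // assets; the value may be the plugin version or the WordPress version
    // depending on how the plugin enqueued them, so treat it as a hint only.
    if (preg_match('#enl-newsletter/(?:css/style\.css|js/script\.js)\?ver=([0-9A-Za-z.\-]+)#', $html, $m)) {
        $result['ver'] = $m[1];
    }

    // Asset paths are the strongest signal; a lone class name could belong to
    // a theme, so require one asset hit or both DOM markers (assumed rule).
    $asset_hits = count(array_filter($result['evidence'], fn($e) => strpos($e, 'asset:') === 0));
    $dom_hits   = count($result['evidence']) - $asset_hits;
    $result['detected'] = $asset_hits > 0 || $dom_hits >= 2;
    return $result;
}

// Constructed sample page (not captured from a real site).
$sample = <<<HTML
<link rel="stylesheet" href="https://example.invalid/wp-content/plugins/enl-newsletter/css/style.css?ver=1.0.1">
<form class="enl_form" data-enl-id="3"></form>
HTML;

$r = enl_example_fingerprint($sample);
echo $r['detected']
    ? "detected (ver {$r['ver']}): " . implode(', ', $r['evidence']) . "\n"
    : "not detected\n";
```

Because the plugin's only versions are 1.0.1 and earlier, and all four CVEs apply to <= 1.0.1, a positive detection is sufficient on its own to flag the site as running a vulnerable plugin; the ?ver= value only helps confirm which asset enqueue produced the match.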
FAQ

Frequently Asked Questions about ENL Newsletter