FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider Security & Risk Analysis

wordpress.org/plugins/fluent-smtp

The Ultimate Forever Free Mail SMTP Plugin for WordPress. Connect with any SMTP, SendGrid, Mailgun, Amazon SES, Brevo, Postmark, Sparkpost, Google...

500K active installs v2.2.95 PHP 7.4+ WP 5.5+ Updated Dec 28, 2025
Tags: amazon-ses, mail, mail-smtp, smtp, wordpress-mail-smtp
Score: 93 · A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Jan 24, 2025
Safety Verdict

Is FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider Safe to Use in 2026?

Generally Safe

Score 93/100

FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Jan 24, 2025 · Updated 3mo ago
Risk Assessment

The plugin 'fluent-smtp' v2.2.95 exhibits a mixed security posture. While it demonstrates good practices in using prepared statements for a high percentage of SQL queries and properly escaping a significant portion of its output, there are notable areas of concern. The presence of an unprotected AJAX handler is a significant risk, providing an easily accessible entry point for attackers. Furthermore, the use of the `unserialize` function, even without evident taint flows in this specific static analysis, historically represents a critical vulnerability class if not handled with extreme care regarding input sources. The plugin's vulnerability history is a substantial red flag, with a notable number of past CVEs across all severity levels, including a past critical vulnerability. This pattern suggests a recurring tendency to introduce security flaws, and the fact that the last reported vulnerability was relatively recent in 2025 indicates ongoing security challenges. Despite its strengths in data handling, the unprotected entry points and historical vulnerability trends necessitate caution.

Key Concerns

  • Unprotected AJAX handler
  • Dangerous function: unserialize
  • Past critical vulnerability
  • Past high severity vulnerability
  • Past medium severity vulnerability (x2)
  • Past low severity vulnerability
  • Bundled library: PHPMailer
Vulnerabilities
5

FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2023: 2 CVEs
  • 2024: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • Critical: 1
  • High: 1
  • Medium: 2
  • Low: 1

5 total CVEs

CVE-2025-24739 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

FluentSMTP <= 2.2.80 - Cross-Site Request Forgery

Jan 24, 2025 Patched in 2.2.81 (5d)
CVE-2024-9511 · critical · 9.8 · Deserialization of Untrusted Data

FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider <= 2.2.82 - Unauthenticated PHP Object Injection

Nov 22, 2024 Patched in 2.2.83 (1d)
CVE-2023-3087 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FluentSMTP <= 2.2.4 - Unauthenticated Stored Cross-Site Scripting via Email Subject

Jul 6, 2023 Patched in 2.2.5 (201d)
CVE-2023-0219 · low · 3.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FluentSMTP <= 2.2.2 - Authenticated (Author+) Stored Cross-Site Scripting via Email Logs

Mar 3, 2023 Patched in 2.2.3 (326d)
CVE-2021-24528 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FluentSMTP <= 2.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Jul 29, 2021 Patched in 2.0.1 (908d)
Code Analysis
Analyzed Mar 16, 2026

FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 7 (24 prepared)
Unescaped Output: 8 (127 escaped)
Nonce Checks: 3
Capability Checks: 7
File Operations: 19
External Requests: 26
Bundled Libraries: 1

Dangerous Functions Found

  • unserialize · `return unserialize(trim($data), ['allowed_classes' => false]);` · app\Models\Logger.php:204
  • unserialize · `return unserialize(trim($data), ['allowed_classes' => false]);` · app\Services\NotificationHelper.php:475

Bundled Libraries

PHPMailer

SQL Query Safety

77% prepared · 31 total queries

Output Escaping

94% escaped · 135 total outputs
Attack Surface
1 unprotected

FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_fluent_smtp_get_dashboard_html · app\Hooks\Handlers\AdminMenuHandler.php:91

REST API Routes 1

GET · /wp-json/fluent-smtp/outlook_callback/ · app\Hooks\Handlers\ActionsRegistrar.php:110
WordPress Hooks 23
  • action · admin_notices · app\Functions\helpers.php:880
  • filter · fluent_crm/quick_links · app\Hooks\filters.php:4
  • action · admin_menu · app\Hooks\Handlers\AdminMenuHandler.php:25
  • action · admin_enqueue_scripts · app\Hooks\Handlers\AdminMenuHandler.php:28
  • action · admin_init · app\Hooks\Handlers\AdminMenuHandler.php:31
  • action · admin_bar_menu · app\Hooks\Handlers\AdminMenuHandler.php:57
  • action · admin_init · app\Hooks\Handlers\AdminMenuHandler.php:59
  • action · install_plugins_table_header · app\Hooks\Handlers\AdminMenuHandler.php:61
  • action · wp_print_scripts · app\Hooks\Handlers\AdminMenuHandler.php:135
  • filter · admin_footer_text · app\Hooks\Handlers\AdminMenuHandler.php:230
  • action · wp_dashboard_setup · app\Hooks\Handlers\AdminMenuHandler.php:344
  • action · admin_footer · app\Hooks\Handlers\AdminMenuHandler.php:371
  • action · wp_initialize_site · app\Hooks\Handlers\InitializeSiteHandler.php:9
  • filter · fluentmail_email_sending_failed · app\Hooks\Handlers\SchedulerHandler.php:18
  • action · fluentsmtp_renew_gmail_token · app\Hooks\Handlers\SchedulerHandler.php:20
  • action · fluentmail_email_sending_failed_no_fallback · app\Hooks\Handlers\SchedulerHandler.php:22
  • filter · fluentmail_saving_connection_data · app\Services\Mailer\Providers\Gmail\Handler.php:157
  • filter · fluentmail_saving_connection_data · app\Services\Mailer\Providers\Outlook\Handler.php:114
  • action · plugins_loaded · fluent-smtp.php:40
  • action · init · fluent-smtp.php:53
  • filter · pre_update_option_active_plugins · includes\Activator.php:16
  • filter · pre_update_option_active_plugins · includes\Core\Application.php:35
  • action · admin_notices · includes\Core\Application.php:47

Scheduled Events 2

fluentsmtp_renew_gmail_token
fluentsmtp_renew_gmail_token
Maintenance & Trust

FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 28, 2025
PHP min version: 7.4
Downloads: 4.0M

Community Trust

Rating: 96/100
Number of ratings: 361
Active installs: 500K
Developer Profile

FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider Developer Profile

Shahjahan Jewel

17 plugins · 1.3M total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 113 days
Detection Fingerprints

How We Detect FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/fluent-smtp/app/assets/css/fluent-smtp.css
/wp-content/plugins/fluent-smtp/app/assets/js/fluent-smtp.js
Script Paths
/wp-content/plugins/fluent-smtp/app/assets/js/fluent-smtp.js
Version Parameters
fluent-smtp/app/assets/css/fluent-smtp.css?ver=
fluent-smtp/app/assets/js/fluent-smtp.js?ver=

HTML / DOM Fingerprints

CSS Classes
fluent_smtp_box
HTML Comments
<!-- This notice is from FluentSMTP plugin to prevent plugin conflict. -->
<!-- For SMTP, you already have FluentSMTP Installed -->
Data Attributes
data-tb-margintop
JS Globals
fluentMailApp
REST Endpoints
/wp-json/fluent-smtp