GD Mail Queue Security & Risk Analysis

wordpress.org/plugins/gd-mail-queue

Intercept emails sent with wp_mail() into flexible mail queue for sending emails, convert plain text emails to HTML, email log, and more.

800 active installs · v4.4 · PHP 7.4+ · WP 5.9+ · Updated Dec 3, 2024
Tags: dev4press, email-log, html-email, queue, smtp
Score: 90 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Dec 28, 2024
Safety Verdict

Is GD Mail Queue Safe to Use in 2026?

Generally Safe

Score 90/100

GD Mail Queue has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Dec 28, 2024 · Updated 1yr ago
Risk Assessment

The gd-mail-queue plugin v4.4 presents a mixed security posture. While it demonstrates good practices like a high percentage of prepared SQL statements and a significant number of nonce and capability checks, several areas raise concerns. The presence of two AJAX handlers without authentication checks, coupled with five unsanitized paths identified in taint analysis, including three critical severity flows, indicates potential for unauthorized actions and data manipulation. The plugin's vulnerability history, though currently showing no unpatched issues, has previously included high and medium severity vulnerabilities, primarily Cross-site Scripting. This pattern suggests that the plugin, while actively maintained, may have had past coding weaknesses that could re-emerge if not rigorously addressed. Overall, the plugin exhibits some strong security foundations but requires vigilance due to its exposed entry points and past susceptibility to input validation flaws.

Key Concerns

  • Unprotected AJAX handlers
  • Taint flows with unsanitized paths (Critical)
  • Taint flows with unsanitized paths (High)
  • Known past high severity vulnerability
  • Known past medium severity vulnerability
  • Bundled library (PHPMailer)
  • Output escaping not fully implemented
Vulnerabilities
2 published

GD Mail Queue Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2024: 1 CVE

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2025-24608 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

GD Mail Queue <= 4.3 - Reflected Cross-Site Scripting

Dec 28, 2024 Patched in 4.4 (132d)
CVE-2023-3122 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

GD Mail Queue <= 3.9.3 - Unauthenticated Stored Cross-Site Scripting via Email

Jun 9, 2023 Patched in 4.0 (228d)
Code Analysis
Analyzed Mar 16, 2026

GD Mail Queue Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 4 (37 prepared)
Unescaped Output: 180 (245 escaped)
Nonce Checks: 11
Capability Checks: 7
File Operations: 23
External Requests: 3
Bundled Libraries: 1

Dangerous Functions Found

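unserialize · $this->{$key} = unserialize(serialize($val)); · d4plib\classes\d4p.base.php:41

Here unserialize() is applied to a string produced by serialize() in the same expression (a deep-copy idiom), so the call does not parse a serialized string supplied from outside.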

Bundled Libraries

PHPMailer

SQL Query Safety

90% prepared · 41 total queries

Output Escaping

58% escaped · 425 total outputs
Data Flows · Security
5 unsanitized

Data Flow Analysis

11 flows · 5 with unsanitized paths
wp_redirect_self (d4plib\d4p.wp.php:511)
Attack Surface
2 unprotected

GD Mail Queue Attack Surface

Entry Points: 4
Unprotected: 2

AJAX Handlers 4

auth · wp_ajax_gdmaq_tools_emailtest · core\admin\ajax.php:9
auth · wp_ajax_gdmaq_tools_queuetest · core\admin\ajax.php:10
auth · wp_ajax_gdmaq_log_entry_preview · core\admin\ajax.php:12
auth · wp_ajax_gdmaq_log_entry_html · core\admin\ajax.php:13
WordPress Hooks 103
action · gdmaq_plugin_init · core\admin\plugin.php:15
filter · set-screen-option · core\admin\plugin.php:17
action · admin_menu · core\admin\plugin.php:65
action · admin_notices · core\admin\plugin.php:70
action · admin_notices · core\admin\plugin.php:74
action · admin_notices · core\admin\plugin.php:78
filter · plugin_action_links · core\admin\plugin.php:81
filter · plugin_row_meta · core\admin\plugin.php:82
action · load-gd-mail-queue_page_gd-mail-queue-log · core\admin\plugin.php:227
action · gdmaq_load_service_smtp · core\mail\engine.phpmailer.php:29
filter · comment_moderation_headers · core\objects\core.detect.php:16
filter · comment_notification_headers · core\objects\core.detect.php:17
filter · new_user_email_content · core\objects\core.detect.php:18
filter · email_change_email · core\objects\core.detect.php:19
filter · password_change_email · core\objects\core.detect.php:20
filter · retrieve_password_message · core\objects\core.detect.php:21
filter · user_request_confirmed_email_subject · core\objects\core.detect.php:23
filter · user_confirmed_action_email_content · core\objects\core.detect.php:24
filter · user_request_action_email_subject · core\objects\core.detect.php:25
filter · wp_privacy_personal_data_email_headers · core\objects\core.detect.php:26
filter · new_admin_email_content · core\objects\core.detect.php:28
filter · site_admin_email_change_email · core\objects\core.detect.php:29
filter · wp_new_user_notification_email_admin · core\objects\core.detect.php:30
filter · wp_new_user_notification_email · core\objects\core.detect.php:31
filter · wp_password_change_notification_email · core\objects\core.detect.php:32
filter · auto_plugin_theme_update_email · core\objects\core.detect.php:34
filter · auto_core_update_email · core\objects\core.detect.php:35
filter · automatic_updates_debug_email · core\objects\core.detect.php:36
filter · recovery_mode_email · core\objects\core.detect.php:38
filter · wpmu_signup_blog_notification_subject · core\objects\core.detect.php:41
filter · wpmu_signup_user_notification_subject · core\objects\core.detect.php:42
filter · update_welcome_subject · core\objects\core.detect.php:43
filter · update_welcome_user_subject · core\objects\core.detect.php:44
filter · newblog_notify_siteadmin · core\objects\core.detect.php:45
filter · newuser_notify_siteadmin · core\objects\core.detect.php:46
filter · new_network_admin_email_content · core\objects\core.detect.php:47
filter · network_admin_email_change_email · core\objects\core.detect.php:48
filter · delete_site_email_content · core\objects\core.detect.php:49
action · bbp_pre_notify_subscribers · core\objects\core.detect.php:52
action · bbp_pre_notify_forum_subscribers · core\objects\core.detect.php:53
action · bbp_pre_notify_topic_auto_close · core\objects\core.detect.php:56
action · bbp_pre_notify_topic_manual_close · core\objects\core.detect.php:57
action · bbp_pre_notify_topic_edit_subscribers · core\objects\core.detect.php:58
action · bbp_pre_notify_reply_edit_subscribers · core\objects\core.detect.php:59
action · bbp_pre_notify_new_topic_moderators · core\objects\core.detect.php:60
action · gdpol_daily_digest_notify_moderators_pre_notify · core\objects\core.detect.php:63
action · gdpol_daily_digest_notify_author_pre_notify · core\objects\core.detect.php:64
action · gdpol_instant_notify_pre_notify · core\objects\core.detect.php:65
filter · wpmem_email_filter · core\objects\core.detect.php:68
filter · wpmem_notify_filter · core\objects\core.detect.php:69
filter · rank_math/auto_update_email · core\objects\core.detect.php:72
filter · asgarosforum_subscriber_mails_new_post · core\objects\core.detect.php:75
filter · asgarosforum_subscriber_mails_new_topic · core\objects\core.detect.php:76
action · bp_send_email · core\objects\core.detect.php:79
filter · wp_mail · core\objects\core.detect.php:82
filter · bp_email_use_wp_mail · core\objects\core.external.php:16
action · gdmaq_plugin_init · core\objects\core.htmlfy.php:27
action · gdmaq_mailer_phpmailer_htmlfy · core\objects\core.htmlfy.php:44
action · gdmaq_plugin_init · core\objects\core.log.php:21
action · gdmaq_mailer_phpmailer_to_log · core\objects\core.log.php:45
action · qdmaq_queue_phpmailer_email_send · core\objects\core.log.php:49
action · wp_mail_failed · core\objects\core.log.php:79
action · gdmaq_plugin_init · core\objects\core.mailer.php:54
filter · wp_mail_from · core\objects\core.mailer.php:78
filter · wp_mail_from_name · core\objects\core.mailer.php:79
action · phpmailer_init · core\objects\core.mailer.php:85
action · phpmailer_init · core\objects\core.mailer.php:91
action · wp_mail_failed · core\objects\core.mailer.php:94
action · gdmaq_plugin_init · core\objects\core.queue.php:56
action · gdmaq_run_queue · core\objects\core.queue.php:57
filter · cron_schedules · core\objects\core.queue.php:86
action · phpmailer_init · core\objects\core.service.php:16
action · gdmaq_phpmailer_prepare_engine · core\objects\core.service.php:19
action · gdmaq_run_maintenance · core\plugin.php:38
action · admin_notices · core\plugin.php:44
action · gdmaq_load_engine_phpmailer · core\plugin.php:49
filter · gdmaq_queue_paused · core\plugin.php:65
filter · gdmaq_email_paused · core\plugin.php:69
action · gdmaq_load_settings · core\settings.php:107
filter · http_request_args · d4plib\classes\d4p.four.php:91
action · switch_blog · d4plib\core\d4p.wpdb.php:49
filter · sanitize_key · d4plib\core\d4p.wpdb.php:83
filter · plugin_action_links · d4plib\plugin\d4p.admin-basic.php:49
filter · plugin_row_meta · d4plib\plugin\d4p.admin-basic.php:50
action · admin_init · d4plib\plugin\d4p.admin-basic.php:88
action · admin_menu · d4plib\plugin\d4p.admin-basic.php:89
action · current_screen · d4plib\plugin\d4p.admin-basic.php:91
action · admin_enqueue_scripts · d4plib\plugin\d4p.admin-basic.php:92
action · admin_notices · d4plib\plugin\d4p.admin-options.php:78
action · admin_notices · d4plib\plugin\d4p.admin-options.php:82
action · admin_init · d4plib\plugin\d4p.admin.php:74
action · admin_init · d4plib\plugin\d4p.admin.php:75
action · admin_menu · d4plib\plugin\d4p.admin.php:76
action · add_meta_boxes · d4plib\plugin\d4p.admin.php:77
action · current_screen · d4plib\plugin\d4p.admin.php:79
action · admin_enqueue_scripts · d4plib\plugin\d4p.admin.php:81
action · customize_controls_enqueue_scripts · d4plib\plugin\d4p.customizer.php:45
action · customize_register · d4plib\plugin\d4p.customizer.php:46
action · plugins_loaded · d4plib\plugin\d4p.plugin.php:45
action · after_setup_theme · d4plib\plugin\d4p.plugin.php:46
action · widgets_init · d4plib\plugin\d4p.plugin.php:74
action · wp_enqueue_scripts · d4plib\plugin\d4p.plugin.php:78
action · shortcode_ui_before_do_shortcode · d4plib\plugin\d4p.shortcodes.php:83

Scheduled Events 2

gdmaq_run_queue
gdmaq_run_maintenance
Maintenance & Trust

GD Mail Queue Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Dec 3, 2024
PHP min version: 7.4
Downloads: 14K

Community Trust

Rating: 100/100
Number of ratings: 11
Active installs: 800
Developer Profile

GD Mail Queue Developer Profile

Milan Petrovic

17 plugins · 12K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 1106 days
Detection Fingerprints

How We Detect GD Mail Queue

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/gd-mail-queue/d4plib/core/admin/css/style.css
/wp-content/plugins/gd-mail-queue/d4plib/core/admin/js/script.js
/wp-content/plugins/gd-mail-queue/core/admin/css/style.css
/wp-content/plugins/gd-mail-queue/core/admin/js/script.js
/wp-content/plugins/gd-mail-queue/core/grids/css/log.css
/wp-content/plugins/gd-mail-queue/core/grids/js/log.js
Script Paths
/wp-content/plugins/gd-mail-queue/d4plib/core/admin/js/script.js
/wp-content/plugins/gd-mail-queue/core/admin/js/script.js
/wp-content/plugins/gd-mail-queue/core/grids/js/log.js
Version Parameters
gd-mail-queue/d4plib/core/admin/css/style.css?ver=
gd-mail-queue/d4plib/core/admin/js/script.js?ver=
gd-mail-queue/core/admin/css/style.css?ver=
gd-mail-queue/core/admin/js/script.js?ver=
gd-mail-queue/core/grids/css/log.css?ver=
gd-mail-queue/core/grids/js/log.js?ver=

HTML / DOM Fingerprints

CSS Classes
gdmaq_admin
gdmaq-notice-info
HTML Comments
<!-- D4PLIB -->
<!-- Copyright -->
Data Attributes
data-gdmaq-core
JS Globals
$_gdmaq_core
$_gdmaq_settings
gdmaq
gdmaq_settings
FAQ

Frequently Asked Questions about GD Mail Queue