Inbox Security & Risk Analysis

wordpress.org/plugins/inbox

All types of messages among users and admin including support departments are possible with this plugin.

10 active installs · v1.2.2 · PHP 7.0+ · WP 4.4+ · Updated Nov 4, 2024
Tags: chat-plugin, chatbot, inbox, live-chat, live-support-departments

Score: 92 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Inbox Safe to Use in 2026?

Generally Safe

Score 92/100

Inbox has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1yr ago
Risk Assessment

The "inbox" plugin version 1.2.2 exhibits a concerning security posture, primarily due to a large number of unprotected entry points. With 18 AJAX handlers, 14 of which lack authentication checks, and a total of 22 entry points of which 14 are unprotected, the plugin presents a significant attack surface. While the use of prepared statements for SQL queries is a positive sign, the extremely low percentage of properly escaped output (4%) is a critical weakness, suggesting a high risk of Cross-Site Scripting (XSS) vulnerabilities. The taint analysis further highlights this concern with 3 high severity flows, indicating potential for code injection or data leakage through unsanitized paths. The absence of any recorded CVEs and vulnerability history might reflect a lack of past exploitation or discovery, but it should not be interpreted as a guarantee of current security, especially given the identified code-level weaknesses. In conclusion, despite some good practices such as prepared statements, the "inbox" plugin's security is significantly undermined by its extensive unprotected attack surface and poor output escaping, making it a high-risk plugin.

Key Concerns

  • 14 AJAX handlers without auth checks
  • 4% properly escaped output
  • 3 high severity taint flows
  • 7 flows with unsanitized paths
  • 4 shortcodes
Vulnerabilities
None known

Inbox Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Inbox Release Timeline

v1.2.2 (current)
v1.2.1
v1.2.0
v1.1.9
v1.1.8
v1.1.7
v1.1.6
v1.1.5
v1.1.4
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.9
v1.0.8
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3
Code Analysis
Analyzed Apr 16, 2026

Inbox Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (24 prepared)
Unescaped Output: 193 (7 escaped)
Nonce Checks: 7
Capability Checks: 4
File Operations: 2
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

92% prepared (26 total queries)

Output Escaping

4% escaped (200 total outputs)
Data Flows · Security
7 unsanitized

Data Flow Analysis

13 flows, 7 with unsanitized paths

wp_inbox_message_send (inc/functions.php:2255)

Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
14 unprotected

Inbox Attack Surface

Entry Points: 22
Unprotected: 14

AJAX Handlers 18

auth   | wp_ajax_wp_inbox_mail                 | inc/functions.php:73
nopriv | wp_ajax_wp_inbox_mail                 | inc/functions.php:74
auth   | wp_ajax_wp_inbox_mail_notification    | inc/functions.php:93
auth   | wp_ajax_wpinbox_update_option         | inc/functions.php:1024
auth   | wp_ajax_wpinboxmessagesend            | inc/functions.php:2294
auth   | wp_ajax_wphelpmessagesend             | inc/functions.php:2342
auth   | wp_ajax_wpinboxhelppage               | inc/functions.php:2396
nopriv | wp_ajax_wpinboxhelppage               | inc/functions.php:2397
auth   | wp_ajax_wpinboxtz                     | inc/functions.php:2438
nopriv | wp_ajax_wpinboxtz                     | inc/functions.php:2439
auth   | wp_ajax_wpinboxdeptdelete             | inc/functions.php:2555
auth   | wp_ajax_wpinboxdeptstaff              | inc/functions.php:2649
auth   | wp_ajax_wpinboxdeptadd                | inc/functions.php:2733
auth   | wp_ajax_wp_copy_author_file           | inc/functions.php:2916
auth   | wp_ajax_wp_inbox_ajax_save_settings   | inc/functions.php:3018
auth   | wp_ajax_wp_inbox_admin_msg_save       | inc/functions.php:3192
auth   | wp_ajax_wp_inbox_admin_msg_action     | inc/functions.php:3254
auth   | wp_ajax_wpinboxsearch                 | inc/profiles.php:569

Shortcodes 4

[WP-INBOX] inc/functions.php:1707
[WP-USERS-STRIP] inc/functions.php:1709
[WP-USERS-LIST] inc/functions.php:1711
[WP-HELP] inc/functions.php:1713
WordPress Hooks 14

action | admin_init                                  | inc/functions.php:824
action | init                                        | inc/functions.php:856
action | wp_head                                     | inc/functions.php:1296
action | woocommerce_before_add_to_cart_form         | inc/functions.php:1883
action | woocommerce_order_details_after_order_table | inc/functions.php:2818
filter | woocommerce_account_menu_items              | inc/functions.php:2854
action | init                                        | inc/functions.php:3314
action | edit_user_profile_update                    | inc/profiles.php:71
action | woocommerce_customer_save_address           | inc/profiles.php:72
action | wp_footer                                   | inc/profiles.php:162
action | init                                        | inc/profiles.php:838
action | admin_menu                                  | index.php:80
action | admin_enqueue_scripts                       | index.php:83
action | wp_enqueue_scripts                          | index.php:85
Maintenance & Trust

Inbox Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Nov 4, 2024
PHP min version: 7.0
Downloads: 5K

Community Trust

Rating: 74/100
Number of ratings: 3
Active installs: 10
Developer Profile

Inbox Developer Profile

Fahad Mahmood

44 plugins · 33K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 228 days
Detection Fingerprints

How We Detect Inbox

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/inbox/css/front.css
/wp-content/plugins/inbox/js/front.js
/wp-content/plugins/inbox/css/admin.css
/wp-content/plugins/inbox/js/admin.js

Script Paths
/wp-content/plugins/inbox/js/front.js
/wp-content/plugins/inbox/js/admin.js

Version Parameters
inbox/css/front.css?ver=
inbox/js/front.js?ver=
inbox/css/admin.css?ver=
inbox/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
inbox-compose-textarea
inbox-message-list
inbox-message-item
inbox-reply-box
inbox-sidebar-menu
inbox-user-list

HTML Comments
<!-- Exit if accessed directly -->
<!-- Plugin Name: Inbox -->
<!-- Version: 1.2.2 -->

Data Attributes
data-inbox-id
data-user-id

JS Globals
window.inbox_ajax_url
window.inbox_current_user_id
var wp_inbox_mail_headers

REST Endpoints
/wp-json/inbox/v1/messages
/wp-json/inbox/v1/send_message

Shortcode Output
[inbox_messages]
[inbox_compose_form]
[inbox_user_list]
FAQ

Frequently Asked Questions about Inbox