Mail Baby SMTP Security & Risk Analysis

wordpress.org/plugins/mail-baby-smtp

Send email from your WordPress site using Mail.baby, SMTP.com, Gmail, SendGrid, Mailgun, Sendinblue and more APIs, and configure wp_mail() with them.

700 active installs · v3.2.13 · PHP 7.4+ · WP 6.1+ · Updated Mar 12, 2026
Tags: gmail-smtp, mailbaby-smtp, mailgun-smtp, sendinblue, smtp
Score: 99 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Sep 22, 2025
Safety Verdict

Is Mail Baby SMTP Safe to Use in 2026?

Generally Safe

Score 99/100

Mail Baby SMTP has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Sep 22, 2025 · Updated 22d ago
Risk Assessment

The mail-baby-smtp plugin exhibits a mixed security posture. While it demonstrates good practices in SQL query preparation (91%) and output escaping (95%), and has no dangerous functions, a significant concern arises from its extensive attack surface, with 16 AJAX handlers and a concerning 14 of them lacking authentication checks. This opens a wide avenue for potential unauthorized actions. The taint analysis reveals one high-severity flow with unsanitized paths, which, despite not being critical, warrants careful investigation as it could lead to exploitation if input is not handled properly.

The vulnerability history shows a single medium-severity CVE related to CSRF, which has been patched. The recurrence of CSRF in the past suggests a potential weakness in input validation or state-changing action protection, though the absence of current unpatched vulnerabilities is a positive sign. The presence of bundled libraries like jQuery and PHPMailer, while common, always carries a risk if they are not kept up-to-date or if vulnerabilities exist within them.

In conclusion, the plugin has several strengths in secure coding practices for SQL and output handling. However, the large number of unprotected AJAX endpoints and the identified high-severity taint flow are significant weaknesses that could be exploited. The past CSRF vulnerability, though patched, highlights a need for continued vigilance in securing sensitive operations. Addressing the unprotected AJAX handlers should be a top priority.

Key Concerns

  • Large attack surface without auth checks
  • High severity taint flow
  • Missing nonce checks on AJAX
  • 1 medium severity CVE in history
  • Bundled libraries (potential outdatedness)
Vulnerabilities
1

Mail Baby SMTP Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-57992 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Mail Baby SMTP <= 2.8 - Cross-Site Request Forgery

Sep 22, 2025 Patched in 3.2.12 (60d)
Code Analysis
Analyzed Mar 16, 2026

Mail Baby SMTP Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 8 (85 prepared)
Unescaped Output: 21 (377 escaped)
Nonce Checks: 6
Capability Checks: 1
File Operations: 10
External Requests: 10
Bundled Libraries: 2

Bundled Libraries

jQuery, PHPMailer

SQL Query Safety

91% prepared · 93 total queries

Output Escaping

95% escaped · 398 total outputs
Data Flows
9 unsanitized

Data Flow Analysis

15 flows · 9 with unsanitized paths
signup_process (inc\Sendinblue.php:1245)
Attack Surface
14 unprotected

Mail Baby SMTP Attack Surface

Entry Points: 17
Unprotected: 14

AJAX Handlers 16

auth · wp_ajax_wp_mailplus_clear_logs · inc\Sendgrid_SMTP_Manager.php:69
auth · wp_ajax_sib_validate_process · inc\Sendinblue.php:249
auth · wp_ajax_sib_validate_ma · inc\Sendinblue.php:251
auth · wp_ajax_sib_activate_email_change · inc\Sendinblue.php:253
auth · wp_ajax_sib_sender_change · inc\Sendinblue.php:255
auth · wp_ajax_sib_send_email · inc\Sendinblue.php:257
auth · wp_ajax_sib_remove_cache · inc\Sendinblue.php:259
auth · wp_ajax_sib_sync_users · inc\Sendinblue.php:261
auth · wp_ajax_sib_change_template · inc\Sendinblue.php:265
auth · wp_ajax_sib_get_lists · inc\Sendinblue.php:267
auth · wp_ajax_sib_get_templates · inc\Sendinblue.php:269
auth · wp_ajax_sib_get_attributes · inc\Sendinblue.php:271
auth · wp_ajax_sib_update_form_html · inc\Sendinblue.php:273
auth · wp_ajax_sib_copy_origin_form · inc\Sendinblue.php:275
auth · wp_ajax_sib_get_country_prefix · inc\Sendinblue.php:279
nopriv · wp_ajax_sib_get_country_prefix · inc\Sendinblue.php:281

Shortcodes 1

[sibwp_form] inc\Sendinblue.php:305
WordPress Hooks 41
filter · plugin_action_links · inc\Gmail_SMTP_Manager.php:39
action · plugins_loaded · inc\Gmail_SMTP_Manager.php:43
action · admin_menu · inc\Gmail_SMTP_Manager.php:45
action · init · inc\Gmail_SMTP_Manager.php:47
action · admin_enqueue_scripts · inc\Gmail_SMTP_Manager.php:51
filter · pre_wp_mail · inc\Gmail_SMTP_Manager.php:57
filter · wp_mail_from · inc\Mailbaby_SMTP_Manager.php:59
filter · wp_mail_from_name · inc\Mailbaby_SMTP_Manager.php:61
filter · wp_mail_from · inc\Other_SMTP_Manager.php:59
filter · wp_mail_from_name · inc\Other_SMTP_Manager.php:61
action · phpmailer_init · inc\Sendgrid_SMTP_Manager.php:65
action · wp_mail_failed · inc\Sendgrid_SMTP_Manager.php:67
filter · wp_mail_from · inc\Sendgrid_SMTP_Manager.php:73
filter · wp_mail_from_name · inc\Sendgrid_SMTP_Manager.php:75
action · admin_init · inc\Sendinblue.php:229
action · admin_menu · inc\Sendinblue.php:231
action · wp_print_scripts · inc\Sendinblue.php:235
action · wp_enqueue_scripts · inc\Sendinblue.php:237
filter · query_vars · inc\Sendinblue.php:243
action · parse_request · inc\Sendinblue.php:245
action · init · inc\Sendinblue.php:285
action · wp_login · inc\Sendinblue.php:289
action · sib_language_sidebar · inc\Sendinblue.php:353
action · admin_notices · inc\Sendinblue.php:441
action · wp_head · inc\Sendinblue.php:525
action · admin_action_sib_setting_subscription · inc\Sendinblue.php:539
action · admin_action_nopriv_sib_setting_subscription · inc\Sendinblue.php:541
action · sendinblue_init · inc\Sendinblue.php:2785
filter · widget_text · inc\Sendinblue.php:2787
filter · wp_mail_from · inc\Smtpcom_Manager.php:59
filter · wp_mail_from_name · inc\Smtpcom_Manager.php:61
filter · mg_mutate_to_rcpt_vars · inc\templates\Mailgun\wp-mail-api.php:123
action · admin_footer · inc\templates\Sendgrid\WP_List_Table.php:331
action · wp_mail_failed · mail-baby-smtp.php:49
action · phpmailer_init · mail-baby-smtp.php:170
action · admin_init · mail-baby-smtp.php:220
filter · plugin_action_links · mail-baby-smtp.php:242
action · plugins_loaded · mail-baby-smtp.php:244
action · admin_menu · mail-baby-smtp.php:245
action · admin_enqueue_scripts · mail-baby-smtp.php:246
filter · pre_wp_mail · mail-baby-smtp.php:247
Maintenance & Trust

Mail Baby SMTP Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.4
Downloads: 5K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 700
Developer Profile

Mail Baby SMTP Developer Profile

InterServer

1 plugin · 700 total installs

Trust score: 87
Avg Security Score: 99/100
Avg Patch Time: 60 days
Detection Fingerprints

How We Detect Mail Baby SMTP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mail-baby-smtp/assets/css/custom.css
/wp-content/plugins/mail-baby-smtp/assets/js/custom.js
/wp-content/plugins/mail-baby-smtp/assets/js/settings.js
/wp-content/plugins/mail-baby-smtp/mail-baby-smtp.php
Script Paths
/wp-content/plugins/mail-baby-smtp/assets/js/custom.js
/wp-content/plugins/mail-baby-smtp/assets/js/settings.js
Version Parameters
mail-baby-smtp/assets/css/custom.css?ver=
mail-baby-smtp/assets/js/custom.js?ver=
mail-baby-smtp/assets/js/settings.js?ver=
mail-baby-smtp/mail-baby-smtp.php?ver=

HTML / DOM Fingerprints

Data Attributes
data-mail-baby-smtp-settings-page
JS Globals
MAIL_BABY_SMTP_to_email
MAIL_BABY_SMTP_email_subject
MAIL_BABY_SMTP_email_body
MAIL_BABY_SMTP_send_test_email
MAIL_BABY_SMTP_options
FAQ

Frequently Asked Questions about Mail Baby SMTP