Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking Security & Risk Analysis

wordpress.org/plugins/mail-control

Design and customize email templates, control your SMTP email deliverability, track your emails clicks and openings, and send them as background task.

60 active installs · v0.3.9 · PHP 7.4+ · WP 5.0+ · Updated Mar 22, 2025
Tags: email, email-customizer, email-deliverability, email-log, smtp
91 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Jul 10, 2023
Safety Verdict

Is Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking Safe to Use in 2026?

Generally Safe

Score 91/100

Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Jul 10, 2023 · Updated 1yr ago
Risk Assessment

The "mail-control" plugin v0.3.9 exhibits a concerning security posture primarily due to its unprotected AJAX handlers. The static analysis reveals a significant attack surface with 6 AJAX handlers, all of which lack authentication checks. This presents a high risk of unauthorized actions being performed by unauthenticated users. While the plugin demonstrates good practices in its use of prepared statements for SQL queries (85%) and proper output escaping (87%), and no critical or high severity taint flows were detected, the unprotected entry points are a major weakness. The vulnerability history indicates one past high-severity CVE related to Cross-site Scripting, which, combined with the current lack of authentication on AJAX handlers, suggests a potential for similar vulnerabilities to be exploited if not addressed. The plugin has strengths in its SQL and output handling but critically fails to secure its primary interaction points.

Key Concerns

  • 6 AJAX handlers without auth checks
  • 1 past high severity CVE
Vulnerabilities
1

Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking Security Vulnerabilities

CVEs by Year

2023: 1 CVE

Severity Breakdown

High: 1 (1 total CVE)

CVE-2023-3158 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Mail Control <= 0.2.8 - Unauthenticated Stored Cross-Site Scripting via Email Subject

Jul 10, 2023 Patched in 0.3.2 (197d)
Code Analysis
Analyzed Mar 16, 2026

Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (11 prepared)
Unescaped Output: 27 (179 escaped)
Nonce Checks: 9
Capability Checks: 4
File Operations: 2
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

85% prepared · 13 total queries

Output Escaping

87% escaped · 206 total outputs

Data Flows: All sanitized

Data Flow Analysis

1 flow: <admin> (includes\admin.php:0)

Attack Surface
6 unprotected

Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking Attack Surface

Entry Points: 6
Unprotected: 6

AJAX Handlers 6

auth · wp_ajax_resend_email · includes\admin.php:127
auth · wp_ajax_detail_email · includes\admin.php:215
auth · wp_ajax_process_mail_queue · includes\background-mailer.php:215
auth · wp_ajax_send_preview_email · includes\email-customizer.php:827
auth · wp_ajax_send_test_email · includes\smtp-mailer.php:156
auth · wp_ajax_test_domain · includes\smtp-mailer.php:179

WordPress Hooks 64

action · load-toplevel_page_mail-control · includes\admin.php:19
filter · mc_disable_email_queue · includes\admin.php:139
action · wp_mail_failed · includes\admin.php:141
action · admin_menu · includes\admin.php:466
action · admin_init · includes\admin.php:612
filter · plugin_row_meta · includes\admin.php:639
filter · plugin_action_links · includes\admin.php:656
filter · mail_control_settings · includes\background-mailer.php:14
action · shutdown · includes\background-mailer.php:155
action · settings_ready_mc · includes\background-mailer.php:228
action · mc_process_email_queue · includes\background-mailer.php:233
filter · pre_wp_mail · includes\background-mailer.php:235
filter · mail_control_settings · includes\email-customizer.php:7
filter · css_do_concat · includes\email-customizer.php:608
filter · js_do_concat · includes\email-customizer.php:609
action · mc_header · includes\email-customizer.php:612
action · mc_footer · includes\email-customizer.php:623
action · customize_controls_enqueue_scripts · includes\email-customizer.php:703
filter · allowed_block_types_all · includes\email-customizer.php:758
action · admin_menu · includes\email-customizer.php:814
filter · mc_disable_email_queue · includes\email-customizer.php:839
action · settings_ready_mc · includes\email-customizer.php:850
action · widgets_init · includes\email-customizer.php:857
action · customize_register · includes\email-customizer.php:861
filter · should_load_separate_core_block_assets · includes\email-customizer.php:866
action · customize_preview_init · includes\email-customizer.php:868
action · template_redirect · includes\email-customizer.php:871
action · mc_header · includes\email-customizer.php:874
filter · css_do_concat · includes\email-customizer.php:876
filter · should_load_separate_core_block_assets · includes\email-customizer.php:878
action · mc_footer · includes\email-customizer.php:885
filter · wp_mail · includes\email-customizer.php:890
filter · mail_control_settings · includes\email-tracker.php:9
action · mail_control_cleanup_logs · includes\email-tracker.php:366
action · mail_control_upgrade · includes\email-tracker.php:385
action · wp_mail_failed · includes\email-tracker.php:391
action · phpmailer_init · includes\email-tracker.php:409
filter · connect_message_on_update · includes\init_freemius.php:72
action · plugins_loaded · includes\install.php:46
filter · mc_customizer_sections · includes\integrations\woocommerce.php:44
filter · mc_customizer_settings · includes\integrations\woocommerce.php:51
filter · woocommerce_email_styles · includes\integrations\woocommerce.php:97
filter · woocommerce_mail_content · includes\integrations\woocommerce.php:100
action · woocommerce_email_header · includes\integrations\woocommerce.php:102
filter · woocommerce_email_settings · includes\integrations\woocommerce.php:110
filter · woocommerce_email_headers · includes\integrations\woocommerce.php:139
filter · mc_disable_beautify · includes\integrations\woocommerce.php:141
filter · pre_wp_mail · includes\integrations\woocommerce.php:145
filter · mc_customizer_email_types · includes\integrations\woocommerce.php:151
filter · mc_customizer_preview · includes\integrations\woocommerce.php:167
filter · mc_customizer_defaults · includes\integrations\woocommerce.php:186
action · settings_ready_mc · includes\integrations\woocommerce.php:194
action · woocommerce_email · includes\integrations\woocommerce.php:198
action · woocommerce_email · includes\integrations\woocommerce.php:201
action · plugins_loaded · includes\settings.php:89
action · init · includes\settings.php:100
filter · mc_disable_email_queue · includes\smtp-checks.php:29
action · phpmailer_init · includes\smtp-checks.php:31
filter · mail_control_settings · includes\smtp-mailer.php:9
action · wsa_after_form_SMTP_MAILER · includes\smtp-mailer.php:216
action · settings_ready_mc · includes\smtp-mailer.php:328
action · phpmailer_init · includes\smtp-mailer.php:330
filter · wp_mail_from · includes\smtp-mailer.php:332
filter · wp_mail_from_name · includes\smtp-mailer.php:337

Scheduled Events 2

mc_process_email_queue
mail_control_cleanup_logs
Maintenance & Trust

Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Mar 22, 2025
PHP min version: 7.4
Downloads: 2K

Community Trust

Rating: 100/100
Number of ratings: 4
Active installs: 60
Developer Profile

Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking Developer Profile

Rahal Aboulfeth

1 plugin · 60 total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 197 days
Detection Fingerprints

How We Detect Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/mail-control/assets/css/backend.css
  • /wp-content/plugins/mail-control/assets/js/backend.js
  • /wp-content/plugins/mail-control/assets/css/frontend.css
  • /wp-content/plugins/mail-control/assets/js/frontend.js
  • /wp-content/plugins/mail-control/assets/css/track.css
Script Paths
  • /wp-content/plugins/mail-control/assets/js/backend.js
  • /wp-content/plugins/mail-control/assets/js/frontend.js
Version Parameters
  • mail-control/assets/css/backend.css?ver=
  • mail-control/assets/js/backend.js?ver=
  • mail-control/assets/css/frontend.css?ver=
  • mail-control/assets/js/frontend.js?ver=
  • mail-control/assets/css/track.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • mc-settings-page
  • mc-customizer-header
  • mc-customizer-label
  • mc-customizer-field
  • mc-customizer-description
  • mc-btn-save
  • mc-toggle-switch
HTML Comments
  • <!-- Mail Control Admin Settings -->
  • <!-- Mail Control Customizer Content -->
Data Attributes
  • data-mc-field
  • data-mc-type
  • data-mc-value
JS Globals
  • mc_backend_params
  • mc_frontend_params
  • MailControlBackend
REST Endpoints
  • /wp-json/mail-control/v1/settings
  • /wp-json/mail-control/v1/customizer/save
Shortcode Output
  • <div class="mail-control-shortcode-example"><p>This is an example of Mail Control shortcode output.</p></div>
FAQ

Frequently Asked Questions about Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking