Mail Doctor Security & Risk Analysis

wordpress.org/plugins/mail-doctor

Deliver WooCommerce emails with confidence using authenticated SMTP transports, visual diagnostics, and automated retries.

0 active installs · v1.0.1 · PHP 8.1+ · WP 6.0+ · Updated Mar 25, 2026
Tags: deliverability email logging smtp woocommerce
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Mail Doctor Safe to Use in 2026?

Generally Safe

Score 100/100

Mail Doctor has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The mail-doctor plugin v1.0.1 exhibits a concerning security posture due to a significant number of unprotected AJAX handlers. While the plugin demonstrates strong practices in other areas, such as using prepared statements for all SQL queries and properly escaping all output, the absence of authorization checks on nine AJAX entry points presents a substantial risk. This means any authenticated user, regardless of their role or privileges, could potentially trigger these AJAX actions, leading to unauthorized operations or information disclosure.

Despite the lack of reported vulnerabilities and a clean taint analysis, the unprotected AJAX handlers remain the primary security concern. The plugin's clean vulnerability history is a positive indicator, suggesting that its developers are not introducing known issues. However, the unprotected entry points create a wide attack surface that could be exploited if a specific vulnerability is introduced in the future or if an attacker can leverage existing WordPress authentication mechanisms to gain access. The presence of nonce checks and capability checks in the plugin (16 of each in the code analysis) is commendable, but the absence of explicit authorization checks on these AJAX handlers is a critical oversight.

In conclusion, while mail-doctor v1.0.1 scores well on data handling and output sanitization, its security is significantly undermined by its numerous unprotected AJAX endpoints. This creates an unnecessary and dangerous attack surface that could be exploited by malicious actors. Addressing these unprotected AJAX handlers should be the immediate priority for the plugin developers to improve its overall security.

Key Concerns

  • Unprotected AJAX handlers
Vulnerabilities
None known

Mail Doctor Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Mail Doctor Release Timeline

v1.0.1 (Current)
v1.0.0
Code Analysis
Analyzed Apr 16, 2026

Mail Doctor Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (93 prepared)
Unescaped Output: 1 (1796 escaped)
Nonce Checks: 16
Capability Checks: 16
File Operations: 2
External Requests: 16
Bundled Libraries: 0

SQL Query Safety

100% prepared · 93 total queries

Output Escaping

100% escaped · 1797 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

3 flows
handle_settings_form (includes/admin/modules/module-settings.php:190)
Diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
9 unprotected

Mail Doctor Attack Surface

Entry Points: 9
Unprotected: 9

AJAX Handlers 9

auth · wp_ajax_mail_doctor_send_test_email · includes/admin/class-mail-doctor-admin.php:104
auth · wp_ajax_mail_doctor_get_status_cards · includes/admin/class-mail-doctor-admin.php:105
auth · wp_ajax_mail_doctor_retry_email · includes/admin/class-mail-doctor-admin.php:106
auth · wp_ajax_mail_doctor_resend_email · includes/admin/class-mail-doctor-admin.php:107
auth · wp_ajax_mail_doctor_purge_logs · includes/admin/class-mail-doctor-admin.php:108
auth · wp_ajax_mail_doctor_run_queue_now · includes/admin/class-mail-doctor-admin.php:109
auth · wp_ajax_mail_doctor_test_connection · includes/admin/class-mail-doctor-admin.php:110
auth · wp_ajax_mail_doctor_preview_woo_email · includes/admin/class-mail-doctor-admin.php:111
auth · wp_ajax_mail_doctor_send_preview_woo_email · includes/admin/class-mail-doctor-admin.php:112
WordPress Hooks 43
action · admin_menu · includes/admin/class-mail-doctor-admin.php:97
action · admin_enqueue_scripts · includes/admin/class-mail-doctor-admin.php:98
filter · woocommerce_get_sections_email · includes/admin/class-mail-doctor-admin.php:99
filter · woocommerce_get_settings_email · includes/admin/class-mail-doctor-admin.php:100
action · admin_init · includes/admin/class-mail-doctor-admin.php:101
action · admin_notices · includes/admin/class-mail-doctor-admin.php:102
action · network_admin_menu · includes/admin/class-mail-doctor-network-admin.php:31
action · network_admin_edit_mail_doctor_network · includes/admin/class-mail-doctor-network-admin.php:32
action · admin_init · includes/admin/class-mail-doctor-onboarding.php:42
action · admin_menu · includes/admin/class-mail-doctor-onboarding.php:43
action · admin_enqueue_scripts · includes/admin/class-mail-doctor-onboarding.php:44
action · admin_notices · includes/admin/class-mail-doctor-onboarding.php:45
action · admin_post_mail_doctor_oauth_start · includes/auth/class-mail-doctor-oauth.php:34
action · admin_post_mail_doctor_oauth_callback · includes/auth/class-mail-doctor-oauth.php:35
action · wp_mail_succeeded · includes/core/modules/module-logger-config.php:25
action · wp_mail_failed · includes/core/modules/module-logger-config.php:26
action · shutdown · includes/core/modules/module-logger-config.php:27
action · shutdown · includes/core/modules/module-logger-config.php:28
filter · woocommerce_mail_callback · includes/integrations/class-mail-doctor-woocommerce.php:80
filter · woocommerce_mail_callback_params · includes/integrations/class-mail-doctor-woocommerce.php:81
action · woocommerce_init · includes/integrations/class-mail-doctor-woocommerce.php:82
action · woocommerce_email · includes/integrations/class-mail-doctor-woocommerce.php:83
action · woocommerce_email_sent · includes/integrations/class-mail-doctor-woocommerce.php:84
action · woocommerce_email_after_send · includes/integrations/class-mail-doctor-woocommerce.php:85
filter · pre_wp_mail · includes/mail/mailer/modules/module-mailer-init.php:27
filter · wp_mail · includes/mail/mailer/modules/module-mailer-init.php:28
action · phpmailer_init · includes/mail/mailer/modules/module-mailer-init.php:29
action · wp_mail_succeeded · includes/mail/mailer/modules/module-mailer-init.php:30
action · wp_mail_failed · includes/mail/mailer/modules/module-mailer-init.php:31
action · wp_mail_failed · includes/mail/mailer/modules/module-mailer-init.php:32
filter · wp_mail_from · includes/mail/mailer/modules/module-mailer-init.php:33
filter · wp_mail_from_name · includes/mail/mailer/modules/module-mailer-init.php:34
action · shutdown · includes/mail/mailer/modules/module-mailer-init.php:35
action · mail_doctor_async_send · includes/mail/mailer/modules/module-mailer-init.php:36
filter · cron_schedules · includes/mail/retry/class-mail-doctor-retry.php:147
action · mail_doctor_log_failed · includes/mail/retry/class-mail-doctor-retry.php:148
filter · cron_schedules · includes/mail/retry/class-mail-doctor-retry.php:168
filter · wp_privacy_personal_data_exporters · includes/support/class-mail-doctor-privacy.php:32
filter · wp_privacy_personal_data_erasers · includes/support/class-mail-doctor-privacy.php:33
filter · plugin_row_meta · mail-doctor.php:99
action · init · mail-doctor.php:120
action · plugins_loaded · mail-doctor.php:163
action · admin_notices · mail-doctor.php:187
Maintenance & Trust

Mail Doctor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 25, 2026
PHP min version: 8.1
Downloads: 198

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Mail Doctor Developer Profile

sarfraj85

1 plugin · 0 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Mail Doctor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mail-doctor/assets/css/maildoctor.css
/wp-content/plugins/mail-doctor/assets/js/maildoctor.js
Script Paths
/wp-content/plugins/mail-doctor/assets/js/maildoctor.js
Version Parameters
mail-doctor/assets/css/maildoctor.css?ver=
mail-doctor/assets/js/maildoctor.js?ver=

HTML / DOM Fingerprints

CSS Classes
mail-doctor-admin-page
Data Attributes
data-mail-doctor-settings
JS Globals
MailDoctor