PickPlugins Mail Picker — Email Marketing & Newsletters Security & Risk Analysis

wordpress.org/plugins/mail-picker

Send newsletter and build email subscriber.

10 active installs · v1.0.17 · PHP + WP 4.1+ · Updated Jan 10, 2026
email-campaign · email-marketing · email-subscriber · newsletter
Score: 96 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Dec 11, 2024
Safety Verdict

Is PickPlugins Mail Picker — Email Marketing & Newsletters Safe to Use in 2026?

Generally Safe

Score 96/100

PickPlugins Mail Picker — Email Marketing & Newsletters has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Dec 11, 2024 · Updated 4mo ago
Risk Assessment

The 'mail-picker' plugin v1.0.17 presents a mixed security posture. On the positive side, 100% of its SQL queries use prepared statements and a high percentage (92%) of its output is escaped. It bundles no outdated libraries and has no currently unpatched CVEs.

However, significant concerns arise from the substantial attack surface exposed without proper authentication checks. Six out of ten entry points, including all five REST API routes and one AJAX handler, lack permission callbacks, leaving them open to unauthorized access. The presence of the `unserialize` function, coupled with seven critical taint flows without sanitization, strongly suggests a high risk of deserialization vulnerabilities, particularly when combined with the unprotected entry points.

The plugin's history of two CVEs, one critical (deserialization) and one medium (XSS), reinforces these concerns. It indicates a recurring pattern of vulnerabilities that attackers could leverage if a new zero-day emerges or if older vulnerabilities are still unpatched and exploitable in specific configurations.

Key Concerns

  • REST API routes without permission callbacks
  • AJAX handler without auth checks
  • Critical taint flows without sanitization
  • Presence of dangerous unserialize function
  • Previously unpatched critical CVE (historical)
  • Previously unpatched medium CVE (historical)
Vulnerabilities
2 published

PickPlugins Mail Picker — Email Marketing & Newsletters Security Vulnerabilities

CVEs by Year

2 CVEs in 2024

Severity Breakdown

Critical: 1
Medium: 1

2 total CVEs

CVE-2024-54273 · critical · 9.8 · Deserialization of Untrusted Data

Mail Picker <= 1.0.14 - Unauthenticated PHP Object Injection

Dec 11, 2024 · Patched in 1.0.15 (9d)

CVE-2024-53772 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Mail Picker <= 1.0.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

Nov 28, 2024 · Patched in 1.0.16 (412d)
Version History

PickPlugins Mail Picker — Email Marketing & Newsletters Release Timeline

Code Analysis
Analyzed Mar 17, 2026

PickPlugins Mail Picker — Email Marketing & Newsletters Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (5 prepared)
Unescaped Output: 106 (1196 escaped)
Nonce Checks: 6
Capability Checks: 9
File Operations: 1
External Requests: 27
Bundled Libraries: 0

Dangerous Functions Found

unserialize · includes\menu\mail_templates.php:97
$layout_options = isset($item->layout_options) ? unserialize($item->layout_options) : '';

SQL Query Safety

100% prepared · 5 total queries

Output Escaping

92% escaped · 1302 total outputs
Data Flows · Security
9 unsanitized

Data Flow Analysis

11 flows · 9 with unsanitized paths
<mail_templates> (includes\menu\mail_templates.php:0)
Attack Surface
6 unprotected

PickPlugins Mail Picker — Email Marketing & Newsletters Attack Surface

Entry Points: 10
Unprotected: 6

AJAX Handlers 1

auth · wp_ajax_mail_picker_ajax_send_test_mail · includes\functions.php:95

REST API Routes 5

POST /wp-json/mail-picker/v2/check_subscriber · includes\mail-picker-rest-end-points.php:23
POST /wp-json/mail-picker/v2/add_subscriber · includes\mail-picker-rest-end-points.php:32
POST /wp-json/mail-picker/v2/unsubscribe · includes\mail-picker-rest-end-points.php:41
POST /wp-json/mail-picker/v2/remove_subscriber · includes\mail-picker-rest-end-points.php:50
POST /wp-json/mail-picker/v2/confirm_subscribe · includes\mail-picker-rest-end-points.php:60

Shortcodes 4

[mail_picker_subscriber_source_check] includes\functions-cron-hooks.php:6
[mail_picker_subscriber_source_check_newsletter_subscribers] includes\functions-cron-hooks.php:1187
[mail_picker_campaign_check] includes\functions.php:192
[mail_picker_form] includes\shortcodes\class-shortcodes.php:10

WordPress Hooks 163

action · init · includes\classes\class-manage-subscriber.php:14
action · init · includes\classes\class-manage-subscriber.php:15
action · init · includes\classes\class-manage-subscriber.php:16
action · init · includes\classes\class-manage-subscriber.php:17
action · init · includes\classes\class-manage-subscriber.php:18
action · init · includes\classes\class-manage-subscriber.php:19
action · init · includes\classes\class-manage-subscriber.php:21
action · add_meta_boxes · includes\classes\class-post-meta.php:11
action · save_post · includes\classes\class-post-meta.php:12
action · add_meta_boxes · includes\classes\class-post-meta.php:14
action · save_post · includes\classes\class-post-meta.php:15
action · add_meta_boxes · includes\classes\class-post-meta.php:17
action · add_meta_boxes · includes\classes\class-post-meta.php:20
action · save_post · includes\classes\class-post-meta.php:21
action · add_meta_boxes · includes\classes\class-post-meta.php:23
action · save_post · includes\classes\class-post-meta.php:24
action · init · includes\classes\class-post-types.php:13
action · init · includes\classes\class-post-types.php:14
action · init · includes\classes\class-post-types.php:18
action · init · includes\classes\class-post-types.php:19
action · admin_menu · includes\classes\class-settings.php:10
action · mail_picker_subscriber_source_check · includes\functions-cron-hooks.php:7
action · mail_picker_subscriber_source_check_registered_users · includes\functions-cron-hooks.php:97
action · mail_picker_subscriber_source_check_comments · includes\functions-cron-hooks.php:259
action · mail_picker_subscriber_source_check_woo_orders · includes\functions-cron-hooks.php:430
action · mail_picker_subscriber_source_check_evf_entries · includes\functions-cron-hooks.php:618
action · mail_picker_subscriber_source_check_flamingo_inbound · includes\functions-cron-hooks.php:797
action · mail_picker_subscriber_source_check_ninjaform_sub · includes\functions-cron-hooks.php:972
action · mail_picker_subscriber_source_check_newsletter_subscribers · includes\functions-cron-hooks.php:1189
action · wpcf7_submit · includes\functions-cron-hooks.php:1451
action · wpforms_process_complete · includes\functions-cron-hooks.php:1570
action · frm_after_create_entry · includes\functions-cron-hooks.php:1578
action · caldera_custom_form_submit_before_set_fields · includes\functions-cron-hooks.php:1663
action · caldera_forms_submit_complete · includes\functions-cron-hooks.php:1747
action · weforms_entry_submission · includes\functions-cron-hooks.php:1827
filter · kaliforms_before_form_process · includes\functions-cron-hooks.php:1912
filter · ig_es_add_subscriber_data · includes\functions-cron-hooks.php:1991
filter · mailoptin_optin_subscription_request_body · includes\functions-cron-hooks.php:2094
filter · s2_confirm_email · includes\functions-cron-hooks.php:2188
filter · newsletter_user_subscribe · includes\functions-cron-hooks.php:2201
action · subscriber_source_options_registered_users · includes\functions-hooks.php:5
action · subscriber_source_meta_boxes_save · includes\functions-hooks.php:68
action · mail_picker_subscriber_source_options_comments · includes\functions-hooks.php:84
action · subscriber_source_meta_boxes_save · includes\functions-hooks.php:125
action · subscriber_source_options_woo_orders · includes\functions-hooks.php:141
action · subscriber_source_meta_boxes_save · includes\functions-hooks.php:195
action · subscriber_source_options_ninjaform_sub · includes\functions-hooks.php:210
action · subscriber_source_meta_boxes_save · includes\functions-hooks.php:245
action · subscriber_source_options_newsletter_subscribers · includes\functions-hooks.php:261
action · subscriber_source_meta_boxes_save · includes\functions-hooks.php:296
filter · mail_picker_send_mail_via_api_smtp2go · includes\functions-send-mail.php:6
filter · mail_picker_send_mail_via_api_mandrill · includes\functions-send-mail.php:81
filter · mail_picker_send_mail_via_api_sendpulse · includes\functions-send-mail.php:163
filter · mail_picker_send_mail_via_api_mailjet · includes\functions-send-mail.php:247
filter · mail_picker_send_mail_via_api_postmark · includes\functions-send-mail.php:376
filter · mail_picker_send_mail_via_api_pepipost · includes\functions-send-mail.php:449
filter · mail_picker_send_mail_via_api_smtpcom · includes\functions-send-mail.php:526
filter · mail_picker_send_mail_via_api_sendgrid · includes\functions-send-mail.php:631
filter · wp_mail_from · includes\functions.php:14
filter · wp_mail_from_name · includes\functions.php:28
action · phpmailer_init · includes\functions.php:103
action · mail_picker_campaign_check · includes\functions.php:193
action · mail_picker_campaign_running · includes\functions.php:278
action · mail_picker_campaign_send_mail · includes\functions.php:358
filter · manage_edit-mail_campaign_sortable_columns · includes\functions.php:541
filter · manage_mail_campaign_posts_columns · includes\functions.php:548
action · mail_picker_mail_campaign_posts_column · includes\functions.php:588
filter · manage_mail_campaign_posts_columns · includes\functions.php:622
action · mail_picker_mail_campaign_posts_column · includes\functions.php:681
filter · manage_subscriber_posts_columns · includes\functions.php:704
action · mail_picker_subscriber_posts_column · includes\functions.php:772
filter · manage_subscriber_form_posts_columns · includes\functions.php:794
action · mail_picker_subscriber_form_posts_column · includes\functions.php:852
filter · manage_subscriber_source_posts_columns · includes\functions.php:871
action · mail_picker_manage_subscriber_source_posts_column · includes\functions.php:932
action · mail_picker_form_element_option_wrapper_start · includes\layout-elements.php:6
action · mail_picker_form_element_wrapper_start · includes\layout-elements.php:112
action · mail_picker_form_element_css_wrapper_start · includes\layout-elements.php:132
action · mail_picker_form_element_option_wrapper_end · includes\layout-elements.php:176
action · mail_picker_form_element_wrapper_end · includes\layout-elements.php:229
action · mail_picker_form_element_option_input_text · includes\layout-elements.php:242
action · mail_picker_form_element_input_text · includes\layout-elements.php:420
action · mail_picker_form_element_css_input_text · includes\layout-elements.php:447
action · mail_picker_form_element_option_input_email · includes\layout-elements.php:490
action · mail_picker_form_element_input_email · includes\layout-elements.php:668
action · mail_picker_form_element_css_input_email · includes\layout-elements.php:692
action · mail_picker_form_element_option_input_number · includes\layout-elements.php:737
action · mail_picker_form_element_input_number · includes\layout-elements.php:915
action · mail_picker_form_element_css_input_number · includes\layout-elements.php:940
action · mail_picker_form_element_option_input_select · includes\layout-elements.php:981
action · mail_picker_form_element_input_select · includes\layout-elements.php:1161
action · mail_picker_form_element_css_input_select · includes\layout-elements.php:1202
action · mail_picker_form_element_option_input_checkbox · includes\layout-elements.php:1245
action · mail_picker_form_element_input_checkbox · includes\layout-elements.php:1423
action · mail_picker_form_element_css_input_checkbox · includes\layout-elements.php:1466
action · mail_picker_form_element_option_input_radio · includes\layout-elements.php:1509
action · mail_picker_form_element_input_radio · includes\layout-elements.php:1688
action · mail_picker_form_element_css_input_radio · includes\layout-elements.php:1731
action · mail_picker_form_element_option_subscriber_email · includes\layout-elements.php:1777
action · mail_picker_form_element_subscriber_email · includes\layout-elements.php:1956
action · mail_picker_form_element_css_subscriber_email · includes\layout-elements.php:1982
action · mail_picker_form_element_option_subscriber_phone · includes\layout-elements.php:2027
action · mail_picker_form_element_subscriber_phone · includes\layout-elements.php:2206
action · mail_picker_form_element_css_subscriber_phone · includes\layout-elements.php:2232
action · mail_picker_form_element_option_subscriber_country · includes\layout-elements.php:2275
action · mail_picker_form_element_subscriber_country · includes\layout-elements.php:2454
action · mail_picker_form_element_css_subscriber_country · includes\layout-elements.php:2480
action · mail_picker_form_element_option_first_name · includes\layout-elements.php:2522
action · mail_picker_form_element_first_name · includes\layout-elements.php:2701
action · mail_picker_form_element_css_first_name · includes\layout-elements.php:2727
action · mail_picker_form_element_option_last_name · includes\layout-elements.php:2770
action · mail_picker_form_element_last_name · includes\layout-elements.php:2949
action · mail_picker_form_element_css_last_name · includes\layout-elements.php:2975
action · mail_picker_form_element_option_subscriber_list · includes\layout-elements.php:3015
action · mail_picker_form_element_subscriber_list · includes\layout-elements.php:3194
action · mail_picker_form_element_css_subscriber_list · includes\layout-elements.php:3220
action · rest_api_init · includes\mail-picker-rest-end-points.php:11
action · init · includes\mail-picker-rest-end-points.php:12
action · init · includes\mail-picker-rest-end-points.php:13
action · mail_picker_settings_content_general · includes\settings-hook.php:7
action · mail_picker_settings_content_test_mail · includes\settings-hook.php:131
action · mail_picker_settings_content_smtp · includes\settings-hook.php:214
action · mail_picker_smtp_other_smtp · includes\settings-hook.php:544
action · mail_picker_smtp_sendgrid · includes\settings-hook.php:685
action · mail_picker_smtp_sendinblue · includes\settings-hook.php:785
action · mail_picker_smtp_postmark · includes\settings-hook.php:892
action · mail_picker_smtp_pepipost · includes\settings-hook.php:977
action · mail_picker_smtp_sparkpost · includes\settings-hook.php:1065
action · mail_picker_smtp_mailgun · includes\settings-hook.php:1107
action · mail_picker_smtp_mailjet · includes\settings-hook.php:1232
action · mail_picker_smtp_sendpulse · includes\settings-hook.php:1354
action · mail_picker_smtp_smtpcom · includes\settings-hook.php:1463
action · mail_picker_smtp_zohomail · includes\settings-hook.php:1620
action · mail_picker_smtp_outlook · includes\settings-hook.php:1731
action · mail_picker_smtp_amazonses · includes\settings-hook.php:1787
action · mail_picker_smtp_turbosmtp · includes\settings-hook.php:1866
action · mail_picker_smtp_mandrill · includes\settings-hook.php:1961
action · mail_picker_smtp_mailify · includes\settings-hook.php:2042
action · mail_picker_smtp_smtp2go · includes\settings-hook.php:2069
action · mail_picker_settings_content_subscriber_source · includes\settings-hook.php:2168
action · mail_picker_subscriber_source_options_wpforms · includes\settings-hook.php:2382
action · mail_picker_subscriber_source_options_formidable · includes\settings-hook.php:2509
action · mail_picker_subscriber_source_options_forminator · includes\settings-hook.php:2633
action · mail_picker_subscriber_source_options_caldera · includes\settings-hook.php:2757
action · mail_picker_subscriber_source_options_weforms · includes\settings-hook.php:2877
action · mail_picker_subscriber_source_options_kaliforms · includes\settings-hook.php:2997
action · mail_picker_subscriber_source_options_mailoptin · includes\settings-hook.php:3116
action · mail_picker_subscriber_source_options_email_subscribers · includes\settings-hook.php:3235
action · mail_picker_subscriber_source_options_cf7 · includes\settings-hook.php:3354
action · mail_picker_subscriber_source_options_newsletter · includes\settings-hook.php:3476
action · mail_picker_settings_content_cron_list · includes\settings-hook.php:3598
action · mail_picker_settings_content_help_support · includes\settings-hook.php:3688
action · mail_picker_settings_save · includes\settings-hook.php:3778
action · plugins_loaded · mail-picker.php:33
filter · cron_schedules · mail-picker.php:34
action · admin_enqueue_scripts · mail-picker.php:35
action · wp_enqueue_scripts · mail-picker.php:164
action · admin_enqueue_scripts · mail-picker.php:165
action · mail_picker_form · templates\mail-picker-form\mail-picker-form.php:7
action · mail_picker_subscriber_submitted_success · templates\mail-picker-form\mail-picker-form.php:172
action · mail_picker_subscriber_submitted_exist · templates\mail-picker-form\mail-picker-form.php:319
action · mail_picker_form_main · templates\mail-picker-form\mail-picker-form.php:338
action · mail_picker_form_main · templates\mail-picker-form\mail-picker-form.php:404

Scheduled Events 2

mail_picker_campaign_check
mail_picker_subscriber_source_check
Maintenance & Trust

PickPlugins Mail Picker — Email Marketing & Newsletters Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 10, 2026
PHP min version
Downloads: 2K

Community Trust

Rating: 60/100
Number of ratings: 1
Active installs: 10
Developer Profile

PickPlugins Mail Picker — Email Marketing & Newsletters Developer Profile

PickPlugins

14 plugins · 94K total installs

Trust score: 67
Avg Security Score: 83/100
Avg Patch Time: 330 days
Detection Fingerprints

How We Detect PickPlugins Mail Picker — Email Marketing & Newsletters

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mail-picker/assets/admin/css/jquery-ui.css
/wp-content/plugins/mail-picker/assets/settings-tabs/settings-tabs.css
/wp-content/plugins/mail-picker/assets/global/css/font-awesome-4.css
/wp-content/plugins/mail-picker/assets/global/css/font-awesome-5.css
/wp-content/plugins/mail-picker/assets/admin/js/scripts.js
/wp-content/plugins/mail-picker/assets/settings-tabs/settings-tabs.js
/wp-content/plugins/mail-picker/assets/admin/js/jquery.lazy.js
Script Paths
https://www.google.com/recaptcha/api.js
Version Parameters
/assets/admin/js/scripts.js?ver=
/assets/settings-tabs/settings-tabs.css?ver=
/assets/settings-tabs/settings-tabs.js?ver=
/assets/global/css/font-awesome-4.css?ver=
/assets/global/css/font-awesome-5.css?ver=
/assets/admin/js/jquery.lazy.js?ver=

HTML / DOM Fingerprints

CSS Classes
mail-picker-form
Data Attributes
data-mailpicker-type
data-mailpicker-postid
JS Globals
mail_picker_ajax
Shortcode Output
[mail_picker_form]
FAQ

Frequently Asked Questions about PickPlugins Mail Picker — Email Marketing & Newsletters