Mailgun for WordPress Security & Risk Analysis

wordpress.org/plugins/mailgun

Easily send email from your WordPress site through Mailgun using the HTTP API or SMTP.

80K active installs · v2.1.10 · PHP 7.4+ · WP 5.6+ · Updated Jan 6, 2026
Tags: api, http, mail, mailgun, smtp
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Mailgun for WordPress Safe to Use in 2026?

Generally Safe

Score 100/100

Mailgun for WordPress has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The Mailgun plugin version 2.1.10 exhibits a generally good security posture with several strengths. The absence of known CVEs and a clean vulnerability history suggest a commitment to security and a lack of previously discovered significant flaws. The code analysis reveals a strong adherence to secure coding practices, including 100% of SQL queries using prepared statements and a high rate of output escaping (94%). This indicates a proactive approach to preventing common vulnerabilities like SQL injection and cross-site scripting.

However, there are notable concerns regarding the plugin's attack surface. Specifically, two out of three AJAX handlers lack authentication checks. This represents a significant risk as any user, including unauthenticated ones, could potentially trigger these handlers, leading to unintended actions or information disclosure. While no critical or high severity taint flows were detected, and dangerous functions are absent, the unprotected AJAX endpoints are a clear area of weakness that could be exploited.

In conclusion, while the plugin's track record and general code quality are positive, the presence of unprotected AJAX endpoints presents a tangible security risk that requires immediate attention. The lack of discovered vulnerabilities is encouraging, but this does not negate the potential dangers posed by the identified insecure entry points. Developers should prioritize implementing proper authentication and authorization checks on these handlers to strengthen the plugin's overall security.

Key Concerns

  • Unprotected AJAX handlers
Vulnerabilities
None known

Mailgun for WordPress Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Mailgun for WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 6 (98 escaped)
Nonce Checks: 1
Capability Checks: 3
File Operations: 4
External Requests: 2
Bundled Libraries: 0

Output Escaping

94% escaped · 104 total outputs
Attack Surface
2 unprotected

Mailgun for WordPress Attack Surface

Entry Points: 4
Unprotected: 2

AJAX Handlers 3

auth    wp_ajax_mailgun-test  includes\admin.php:62
nopriv  wp_ajax_add_list      mailgun.php:557
auth    wp_ajax_add_list      mailgun.php:558

Shortcodes 1

[mailgun] mailgun.php:542
WordPress Hooks 10
action  admin_init              includes\admin.php:56
action  admin_menu              includes\admin.php:59
action  admin_notices           includes\admin.php:258
filter  wp_mail_from            includes\mg-filter.php:342
filter  wp_mail_from            includes\mg-filter.php:358
filter  mg_mutate_to_rcpt_vars  includes\wp-mail-api.php:61
filter  wp_mail                 mailgun.php:102
action  phpmailer_init          mailgun.php:103
action  wp_mail_failed          mailgun.php:104
action  widgets_init            mailgun.php:556
Maintenance & Trust

Mailgun for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jan 6, 2026
PHP min version: 7.4
Downloads: 2.6M

Community Trust

Rating: 76/100
Number of ratings: 48
Active installs: 80K
Developer Profile

Mailgun for WordPress Developer Profile

Mailgun

1 plugin · 80K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Mailgun for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mailgun/assets/js/admin.js
/wp-content/plugins/mailgun/assets/js/frontend.js
/wp-content/plugins/mailgun/assets/css/admin.css
Script Paths
/wp-content/plugins/mailgun/assets/js/admin.js
/wp-content/plugins/mailgun/assets/js/frontend.js
Version Parameters
mailgun/assets/js/admin.js?ver=
mailgun/assets/js/frontend.js?ver=
mailgun/assets/css/admin.css?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- mailgun-wordpress-plugin - Sending mail from Wordpress using Mailgun -->
<!-- Copyright (C) 2016 Mailgun, et al. -->
<!-- This program is free software; you can redistribute it and/or modify -->
<!-- it under the terms of the GNU General Public License as published by -->
(+28 more)
FAQ

Frequently Asked Questions about Mailgun for WordPress