MailHawk — Simple SMTP, Email Delivery, and Email Logging Security & Risk Analysis

wordpress.org/plugins/mailhawk

An easier SMTP service for WordPress. Improve your WordPress email deliverability!

400 active installs v1.3.5 PHP 7.0+ WP 5.0+ Updated Sep 15, 2025
Tags: email, smtp, smtp-plugin, wordpress-smtp, wp-mail-smtp
97
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Apr 9, 2025
Safety Verdict

Is MailHawk — Simple SMTP, Email Delivery, and Email Logging Safe to Use in 2026?

Generally Safe

Score 97/100

MailHawk — Simple SMTP, Email Delivery, and Email Logging has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Apr 9, 2025 · Updated 8mo ago
Risk Assessment

The MailHawk plugin v1.3.5 exhibits a mixed security posture. While it demonstrates good practices in areas like prepared SQL statements and output escaping, there are significant concerns regarding its attack surface and past vulnerabilities. The presence of two AJAX handlers, one of which lacks authentication checks, and a REST API route without a permission callback creates direct entry points for potential attackers. The static analysis also flagged the use of the `unserialize` function, a known source of vulnerabilities when applied to untrusted input, though no specific exploit flows were identified in the taint analysis. The vulnerability history is a major red flag, indicating a past critical vulnerability related to Remote File Inclusion. The CVE is in the past and is not marked as currently unpatched, which is a slight positive, but the pattern of past critical flaws warrants caution. Overall, the plugin has some solid security implementations but is undermined by unprotected entry points and a history of critical security issues.

Key Concerns

  • Unprotected AJAX handler identified
  • Unprotected REST API route identified
  • Use of 'unserialize' function
  • Past critical vulnerability (RFI)
Vulnerabilities
1 published

MailHawk — Simple SMTP, Email Delivery, and Email Logging Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Critical: 1

1 total CVE

CVE-2025-31015 · critical · 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WordPress SMTP Service, Email Delivery Solved! — MailHawk <= 1.3.1 - Unauthenticated Local File Inclusion

Apr 9, 2025 · Patched in 1.3.2 (8d)
Version History

MailHawk — Simple SMTP, Email Delivery, and Email Logging Release Timeline

v1.3.5 (Current)
v1.3.4.1
v1.3.4
v1.3.3
v1.3.2
v1.3.1 (1 CVE)
v1.3 (1 CVE)
v1.2.4 (1 CVE)
v1.2.3 (1 CVE)
v1.2.2 (1 CVE)
v1.2.1 (1 CVE)
v1.2 (1 CVE)
v1.1.2 (1 CVE)
v1.1.1 (1 CVE)
v1.1 (1 CVE)
v1.0.15 (1 CVE)
v1.0.14 (1 CVE)
v1.0.13 (1 CVE)
v1.0.12 (1 CVE)
v1.0.11 (1 CVE)
Code Analysis
Analyzed Mar 16, 2026

MailHawk — Simple SMTP, Email Delivery, and Email Logging Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 5 (22 prepared)
Unescaped Output: 24 (147 escaped)
Nonce Checks: 15
Capability Checks: 8
File Operations: 4
External Requests: 2
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$data = unserialize( $serialized );` · includes\classes\base-object.php:346

SQL Query Safety

81% prepared · 27 total queries

Output Escaping

86% escaped · 171 total outputs
Attack Surface
2 unprotected

MailHawk — Simple SMTP, Email Delivery, and Email Logging Attack Surface

Entry Points: 3
Unprotected: 2

AJAX Handlers 2

auth · wp_ajax_mailhawk_preview_email · admin\admin.php:56
auth · wp_ajax_mailhawk_groundhogg_remote_install · includes\groundhogg.php:22

REST API Routes 1

GET · /wp-json/mailhawk/listen · api\webhook-listener.php:21

WordPress Hooks 61

action · admin_enqueue_scripts · admin\admin.php:44
action · admin_menu · admin\admin.php:47
action · admin_notices · admin\admin.php:50
action · admin_notices · admin\admin.php:51
action · load-tools_page_mailhawk · admin\admin.php:54
action · mailhawk_notices · admin\admin.php:92
action · mailhawk_notices · admin\admin.php:101
action · mailhawk_notices · admin\admin.php:271
action · mailhawk_notices · admin\admin.php:277
action · mailhawk_notices · admin\admin.php:281
action · mailhawk_notices · admin\admin.php:308
action · mailhawk_notices · admin\admin.php:320
action · wp_mail_failed · admin\admin.php:365
action · mailhawk_notices · admin\admin.php:372
action · mailhawk_notices · admin\admin.php:389
action · mailhawk_notices · admin\admin.php:401
action · mailhawk_notices · admin\admin.php:475
action · wp_mail_failed · admin\admin.php:492
action · mailhawk_notices · admin\admin.php:501
action · mailhawk_notices · admin\admin.php:503
action · mailhawk_notices · admin\admin.php:527
action · mailhawk_notices · admin\admin.php:563
action · mailhawk_notices · admin\admin.php:589
action · wp_mail_failed · admin\admin.php:604
action · mailhawk_notices · admin\admin.php:614
action · mailhawk_notices · admin\admin.php:629
action · mailhawk_notices · admin\admin.php:654
action · mailhawk_notices · admin\admin.php:668
action · mailhawk_notices · admin\admin.php:669
filter · admin_footer_text · admin\admin.php:670
action · wp_mail_failed · includes\classes\email-log-item.php:78
action · phpmailer_init · includes\classes\email-log-item.php:79
action · init · includes\cron-events.php:11
action · mailhawk_trim_log_entries · includes\cron-events.php:13
action · mailhawk_trim_blacklist_entries · includes\cron-events.php:14
action · mailhawk_retry_failed_emails · includes\cron-events.php:15
filter · wp_mail_from · includes\functions.php:709
filter · wp_mail_from_name · includes\functions.php:710
action · wp_mail_failed · includes\functions.php:741
action · fue_before_test_email_send · includes\functions.php:746
action · admin_notices · includes\pluggable.php:24
action · rest_api_init · includes\plugin.php:155
filter · fue_mail_method · includes\plugin.php:160
action · plugins_loaded · includes\plugin.php:198
action · mailhawk/send_quarantine_notice · includes\quarantine.php:13
filter · mailhawk/assess_risk · includes\quarantine.php:14
action · mailhawk/wp_mail/sent · includes\telemetry.php:10
action · init · includes\telemetry.php:11
action · mailhawk/monthly · includes\telemetry.php:12
action · admin_init · includes\utils\installer.php:20
action · wp_insert_site · includes\utils\installer.php:25
filter · wpmu_drop_tables · includes\utils\installer.php:26
action · activated_plugin · includes\utils\installer.php:27
action · admin_init · includes\utils\updater.php:31
action · admin_init · includes\utils\updater.php:32
action · mailhawk/activated · includes\utils\updater.php:35
action · admin_notices · includes\utils\updater.php:229
action · admin_notices · includes\utils\updater.php:244
action · plugins_loaded · mailhawk.php:38
action · admin_notices · mailhawk.php:43
action · admin_notices · mailhawk.php:45

Scheduled Events 2

mailhawk/send_quarantine_notice
mailhawk/monthly
Maintenance & Trust

MailHawk — Simple SMTP, Email Delivery, and Email Logging Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Sep 15, 2025
PHP min version: 7.0
Downloads: 89K

Community Trust

Rating: 68/100
Number of ratings: 10
Active installs: 400
Developer Profile

MailHawk — Simple SMTP, Email Delivery, and Email Logging Developer Profile

Adrian Tobey

7 plugins · 6K total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 249 days
Detection Fingerprints

How We Detect MailHawk — Simple SMTP, Email Delivery, and Email Logging

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/mailhawk/assets/css/admin.css
  • /wp-content/plugins/mailhawk/assets/css/admin-settings.css
  • /wp-content/plugins/mailhawk/assets/css/email-logs.css
  • /wp-content/plugins/mailhawk/assets/css/frontend.css
  • /wp-content/plugins/mailhawk/assets/js/admin.js
  • /wp-content/plugins/mailhawk/assets/js/admin-settings.js
  • /wp-content/plugins/mailhawk/assets/js/email-logs.js
  • /wp-content/plugins/mailhawk/assets/js/frontend.js
Script Paths
  • /wp-content/plugins/mailhawk/assets/js/admin.js
  • /wp-content/plugins/mailhawk/assets/js/admin-settings.js
  • /wp-content/plugins/mailhawk/assets/js/email-logs.js
  • /wp-content/plugins/mailhawk/assets/js/frontend.js
Version Parameters
  • mailhawk/assets/css/admin.css?ver=
  • mailhawk/assets/css/admin-settings.css?ver=
  • mailhawk/assets/css/email-logs.css?ver=
  • mailhawk/assets/css/frontend.css?ver=
  • mailhawk/assets/js/admin.js?ver=
  • mailhawk/assets/js/admin-settings.js?ver=
  • mailhawk/assets/js/email-logs.js?ver=
  • mailhawk/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • mailhawk-branding
  • mailhawk-admin-wrapper
  • mailhawk-email-log-table
  • mailhawk-log-preview-modal
  • mailhawk-setup-wizard
HTML Comments
<!-- MailHawk -->
Data Attributes
  • data-mailhawk-email-id
  • data-mailhawk-modal-target
  • data-mailhawk-nonce
JS Globals
  • MailHawkAdmin
  • MailHawkFrontend
  • mailhawk_preview_data
REST Endpoints
  • /wp-json/mailhawk/v1/preview-email
  • /wp-json/mailhawk/v1/logs
FAQ

Frequently Asked Questions about MailHawk — Simple SMTP, Email Delivery, and Email Logging