MailerLite – Signup forms (official) Security & Risk Analysis

wordpress.org/plugins/official-mailerlite-sign-up-forms

Add newsletter signup forms to your WordPress site. Subscribers will be saved directly to your MailerLite account. Super easy to set up!

100K active installs v1.7.22 PHP 7.2.5+ WP 3.0.1+ Updated Apr 14, 2026
Tags: form · mailerlite · newsletter · subscribe · webform

Score: 86 (A · Safe)
CVEs total: 8
Unpatched: 0
Last CVE: Jan 28, 2026

Safety Verdict

Is MailerLite – Signup forms (official) Safe to Use in 2026?

Generally Safe

Score 86/100

MailerLite – Signup forms (official) has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

8 known CVEs · Last CVE: Jan 28, 2026 · Updated 1mo ago

Risk Assessment

The "official-mailerlite-sign-up-forms" plugin exhibits a mixed security posture. While it demonstrates good practices in SQL query handling and includes a reasonable number of nonce and capability checks, significant concerns remain. The unprotected AJAX handlers present a direct attack surface that is reachable by unauthenticated users. Furthermore, the taint analysis revealed two high-severity flows with unsanitized paths, indicating potential vulnerabilities that could lead to data compromise or unauthorized actions. The plugin's vulnerability history is a major red flag, with a substantial number of past CVEs, including critical and high-severity issues. The recurring vulnerability types (Missing Authorization, CSRF, XSS, and SQL Injection), coupled with a recent critical vulnerability, suggest a pattern of security weaknesses that has not been fully addressed.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows
  • Critical past CVE
  • High past CVE
  • Medium past CVEs (5)
  • Low output escaping
  • Dangerous function (unserialize)
  • Bundled library (TinyMCE)

Vulnerabilities · 8 published

MailerLite – Signup forms (official) Security Vulnerabilities

CVEs by Year

2020: 2 CVEs
2022: 2 CVEs
2024: 2 CVEs
2025: 1 CVE
2026: 1 CVE
Legend: Patched · Has unpatched

Severity Breakdown

Critical: 1
High: 1
Medium: 6

8 total CVEs

CVE-2026-25420 · medium · 4.3 · Missing Authorization

MailerLite – Signup forms (official) <= 1.7.18 - Missing Authorization

Jan 28, 2026 Patched in 1.7.19 (97d)
CVE-2025-13993 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MailerLite – Signup forms (official) <= 1.7.16 - Authenticated (Administrator+) Stored Cross-Site Scripting

Dec 11, 2025 Patched in 1.7.17 (1d)
CVE-2024-1386 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MailerLite – Signup forms (official) 1.5.0 - 1.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 29, 2024 Patched in 1.7.7 (4d)
CVE-2024-2797 · medium · 5.3 · Missing Authorization

MailerLite – Signup forms (official) <= 1.7.6 - Missing Authorization

Apr 29, 2024 Patched in 1.7.7 (4d)
CVE-2022-33201 · high · 8.8 · Cross-Site Request Forgery (CSRF)

MailerLite – Signup forms (official) <= 1.5.7 - Cross-Site Request Forgery

Aug 1, 2022 Patched in 1.5.8 (540d)
CVE-2022-1604 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MailerLite - Signup forms <= 1.5.3 - Reflected Cross-Site Scripting

May 18, 2022 Patched in 1.5.4 (615d)
WF-ec9cd4a8-286e-43d7-8cb6-6cc363800e20-official-mailerlite-sign-up-forms · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

MailerLite Signup Forms < 1.4.4 - Unauthenticated SQL Injection

May 22, 2020 Patched in 1.4.4 (1341d)

MailerLite – Signup forms <= 1.4.4 - Cross-Site Request Forgery

May 22, 2020 Patched in 1.4.5 (1341d)

Version History

MailerLite – Signup forms (official) Release Timeline

v1.7.22 · Current
v1.7.21
v1.7.20 · 5 files changed
v1.7.19 · 4 files changed
v1.7.18 · 1 CVE · 2 files changed
v1.7.17 · 1 CVE · 3 files changed
v1.7.16 · 2 CVEs · 4 files changed
v1.7.15 · 2 CVEs · 2 files changed
v1.7.14 · 2 CVEs · 3 files changed
v1.7.13 · 2 CVEs · 3 files changed
v1.7.12 · 2 CVEs · 2 files changed
v1.7.11 · 2 CVEs · 13 files changed
v1.7.10 · 2 CVEs · 2 files changed
v1.7.9 · 2 CVEs · 13 files changed
v1.7.8 · 2 CVEs · 45 files changed
v1.7.7 · 2 CVEs · 5 files changed
v1.7.6 · 4 CVEs · 3 files changed
v1.7.5 · 4 CVEs · 3 files changed
v1.7.4 · 4 CVEs · 2 files changed
v1.7.3 · 4 CVEs · 9 files changed

Code Analysis
Analyzed Mar 16, 2026

MailerLite – Signup forms (official) Code Analysis

Dangerous Functions: 7
Raw SQL Queries: 1 (20 prepared)
Unescaped Output: 184 (42 escaped)
Nonce Checks: 10
Capability Checks: 5
File Operations: 0
External Requests: 2
Bundled Libraries: 1

Dangerous Functions Found

unserialize · $form->data = unserialize( $form->data ); · src\Controllers\AdminController.php:108
unserialize · $form->data = unserialize($form->data); · src\Controllers\AdminController.php:439
unserialize · $form->data = unserialize( $form->data ); · src\Modules\Form.php:109
unserialize · $form_data = unserialize($form->data); · src\Modules\Form.php:239
unserialize · $data = unserialize( $form->data ); · src\Modules\Gutenberg.php:92
unserialize · $form_data = unserialize( $form->data ); · src\Modules\Shortcode.php:150
unserialize · $form_data = unserialize( $form->data ); · src\Modules\Widget.php:49

Bundled Libraries

TinyMCE

SQL Query Safety

95% prepared · 21 total queries

Output Escaping

19% escaped · 226 total outputs

Data Flows · Security
6 unsanitized

Data Flow Analysis

17 flows · 6 with unsanitized paths
view (src\Admin\Views\EditCustomView.php:35)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized

Attack Surface
3 unprotected

MailerLite – Signup forms (official) Attack Surface

Entry Points: 11
Unprotected: 3

AJAX Handlers 10

auth · wp_ajax_mailerlite_get_more_groups · src\Admin\Hooks.php:35
nopriv · wp_ajax_mailerlite_subscribe_form · src\Modules\Form.php:43
auth · wp_ajax_mailerlite_subscribe_form · src\Modules\Form.php:47
auth · wp_ajax_ml_create_nonce · src\Modules\Form.php:52
nopriv · wp_ajax_ml_create_nonce · src\Modules\Form.php:57
auth · wp_ajax_mailerlite_gutenberg_forms · src\Modules\Gutenberg.php:41
auth · wp_ajax_mailerlite_gutenberg_form_preview · src\Modules\Gutenberg.php:46
auth · wp_ajax_mailerlite_gutenberg_form_preview2 · src\Modules\Gutenberg.php:51
auth · wp_ajax_mailerlite_tinymce_window · src\Modules\Shortcode.php:23
auth · wp_ajax_mailerlite_redirect_to_form_edit · src\Modules\Shortcode.php:28

Shortcodes 1

[mailerlite_form] src\Modules\Shortcode.php:16

WordPress Hooks 27

action · admin_menu · src\Admin\Hooks.php:28
action · admin_enqueue_scripts · src\Admin\Hooks.php:49
action · admin_notices · src\Admin\Settings.php:31
action · admin_notices · src\Admin\Settings.php:41
action · admin_notices · src\Admin\Settings.php:67
action · admin_notices · src\Admin\Settings.php:76
action · admin_notices · src\Admin\Settings.php:109
action · admin_notices · src\Admin\Settings.php:119
action · admin_notices · src\Admin\Settings.php:138
action · admin_notices · src\Admin\Settings.php:148
action · admin_notices · src\Controllers\AdminController.php:80
filter · wp_default_editor · src\Controllers\AdminController.php:111
action · admin_notices · src\Controllers\AdminController.php:269
action · admin_notices · src\Core.php:72
action · admin_notices · src\Core.php:84
action · init · src\Hooks.php:53
action · wp_head · src\Hooks.php:69
action · wp_head · src\Hooks.php:77
action · init · src\Hooks.php:83
action · wp_enqueue_scripts · src\Hooks.php:90
action · init · src\Hooks.php:97
action · init · src\Hooks.php:103
action · init · src\Hooks.php:109
action · widgets_init · src\Hooks.php:115
action · enqueue_block_editor_assets · src\Modules\Gutenberg.php:35
filter · mce_buttons · src\Modules\Shortcode.php:34
filter · mce_external_plugins · src\Modules\Shortcode.php:40

Maintenance & Trust

MailerLite – Signup forms (official) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 14, 2026
PHP min version: 7.2.5
Downloads: 2.2M

Community Trust

Rating: 60/100
Number of ratings: 40
Active installs: 100K

Developer Profile

MailerLite – Signup forms (official) Developer Profile

MailerLite

3 plugins · 132K total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 334 days

Detection Fingerprints

How We Detect MailerLite – Signup forms (official)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/official-mailerlite-sign-up-forms/assets/css/mailerlite.css
/wp-content/plugins/official-mailerlite-sign-up-forms/assets/css/mailerlite_forms.css
/wp-content/plugins/official-mailerlite-sign-up-forms/assets/js/mailerlite_block.js
Script Paths
/wp-content/plugins/official-mailerlite-sign-up-forms/assets/js/mailerlite_block.js
Version Parameters
official-mailerlite-sign-up-forms/assets/css/mailerlite.css?ver=
official-mailerlite-sign-up-forms/assets/css/mailerlite_forms.css?ver=
official-mailerlite-sign-up-forms/assets/js/mailerlite_block.js?ver=

HTML / DOM Fingerprints

CSS Classes
mailerlite-form-block
JS Globals
mailerlite_form_block
REST Endpoints
/wp-json/mailerlite/v1/gutenberg-forms
/wp-json/mailerlite/v1/gutenberg-form-preview
/wp-json/mailerlite/v1/gutenberg-form-preview2

FAQ

Frequently Asked Questions about MailerLite – Signup forms (official)