P2 By Email Security & Risk Analysis

wordpress.org/plugins/p2-by-email

Use P2? Use email? Use both!

10 active installs · v1.0 · PHP + · WP 3.4+ · Updated May 9, 2013
Tags: email-notifications, gtd, p2, productivity, workflow
Score: 85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is P2 By Email Safe to Use in 2026?

Generally Safe

Score 85/100

P2 By Email has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 12yr ago
Risk Assessment

The 'p2-by-email' plugin v1.0 demonstrates a generally strong security posture based on the provided static analysis. The complete absence of identifiable attack surface points like AJAX handlers, REST API routes, shortcodes, and cron events is a significant positive, as is the lack of dangerous functions, file operations, and external HTTP requests. The code also shows good practices with 100% of SQL queries using prepared statements and a high percentage (81%) of output being properly escaped. The presence of at least one capability check further indicates an attempt at securing functionalities.

However, the analysis reveals a notable absence of nonce checks across all entry points, which is a significant concern. While the attack surface is reported as zero, this absence of nonces on any potential future or currently undetected entry points could allow for Cross-Site Request Forgery (CSRF) attacks if new functionalities are added or if the reported attack surface is incomplete. The zero taint flows and zero known CVEs suggest a clean history and code, which is positive, but the lack of nonce checks represents a foundational security gap that could be exploited. The plugin's reliance on a single capability check might also be insufficient if it doesn't adequately restrict access to all sensitive operations.

In conclusion, 'p2-by-email' v1.0 has several strengths in its code quality and minimal attack surface. The vulnerability history is clean. The primary weakness lies in the complete lack of nonce checks, which is a critical security oversight for any plugin, regardless of its current attack surface. This needs to be addressed to improve the overall security posture.

Key Concerns

  • Missing nonce checks on all entry points
  • High percentage of unescaped output (19%)
Vulnerabilities
None known

P2 By Email Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

P2 By Email Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 5 (22 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

81% escaped · 27 total outputs
Attack Surface

P2 By Email Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 17
action · p2be_after_setup_actions · inc\class-p2be-email-replies.php:9
action · init · inc\class-p2be-email-replies.php:14
filter · p2be_emails_reply_to_name · inc\class-p2be-email-replies.php:23
filter · p2be_emails_reply_to_email · inc\class-p2be-email-replies.php:24
action · p2be_after_setup_actions · inc\class-p2be-emails.php:8
action · publish_post · inc\class-p2be-emails.php:18
action · wp_insert_comment · inc\class-p2be-emails.php:19
filter · pre_option_comments_notify · inc\class-p2be-emails.php:22
filter · the_title · inc\class-p2be-emails.php:90
filter · the_title · inc\class-p2be-emails.php:115
action · p2be_after_setup_actions · inc\class-p2be-settings.php:13
action · edit_user_profile · inc\class-p2be-settings.php:18
action · show_user_profile · inc\class-p2be-settings.php:19
action · personal_options_update · inc\class-p2be-settings.php:21
action · edit_user_profile_update · inc\class-p2be-settings.php:22
filter · p2be_emails_sent_post · inc\class-p2be-wp-cli.php:32
action · plugins_loaded · p2-by-email.php:120
Maintenance & Trust

P2 By Email Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.6.1
Last updated: May 9, 2013
PHP min version
Downloads: 39K

Community Trust

Rating: 100/100
Number of ratings: 4
Active installs: 10
Developer Profile

P2 By Email Developer Profile

Daniel Bachhuber

9 plugins · 51K total installs

Trust score: 86
Avg Security Score: 88/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect P2 By Email

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/p2-by-email/inc/what-the-email/what-the-email.php

HTML / DOM Fingerprints

Data Attributes
p2be_plugin_basenname, p2be_plugin_dir_path, p2be_plugin_dir_url, p2be_emails_from_name, p2be_email_replies_enabled, p2be_emails_reply_to_name, +1 more