Pigeon Pack Security & Risk Analysis

wordpress.org/plugins/pigeon-pack

Free and easy email marketing, newsletters, and campaigns; built into your WordPress dashboard!

10 active installs · v1.3.0 · PHP + WP 3.4+ · Updated Feb 4, 2017
Tags: campaign, email, email-marketing, newsletter, widget
Score: 85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Pigeon Pack Safe to Use in 2026?

Generally Safe

Score 85/100

Pigeon Pack has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 9yr ago
Risk Assessment

The "pigeon-pack" v1.3.0 plugin demonstrates a generally good security posture with a well-defined attack surface and strong adherence to WordPress security best practices in several areas. The complete absence of known CVEs and unpatched vulnerabilities in its history is a significant positive, suggesting a history of responsible development and maintenance.

However, the static analysis reveals some areas of concern. The plugin contains one call to `unserialize`, a known risky function that can lead to deserialization vulnerabilities if not handled with extreme care and robust input validation; here it is applied to the body of a remote HTTP response (class.php:1156). Furthermore, a substantial 86% of output operations are not properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. The taint analysis also highlights 6 high-severity flows with unsanitized paths, which correlate directly with potential vulnerabilities, likely XSS or other injection attacks due to the unescaped output.

While the plugin boasts no unpatched vulnerabilities, which is commendable, the static analysis points to inherent risks within the current codebase that could manifest as new vulnerabilities if not addressed. The strengths lie in its minimal attack surface with all entry points seemingly protected and the consistent use of prepared statements for SQL queries. However, the significant number of unescaped outputs and the high-severity taint flows are critical weaknesses that require immediate attention to mitigate the risk of exploitation.

Key Concerns

  • High percentage of unsanitized output flows
  • Dangerous function 'unserialize' found
  • High number of taint flows with unsanitized paths
  • Low percentage of properly escaped outputs
Vulnerabilities
None known

Pigeon Pack Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Pigeon Pack Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (20 prepared)
Unescaped Output: 102 (17 escaped)
Nonce Checks: 9
Capability Checks: 3
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

unserialize: `$response = unserialize( wp_remote_retrieve_body( $request ) );` (class.php:1156)

SQL Query Safety

100% prepared · 20 total queries

Output Escaping

14% escaped · 119 total outputs
Data Flows
7 unsanitized

Data Flow Analysis

10 flows · 7 with unsanitized paths
<class> (class.php:0)
[Data flow graph legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface

Pigeon Pack Attack Surface

Entry Points: 8
Unprotected: 0

AJAX Handlers 6

auth · wp_ajax_verify · class.php:41
auth · wp_ajax_add_pigeonpack_subscriber · list-post-type.php:1457
nopriv · wp_ajax_add_pigeonpack_subscriber · list-post-type.php:1458
auth · wp_ajax_edit_pigeonpack_subscriber · list-post-type.php:1481
auth · wp_ajax_update_pigeonpack_subscriber · list-post-type.php:1517
auth · wp_ajax_delete_pigeonpack_subscribers · list-post-type.php:1538

Shortcodes 2

[pigeonpack_subscribe_form] shortcodes.php:25
[pigeonpack_user_optin_form] shortcodes.php:26
WordPress Hooks 32
action · init · campaign-post-type.php:62
filter · manage_edit-pigeonpack_campaign_columns · campaign-post-type.php:85
filter · manage_pigeonpack_campaign_posts_custom_column · campaign-post-type.php:115
filter · manage_edit-pigeonpack_campaign_sortable_columns · campaign-post-type.php:133
filter · posts_clauses_request · campaign-post-type.php:170
action · save_post_pigeonpack_campaign · campaign-post-type.php:695
action · after_delete_post · campaign-post-type.php:804
action · admin_init · class.php:33
action · admin_enqueue_scripts · class.php:35
action · admin_print_styles · class.php:36
action · wp_enqueue_scripts · class.php:37
action · admin_menu · class.php:39
action · transition_post_status · class.php:43
action · wp · class.php:45
action · show_user_profile · class.php:48
action · edit_user_profile · class.php:49
action · personal_options_update · class.php:50
action · edit_user_profile_update · class.php:51
action · phpmailer_init · functions.php:105
action · phpmailer_init · functions.php:117
action · scheduled_pigeonpack_double_optin_mail · functions.php:122
action · pre_user_query · functions.php:469
action · phpmailer_init · functions.php:921
action · phpmailer_init · functions.php:962
action · scheduled_pigeonpack_mail · functions.php:990
action · scheduled_wp_post_digest_campaign · functions.php:1114
action · init · list-post-type.php:63
action · save_post_pigeonpack_list · list-post-type.php:1013
action · after_delete_post · list-post-type.php:1561
action · plugins_loaded · pigeonpack.php:66
action · init · pigeonpack.php:97
action · widgets_init · widgets.php:21

Scheduled Events 5

scheduled_pigeonpack_mail
scheduled_pigeonpack_double_optin_mail
scheduled_wp_post_digest_campaign
scheduled_pigeonpack_mail
scheduled_wp_post_digest_campaign
Maintenance & Trust

Pigeon Pack Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.8.28
Last updated: Feb 4, 2017
PHP min version
Downloads: 5K

Community Trust

Rating: 76/100
Number of ratings: 4
Active installs: 10
Developer Profile

Pigeon Pack Developer Profile

Lew Ayotte

5 plugins · 270 total installs

Trust score: 86
Avg Security Score: 88/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Pigeon Pack

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/pigeon-pack/css/pigeonpack-admin.css
/wp-content/plugins/pigeon-pack/css/pigeonpack.css
/wp-content/plugins/pigeon-pack/js/pigeonpack-admin.js
/wp-content/plugins/pigeon-pack/js/pigeonpack.js
/wp-content/plugins/pigeon-pack/js/pigeonpack-admin-shortcodes.js
/wp-content/plugins/pigeon-pack/images/pigeon-16x16.png

Script Paths
/wp-content/plugins/pigeon-pack/js/pigeonpack-admin.js
/wp-content/plugins/pigeon-pack/js/pigeonpack.js
/wp-content/plugins/pigeon-pack/js/pigeonpack-admin-shortcodes.js

Version Parameters
pigeon-pack/css/pigeonpack-admin.css?ver=
pigeon-pack/css/pigeonpack.css?ver=
pigeon-pack/js/pigeonpack-admin.js?ver=
pigeon-pack/js/pigeonpack.js?ver=
pigeon-pack/js/pigeonpack-admin-shortcodes.js?ver=

HTML / DOM Fingerprints

CSS Classes
pigeonpack-admin-form-field
pigeonpack-label

HTML Comments
<!-- Premium Plugin Filters -->
<!-- Main PHP file used to for initial calls to Pigeon Pack classes and functions. -->
<!-- ATTENTION: This is *only* done during plugin activation hook in this example! -->
<!-- You should *NEVER EVER* do this on every page load!! -->
+4 more

Data Attributes
data-pigeonpack-nonce

JS Globals
pigeonpack
PIGEON_PACK_AJAX_URL

Shortcode Output
[pigeon_pack_subscribe_form]