Does MultiMailer have any unpatched vulnerabilities?

Yes — MultiMailer currently has 2 unpatched vulnerabilities. We recommend switching to an alternative or applying any available workarounds.

Is MultiMailer compatible with WordPress 6.6.5?

According to WordPress.org data, MultiMailer 1.0.3 has been tested up to WordPress 6.6.5. Check the plugin's changelog for the latest compatibility information.

How often is MultiMailer updated?

MultiMailer was last updated on Oct 18, 2024. Frequent updates are generally a positive security signal.

What is MultiMailer's security score?

MultiMailer has a WP-Safety security score of 49/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

MultiMailer Security & Risk Analysis

wordpress.org/plugins/scand-multi-mailer

Send data from one contact form to multiple email addresses or save data into log file.

20 active installs v1.0.3 PHP + WP 5.5.0+ Updated Oct 18, 2024

contact-formemail-logphp-mailerscandltdsmtp

D · High Risk

CVEs total2

Unpatched2

Last CVEApr 9, 2025

Plugin page Download

Safety Verdict

Is MultiMailer Safe to Use in 2026?

High Risk

Score 49/100

MultiMailer carries significant security risk with 2 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.

2 known CVEs 2 unpatched Last CVE: Apr 9, 2025Updated 1yr ago

Risk Assessment

The scand-multi-mailer plugin v1.0.3 exhibits a mixed security posture. On one hand, it demonstrates good practices by utilizing prepared statements for all SQL queries and by escaping a significant portion of its output. The attack surface appears to be minimal, with no identified AJAX handlers, REST API routes, shortcodes, or cron events that are directly exposed without authentication. However, significant concerns arise from the presence of the `unserialize` function, which is notoriously dangerous when handling user-supplied input and can lead to deserialization vulnerabilities. Despite the taint analysis not flagging any critical or high severity flows, the existence of three flows with unsanitized paths is a red flag. The vulnerability history is particularly alarming, with two known medium severity CVEs, both of which are currently unpatched. The recurring types of vulnerabilities, Cross-Site Scripting and Cross-Site Request Forgery, suggest potential weaknesses in input validation and state-changing operation protection. The last reported vulnerability being very recent further underscores the need for immediate attention.

Key Concerns

Unpatched medium severity CVEs
Use of dangerous unserialize function
Flows with unsanitized paths detected
Missing nonce checks
Capability checks missing
Vulnerabilities include XSS and CSRF
Output escaping is not fully implemented
Bundled outdated library (PHPMailer implied)

Vulnerabilities

MultiMailer Security Vulnerabilities

CVEs by Year

2 CVEs in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

Medium

2 total CVEs

CVE-2025-32517medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MultiMailer <= 1.0.3 - Reflected Cross-Site Scripting

Apr 9, 2025Unpatched

CVE-2025-32505medium · 6.1Cross-Site Request Forgery (CSRF)

MultiMailer <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Apr 9, 2025Unpatched

Code Analysis

Analyzed Mar 16, 2026

MultiMailer Code Analysis

Dangerous Functions

Raw SQL Queries

3 prepared

Unescaped Output

29 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$data = unserialize( $row->data );providers\class-provider-repository.php:106

unserialize$data = unserialize( $row->data );providers\class-provider-repository.php:137

Bundled Libraries

PHPMailer

SQL Query Safety

100% prepared3 total queries

Output Escaping

59% escaped49 total outputs

Data Flows

3 unsanitized

Data Flow Analysis

4 flows3 with unsanitized paths

show_form (providers\class-multi-mailer.php:166)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

MultiMailer Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 6

actionadmin_initproviders\class-multi-mailer.php:26

actionadmin_enqueue_scriptsproviders\class-multi-mailer.php:27

actionadmin_menuproviders\class-multi-mailer.php:28

filterwp_mailproviders\class-multi-mailer.php:50

actioninitscand-multi-mailer.php:46

actioninitscand-multi-mailer.php:48

Maintenance & Trust

MultiMailer Maintenance & Trust

Maintenance Signals

WordPress version tested6.6.5

Last updatedOct 18, 2024

PHP min version

Downloads7K

Community Trust

Rating100/100

Number of ratings1

Active installs20

Alternatives

MultiMailer Alternatives

WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin

wp-mail-smtp

Make email delivery easy for WordPress. Connect with SMTP, Gmail, Outlook, SendGrid, Mailgun, SES, Zoho, + more. Rated #1 WordPress SMTP Email plugin.

4.0M 2 CVEs

Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more

easy-wp-smtp

Make SMTP email sending and delivery easy. Configure Gmail, Outlook, Brevo, SendGrid, Mailgun, SendLayer or connect to any SMTP server.

500K 8 CVEs

Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App

post-smtp

Improve WordPress email deliverability. Connect Gmail SMTP, Microsoft 365, Brevo, SendGrid, Mailgun, Zoho, Amazon SES, etc. #1 WordPress SMTP Plugin.

400K 21 CVEs

WP Mail Logging

wp-mail-logging

Log, view, and resend all emails sent from your WordPress site. Great for resolving email sending issues or keeping a copy for auditing.

300K 6 CVEs

Site Mailer – SMTP Replacement, Email API Deliverability & Email Log

site-mailer

Effortlessly manage transactional emails with Site Mailer. High deliverability, logs and statistics, and no SMTP plugins needed.

200K 1 CVE

Developer Profile

MultiMailer Developer Profile

SCAND

3 plugins · 330 total installs

trust score

Avg Security Score

78/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect MultiMailer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/scand-multi-mailer/css/scand-multi-mailer-admin.css

Script Paths

/wp-content/plugins/scand-multi-mailer/js/scand-multi-mailer-admin.js

Version Parameters

scand-multi-mailer/js/scand-multi-mailer-admin.js?ver=scand-multi-mailer/css/scand-multi-mailer-admin.css?ver=

HTML / DOM Fingerprints

CSS Classes

plugin-titlepage-title-action

Data Attributes

data-form-iddata-idname_provider

FAQ

MultiMailer Security & Risk Analysis

Is MultiMailer Safe to Use in 2026?

High Risk

Key Concerns

MultiMailer Security Vulnerabilities

CVEs by Year

Severity Breakdown

MultiMailer Code Analysis

Dangerous Functions Found

Bundled Libraries

SQL Query Safety

Output Escaping

Data Flow Analysis

MultiMailer Attack Surface

MultiMailer Maintenance & Trust

Maintenance Signals

Community Trust

MultiMailer Alternatives

WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin

Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more

Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App

WP Mail Logging

Site Mailer – SMTP Replacement, Email API Deliverability & Email Log

MultiMailer Developer Profile

How We Detect MultiMailer

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about MultiMailer