Sender by BestWebSoft Security & Risk Analysis

wordpress.org/plugins/sender

Send bulk email messages to WordPress users. Custom templates, advanced settings and detailed reports.

90 active installs · v1.4.1 · PHP + · WP 5.6+ · Updated Jun 5, 2025
Tags: mail-sender, mail-sender-plugin, mailout, sender, sender-plugin
100
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Aug 20, 2019
Safety Verdict

Is Sender by BestWebSoft Safe to Use in 2026?

Generally Safe

Score 100/100

Sender by BestWebSoft has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Aug 20, 2019 · Updated 10mo ago
Risk Assessment

The sender plugin version 1.4.1 exhibits a generally good security posture, with a significant majority of SQL queries using prepared statements and a high percentage of output properly escaped. The static analysis also shows a healthy number of nonce and capability checks relative to the identified entry points. However, the taint analysis raises concerns: three flows have unsanitized paths. While none were classified as critical or high severity, these flows are potential avenues for vulnerabilities if they prove exploitable.

The vulnerability history reveals a single medium-severity CVE in the past, which was related to Cross-Site Scripting. That this CVE has been patched is positive, but the historical presence of such vulnerabilities suggests a need for continued vigilance in code review, especially concerning input sanitization. The limited number of known CVEs is a positive indicator, but the presence of unsanitized taint flows warrants attention.

In conclusion, the sender plugin has strong defenses in place regarding prepared statements and output escaping. The main area of concern lies in the identified unsanitized taint flows, which, despite not currently being flagged as critical, require investigation and remediation. The historical CVE also points to the importance of robust input validation. Overall, while the plugin is not inherently insecure, these specific findings represent potential risks that should be addressed.

Key Concerns

  • Taint flows with unsanitized paths (High severity x3)
  • 3 flows with unsanitized paths
  • 1 medium CVE history (Improper Neutralization of Input During Web Page Generatio
Vulnerabilities
1

Sender by BestWebSoft Security Vulnerabilities

CVEs by Year

1 CVE in 2019

Severity Breakdown

Medium: 1

1 total CVE

CVE-2017-18564 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Sender by BestWebSoft <= 1.2.0 - Reflected Cross-Site Scripting

Aug 20, 2019 · Patched in 1.2.1 (1617d)
Code Analysis
Analyzed Mar 16, 2026

Sender by BestWebSoft Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 34 (49 prepared)
Unescaped Output: 24 (570 escaped)
Nonce Checks: 24
Capability Checks: 3
File Operations: 2
External Requests: 6
Bundled Libraries: 0

SQL Query Safety

59% prepared · 83 total queries

Output Escaping

96% escaped · 594 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

12 flows · 3 with unsanitized paths
bws_add_menu_render (bws_menu\bws_menu.php:12)
Attack Surface

Sender by BestWebSoft Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers 2

auth · wp_ajax_bws_submit_request_feature_action · bws_menu\class-bws-settings.php:1453
auth · wp_ajax_bws_submit_uninstall_reason_action · bws_menu\deactivation-form.php:433
WordPress Hooks 27
filter · load_textdomain_mofile · bws_menu\bws_functions.php:37
filter · mce_external_plugins · bws_menu\bws_functions.php:1098
filter · mce_buttons · bws_menu\bws_functions.php:1099
action · admin_init · bws_menu\bws_functions.php:1374
action · admin_enqueue_scripts · bws_menu\bws_functions.php:1375
action · admin_head · bws_menu\bws_functions.php:1376
action · admin_footer · bws_menu\bws_functions.php:1377
action · admin_notices · bws_menu\bws_functions.php:1379
action · wp_enqueue_scripts · bws_menu\bws_functions.php:1381
filter · cron_schedules · includes\class-sndr-settings.php:94
filter · cron_schedules · sender.php:980
action · network_admin_menu · sender.php:2323
action · admin_menu · sender.php:2325
action · plugins_loaded · sender.php:2328
filter · plugin_action_links · sender.php:2330
filter · plugin_row_meta · sender.php:2331
action · profile_personal_options · sender.php:2333
action · user_register · sender.php:2334
action · init · sender.php:2336
action · admin_init · sender.php:2337
action · admin_enqueue_scripts · sender.php:2338
action · profile_update · sender.php:2339
filter · cron_schedules · sender.php:2340
action · sndr_mail_hook · sender.php:2341
filter · set-screen-option · sender.php:2342
action · admin_notices · sender.php:2344
action · network_admin_notices · sender.php:2345

Scheduled Events 1

sndr_mail_hook
Maintenance & Trust

Sender by BestWebSoft Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jun 5, 2025
PHP min version
Downloads: 28K

Community Trust

Rating: 82/100
Number of ratings: 9
Active installs: 90
Developer Profile

Sender by BestWebSoft Developer Profile

bestweblayout

32 plugins · 17K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 1944 days
Detection Fingerprints

How We Detect Sender by BestWebSoft

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
