SendPress Newsletters Security & Risk Analysis

wordpress.org/plugins/sendpress

A Newsletter Plugin for WordPress to create, send, manage and track your Newsletters in one place.

2K active installs · v1.26.1.20 · PHP + WP 4.4+ · Updated Feb 7, 2026
Tags: manager-newsletter, newsletter, newsletter-signup, newsletter-widget, newsletters
Score: 46 · D · High Risk
CVEs total: 8
Unpatched: 3
Last CVE: Nov 7, 2023
Safety Verdict

Is SendPress Newsletters Safe to Use in 2026?

High Risk

Score 46/100

SendPress Newsletters carries significant security risk with 8 known CVEs, 3 still unpatched. Consider switching to a maintained alternative.

8 known CVEs · 3 unpatched · Last CVE: Nov 7, 2023 · Updated 1mo ago
Risk Assessment

The SendPress plugin version 1.26.1.20 has a concerning security posture: a significant number of its AJAX handlers are unprotected, and it has a history of numerous vulnerabilities, including high and medium severity issues. The plugin uses prepared statements for the majority of its SQL queries and performs a substantial number of output escaping operations, but the volume of entry points lacking authentication checks leaves a substantial attack surface. The `unserialize` calls, even though this static analysis found no apparent taint flow into them, warrant caution, because `unserialize` can be a vector for deserialization vulnerabilities if not handled with extreme care.

The vulnerability history shows recurring patterns of Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Missing Authorization, and SQL Injection, indicating a persistent struggle with secure coding practices. Three CVEs remain unpatched, which is a critical red flag. The unprotected AJAX handlers and the unpatched vulnerabilities significantly outweigh the good practices noted above, leading to a high-risk assessment.

Key Concerns

  • 12 unprotected AJAX handlers
  • 3 unpatched CVEs (1 high, 2 medium)
  • Dangerous function: unserialize
  • Only 45% of outputs properly escaped
  • Missing nonce checks on 12 AJAX handlers
  • 84% SQL prepared statements (16% raw)
  • Vulnerability history: 8 total CVEs
Vulnerabilities: 8

SendPress Newsletters Security Vulnerabilities

CVEs by Year

2015: 2 CVEs
2020: 1 CVE
2023: 5 CVEs · unpatched

Severity Breakdown

High: 1
Medium: 7

8 total CVEs

CVE-2023-47517 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SendPress Newsletters <= 1.23.11.6 - Reflected Cross-Site Scripting

Nov 7, 2023 · Patched in 1.24.8.19 (829d)

CVE-2023-5660 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SendPress Newsletters <= 1.22.3.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Nov 6, 2023 · Patched in 1.23.11.6 (78d)

CVE-2023-41729 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SendPress Newsletters <= 1.23.11.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Sep 5, 2023 · Unpatched

CVE-2023-41730 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

SendPress Newsletters <= 1.23.11.6 - Cross-Site Request Forgery

Sep 5, 2023 · Unpatched

CVE-2023-35040 · medium · 5.3 · Missing Authorization

SendPress Newsletters <= 1.23.11.6 - Missing Authorization

Aug 11, 2023 · Unpatched

WF-e8d042be-e272-4e2d-93ec-83a0a42ecd51-sendpress · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SendPress Newsletters < 1.20.7.13 - Authenticated Stored Cross-Site Scripting

Jul 13, 2020 · Patched in 1.20.7.13 (1289d)

WF-5570b8ef-6fb9-4f9e-be39-d8c615d1abab-sendpress · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SendPress Newsletters < 1.2 - Cross-Site Scripting

Jul 23, 2015 · Patched in 1.2 (3106d)

CVE-2015-9448 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

SendPress Newsletters < 1.2 - Authenticated SQL Injection

Jul 23, 2015 · Patched in 1.2 (3106d)

Code Analysis
Analyzed Mar 16, 2026

SendPress Newsletters Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 51 (260 prepared)
Unescaped Output: 703 (583 escaped)
Nonce Checks: 6
Capability Checks: 10
File Operations: 19
External Requests: 15
Bundled Libraries: 2

Dangerous Functions Found

unserialize · `return unserialize($options[$sender."_temp"]);` · classes\class-sendpress-option.php:235
unserialize · `$d = unserialize( self::_decrypt( $options[$sender] , SENDPRESS_SENDER_KEY));` · classes\class-sendpress-option.php:237
unserialize · `return unserialize( self::_decrypt( $options[$sender] , SENDPRESS_SENDER_KEY));` · classes\class-sendpress-option.php:241

Bundled Libraries

PHPMailer, TinyMCE

SQL Query Safety

84% prepared · 311 total queries

Output Escaping

45% escaped · 1286 total outputs

Data Flows: 3 unsanitized

Data Flow Analysis

3 flows · 3 with unsanitized paths
html (classes\public-views\class-sendpress-public-view-post.php:15)

Attack Surface: 12 unprotected

SendPress Newsletters Attack Surface

Entry Points: 19
Unprotected: 12

AJAX Handlers 14

auth wp_ajax_sendpress_save_list classes\class-sendpress-ajax-loader.php:30
auth wp_ajax_sendpress_subscribe_to_list classes\class-sendpress-ajax-loader.php:31
auth wp_ajax_sendpress-autocron classes\class-sendpress-ajax-loader.php:32
auth wp_ajax_sendpress-sendbatch classes\class-sendpress-ajax-loader.php:33
auth wp_ajax_sendpress-queuebatch classes\class-sendpress-ajax-loader.php:34
auth wp_ajax_sendpress-stopcron classes\class-sendpress-ajax-loader.php:35
auth wp_ajax_sendpress-sendcount classes\class-sendpress-ajax-loader.php:36
auth wp_ajax_sendpress-queuecount classes\class-sendpress-ajax-loader.php:37
auth wp_ajax_sendpress-findpost classes\class-sendpress-ajax-loader.php:39
auth wp_ajax_sendpress-list-subscription classes\class-sendpress-ajax-loader.php:40
auth wp_ajax_sendpress-synclist classes\class-sendpress-ajax-loader.php:41
auth wp_ajax_sendpress-sendcron classes\class-sendpress-ajax-loader.php:42
nopriv wp_ajax_sendpress_subscribe_to_list classes\class-sendpress-ajax-loader.php:45
nopriv wp_ajax_sendpress-list-subscription classes\class-sendpress-ajax-loader.php:46

Shortcodes 5

[sendpress-signup] classes\class-sendpress-shortcode-loader.php:35
[sendpress-manage] classes\class-sendpress-shortcode-manage.php:13
[sendpress-posts] classes\class-sendpress-shortcodes.php:13
[sendpress-signup] classes\class-sendpress-signup-shortcode-old.php:12
[sendpress-unsubscribe] classes\class-sendpress-unsubscribe-shortcode.php:35

WordPress Hooks 101

action sendpress_admin_scripts classes\class-sendpress-ajax-loader.php:38
filter excerpt_more classes\class-sendpress-ajax-loader.php:100
action rest_api_init classes\class-sendpress-api-loader.php:20
action init classes\class-sendpress-api.php:77
action template_redirect classes\class-sendpress-api.php:78
filter query_vars classes\class-sendpress-api.php:79
action spnl_process_api_key classes\class-sendpress-api.php:80
action init classes\class-sendpress-logging.php:26
action init classes\class-sendpress-logging.php:29
action spnl_logging_prune_routine classes\class-sendpress-logging.php:32
action sendpress_notification_daily classes\class-sendpress-notifications-manager.php:234
filter plugins_api classes\class-sendpress-pro-manager.php:34
filter http_request_args classes\class-sendpress-pro-manager.php:35
action admin_head classes\class-sendpress-pro-manager.php:40
filter pre_set_site_transient_update_plugins classes\class-sendpress-pro-updater.php:48
filter plugins_api classes\class-sendpress-pro-updater.php:49
filter http_request_args classes\class-sendpress-pro-updater.php:50
filter set-screen-option classes\class-sendpress-screen-options.php:14
filter sendpress_sending_method_gmail classes\class-sendpress-sender.php:30
filter sendpress_sending_method_sendpress classes\class-sendpress-sender.php:31
filter the_content classes\class-sendpress-template-tags.php:491
action init classes\class-sendpress-template-tags.php:554
action spnl_add_template_tags classes\class-sendpress-template-tags.php:750
filter the_content classes\class-sendpress-template.php:376
filter tiny_mce_version classes\class-sendpress-tinymce.php:13
filter mce_external_plugins classes\class-sendpress-tinymce.php:25
filter mce_buttons classes\class-sendpress-tinymce.php:26
action admin_enqueue_scripts classes\class-sendpress-tour.php:20
action admin_enqueue_scripts classes\class-sendpress-tracking.php:16
action admin_print_footer_scripts classes\class-sendpress-tracking.php:165
filter sp_tracking_filters classes\class-sendpress-tracking.php:313
filter embed_oembed_html classes\class-sendpress-videos.php:26
filter oembed_dataparse classes\class-sendpress-videos.php:27
filter do_rocket_lazyload classes\public-views\class-sendpress-public-view-email.php:18
action genesis_site_layout classes\public-views\class-sendpress-public-view.php:228
action sendpress_public_before classes\public-views\class-sendpress-public-view.php:229
action sendpress_public_after classes\public-views\class-sendpress-public-view.php:230
action sendpress_public_css classes\public-views\class-sendpress-public-view.php:231
action sendpress_shortcode_examples_forms classes\sc\class-sendpress-sc-forms.php:543
action sendpress_shortcode_examples_signup classes\sc\class-sendpress-sc-signup.php:171
filter bj_lazy_load_run_filter classes\tag\class-sendpress-tag-content-area-one.php:20
filter bj_lazy_load_run_filter classes\tag\class-sendpress-tag-footer-content.php:41
filter bj_lazy_load_run_filter classes\tag\class-sendpress-tag-footer-page.php:34
filter the_content classes\tag\class-sendpress-tag-footer-page.php:37
filter bj_lazy_load_run_filter classes\tag\class-sendpress-tag-header-content.php:34
filter the_content classes\tag\class-sendpress-tag-header-content.php:36
filter bj_lazy_load_run_filter classes\tag\class-sendpress-tag-header-page.php:34
filter content_save_pre classes\views\class-sendpress-view-emails-edit.php:42
filter content_filtered_save_pre classes\views\class-sendpress-view-emails-edit.php:43
filter the_content classes\views\class-sendpress-view-emails-edit.php:207
action load-sendpress_page_sp-emails classes\views\class-sendpress-view-emails-temp.php:15
action load-sendpress_page_sp-emails classes\views\class-sendpress-view-emails-tempedit.php:15
action load-sendpress_page_sp-emails classes\views\class-sendpress-view-emails.php:15
action sendpress_notices classes\views\class-sendpress-view-pro.php:18
action sendpress_notices classes\views\class-sendpress-view-pro.php:25
action load-sendpress_page_sp-queue classes\views\class-sendpress-view-queue-all.php:19
action load-sendpress_page_sp-queue classes\views\class-sendpress-view-queue-errors.php:19
action load-sendpress_page_sp-queue classes\views\class-sendpress-view-queue-jobs.php:19
action load-sendpress_page_sp-queue classes\views\class-sendpress-view-queue-stuck.php:19
action load-sendpress_page_sp-queue classes\views\class-sendpress-view-queue.php:19
action load-sendpress_page_sp-reports classes\views\class-sendpress-view-reports-tests.php:12
action load-sendpress_page_sp-reports classes\views\class-sendpress-view-reports.php:12
action load-sendpress_page_sp-subscribers classes\views\class-sendpress-view-subscribers-all.php:11
action load-sendpress_page_sp-subscribers classes\views\class-sendpress-view-subscribers-subscribers.php:11
action load-sendpress_page_sp-subscribers classes\views\class-sendpress-view-subscribers.php:15
action in_admin_footer classes\views\class-sendpress-view.php:34
filter wp_die_ajax_handler inc\functions.php:150
filter wp_die_handler inc\functions.php:151
action init sendpress.php:140
action widgets_init sendpress.php:141
action plugins_loaded sendpress.php:152
action admin_enqueue_scripts sendpress.php:153
action init sendpress.php:154
action sendpress_template_loaded sendpress.php:365
action admin_init sendpress.php:372
action admin_menu sendpress.php:373
action admin_notices sendpress.php:374
filter widget_text sendpress.php:382
filter template_include sendpress.php:385
action sendpress_cron_action sendpress.php:386
action wp_enqueue_scripts sendpress.php:393
action wp_enqueue_scripts sendpress.php:394
action wp_loaded sendpress.php:397
filter cron_schedules sendpress.php:398
filter do_rocket_lazyload sendpress.php:646
filter disable_captions sendpress.php:816
action admin_print_scripts sendpress.php:892
filter gettext sendpress.php:893
action sendpress_notices sendpress.php:894
filter user_has_cap sendpress.php:895
action admin_print_styles sendpress.php:915
filter tiny_mce_before_init sendpress.php:920
filter mce_css sendpress.php:932
action sendpress_admin_scripts sendpress.php:941
action admin_head sendpress.php:1189
action init sendpress.php:1901
filter query_vars sendpress.php:1902
action admin_init sendpress.php:1903
action wpmu_new_blog sendpress.php:1906
action activate_blog sendpress.php:1907
filter the_content templates\simple.php:276

Scheduled Events 2

sendpress_notification_daily
sendpress_cron_action
Maintenance & Trust

SendPress Newsletters Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Feb 7, 2026
PHP min version
Downloads: 527K

Community Trust

Rating: 90/100
Number of ratings: 60
Active installs: 2K
Developer Profile

SendPress Newsletters Developer Profile

brewlabs

4 plugins · 2K total installs

Trust score: 58
Avg Security Score: 70/100
Avg Patch Time: 1682 days
Detection Fingerprints

How We Detect SendPress Newsletters

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/sendpress/css/admin.css
/wp-content/plugins/sendpress/css/jquery.tagsinput.css
/wp-content/plugins/sendpress/css/jquery.timepicker.css
/wp-content/plugins/sendpress/css/jquery.treeview.css
/wp-content/plugins/sendpress/css/style.css
/wp-content/plugins/sendpress/css/sp-frontend.css
/wp-content/plugins/sendpress/js/admin.js
/wp-content/plugins/sendpress/js/editor.js
+8 more

Script Paths
/wp-content/plugins/sendpress/js/admin.js
/wp-content/plugins/sendpress/js/editor.js
/wp-content/plugins/sendpress/js/jquery.cookie.js
/wp-content/plugins/sendpress/js/jquery.form.js
/wp-content/plugins/sendpress/js/jquery.tagsinput.js
/wp-content/plugins/sendpress/js/jquery.timepicker.js
+4 more

Version Parameters
sendpress/style.css?ver=
sendpress/admin.css?ver=
sendpress/sp-frontend.css?ver=
sendpress/editor.js?ver=
sendpress/jquery.cookie.js?ver=
sendpress/jquery.form.js?ver=
sendpress/jquery.tagsinput.js?ver=
sendpress/jquery.timepicker.js?ver=
sendpress/jquery.treeview.js?ver=
sendpress/jquery.watermark.js?ver=
sendpress/sp-frontend.js?ver=
sendpress/sp-validate.js?ver=

HTML / DOM Fingerprints

CSS Classes
sendpress-field, sendpress-label, sendpress-input, sendpress-btn, sp-container, sp-editor, sp-email-content, sp-template, +2 more

HTML Comments
<!-- SP_START_FOOTER_SCRIPT -->
<!-- SP_END_FOOTER_SCRIPT -->
<!-- SendPress Newsletter -->
<!-- SendPress Form -->
+1 more

Data Attributes
data-sp-placeholder, data-sp-editor-id, data-sp-form-id

JS Globals
sendpress_admin_params, sendpress_editor_params, sp_frontend_params

REST Endpoints
/wp-json/sendpress/v1/

Shortcode Output
[sendpress_form], [sendpress_signup], [sendpress_manage_subscriptions]