SendPulse Email Marketing Newsletter Security & Risk Analysis

The "sendpulse-email-marketing-newsletter" plugin version 2.2.2 exhibits a mixed security posture. While the code demonstrates good practices such as 100% prepared statements for SQL queries and a high percentage of properly escaped output, there are notable areas of concern. The presence of two unprotected AJAX handlers significantly increases the attack surface, as these can be exploited by unauthenticated users. The plugin's vulnerability history, with three known medium-severity CVEs including Cross-Site Scripting and Information Exposure, is a significant red flag, even though none are currently unpatched. The recent nature of the last vulnerability (2025-12-05) suggests ongoing security challenges or recent discoveries.

Despite the positive aspects of its coding standards, the unprotected entry points and past vulnerabilities present a tangible risk. The unprotected AJAX handlers are the most immediate concern, potentially allowing unauthorized actions or data leakage. The historical prevalence of medium-severity vulnerabilities suggests a pattern that, if not addressed proactively, could lead to more severe issues in the future. Overall, while the plugin has strengths in its data handling and output escaping, the lack of authentication on critical entry points and its vulnerability history necessitate careful consideration and prompt patching of any new discovered vulnerabilities.