Does SendWP have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is SendWP compatible with WordPress 6.6.5?

According to WordPress.org data, SendWP 1.4.9 has been tested up to WordPress 6.6.5. Check the plugin's changelog for the latest compatibility information.

Is SendWP compatible with PHP 5.6+?

SendWP requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is SendWP updated?

SendWP was last updated on Sep 8, 2024. Frequent updates are generally a positive security signal.

What is SendWP's security score?

SendWP has a WP-Safety security score of 92/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

SendWP Security & Risk Analysis

wordpress.org/plugins/sendwp

Say hello to the easy solution to transactional email in WordPress.

10K active installs v1.4.9 PHP 5.6+ WP 5.1+ Updated Sep 8, 2024

emailformstransactional

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is SendWP Safe to Use in 2026?

Generally Safe

Score 92/100

SendWP has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1yr ago

Risk Assessment

The SendWP plugin v1.4.9 exhibits a mixed security posture. On the positive side, it demonstrates good practices in database interaction by exclusively using prepared statements for its SQL queries and shows no recorded vulnerability history, suggesting a generally well-maintained codebase. However, the static analysis reveals a significant concern: one unprotected AJAX handler. This represents a direct entry point into the plugin's functionality that an attacker could potentially exploit without requiring any authentication, posing a notable risk. While the absence of critical taint flows and dangerous functions is encouraging, the single unprotected entry point is a glaring weakness that needs immediate attention. The plugin also has a low percentage of properly escaped output, which could lead to cross-site scripting (XSS) vulnerabilities if sensitive data is displayed without proper sanitization. In conclusion, while SendWP has strengths in its data handling and lack of past vulnerabilities, the presence of an unprotected AJAX endpoint and insufficient output escaping significantly lowers its overall security score and requires mitigation.

Key Concerns

Unprotected AJAX handler found
Low percentage of properly escaped output

Vulnerabilities

None known

SendWP Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

SendWP Release Timeline

v1.4.8

v1.4.6

v1.4.5

v1.4.4

v1.3.1

v1.3

v1.2.10

v1.2.9

v1.2.8

v1.2.7

v1.2.6

v1.2.5

v1.2.4

v1.2.3

v1.1

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0.0

Code Analysis

Analyzed Mar 16, 2026

SendWP Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

2 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

9% escaped22 total outputs

Attack Surface

1 unprotected

SendWP Attack Surface

Entry Points1

Unprotected1

AJAX Handlers 1

authwp_ajax_sendwp_forwardingincludes\hooks.php:13

WordPress Hooks 11

actionadmin_menuincludes\admin\load.php:3

actionadmin_post_sendwp_reset_plugin_dataincludes\functions.php:243

actionphpmailer_initincludes\hooks.php:4

filterhttps_local_ssl_verifyincludes\hooks.php:8

filterhttps_ssl_verifyincludes\hooks.php:9

actionadmin_noticesincludes\hooks.php:12

actioninitincludes\hooks.php:16

actionsendwp_heartbeatincludes\hooks.php:17

actioninitincludes\hooks.php:19

actioninitincludes\hooks.php:20

actionadmin_noticessendwp.php:12

Scheduled Events 1

sendwp_heartbeat

Maintenance & Trust

SendWP Maintenance & Trust

Maintenance Signals

WordPress version tested6.6.5

Last updatedSep 8, 2024

PHP min version5.6

Downloads352K

Community Trust

Rating82/100

Number of ratings14

Active installs10K

Alternatives

SendWP Alternatives

Ninja Mail

ninja-mail

Ninja Mail is being sunset and no longer functions as of April 1, 2021.

300 No CVEs

Newsletter – Send awesome emails from WordPress

newsletter

An email marketing tool for your blog: subscription forms to create your lists with unlimited subscribers and newsletters.

200K 20 CVEs

Brevo – Email, SMS, Web Push, Chat, and more.

mailin

Turn your WordPress site into a marketing powerhouse. Grow your audience, boost engagement, and drive more sales with Brevo.

100K 9 CVEs

Gravity PDF

gravity-forms-pdf-extended

100

Automatically generate, email and download PDF documents from Gravity Forms entries

20K 1 CVE

E2Pdf – Export Pdf Tool for WordPress

e2pdf

PDF Builder for CF7, Divi, Elementor Forms, Everest, Fluent, Formidable, Forminator, Gravity, JFB, Ninja, WPForms, WooCommerce, Post Meta, ACF, etc.

10K 11 CVEs

Developer Profile

SendWP Developer Profile

Kevin Stover

5 plugins · 610K total installs

trust score

Avg Security Score

85/100

Avg Patch Time

1015 days

View full developer profile

Detection Fingerprints

How We Detect SendWP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/sendwp/assets/css/admin/settings.css/wp-content/plugins/sendwp/assets/js/admin/settings.js/wp-content/plugins/sendwp/assets/css/admin/notices.css

Script Paths

/wp-content/plugins/sendwp/assets/js/admin/settings.js

Version Parameters

sendwp/style.css?ver=sendwp/script.js?ver=

HTML / DOM Fingerprints

CSS Classes

sendwp-settings-pagesendwp-disabled-notice

Data Attributes

data-sendwp-nonce

JS Globals

sendwpAdminsendwp_varssendwp_settings

REST Endpoints

/wp-json/sendwp/v1/connect/wp-json/sendwp/v1/disconnect/wp-json/sendwp/v1/status

FAQ