ShopMagic – email automation Security & Risk Analysis

wordpress.org/plugins/shopmagic-for-woocommerce

Flexible email automation and workflows triggered by customer and site events.

10K active installs v4.8.1 PHP 7.4+ WP 6.4+ Updated Mar 7, 2026
Tags: customize-woocommerce-emails, follow-up-emails, woocommerce-abandoned-cart, woocommerce-email-customizer, woocommerce-mailchimp

Score 96/100 · Grade A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Jan 7, 2026
Safety Verdict

Is ShopMagic – email automation Safe to Use in 2026?

Generally Safe

Score 96/100

ShopMagic – email automation has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jan 7, 2026 · Updated 27d ago
Risk Assessment

The shopmagic-for-woocommerce plugin, version 4.8.1, presents a mixed security posture. Its own code uses prepared statements for 74 of its 82 SQL queries (90%) and escapes 236 of 346 outputs (68%), a reasonable baseline, though the 8 raw queries and 110 unescaped outputs deserve a manual look. The attack surface is the main concern: four of the five registered AJAX handlers are flagged as unprotected, meaning the scan found no nonce or capability check guarding them (the page does not say which four). The two nopriv handlers, wp_ajax_nopriv_capture_email_url and wp_ajax_nopriv_capture_checkout_field_url in src\Frontend\Interceptor\PreSubmitData.php, are reachable without logging in and accept visitor-supplied data, so they deserve the first look; the other three are notice-dismissal endpoints that require a logged-in session. Anonymous endpoints are where strict input validation and throttling matter most, because a WordPress nonce minted for a logged-out visitor is the same for every logged-out visitor and offers little protection on its own.

All 28 dangerous-function hits (assert, unserialize, proc_open, shell_exec, passthru) sit in bundled vendor_prefixed libraries (brick/math, monolog, ramsey/uuid, laravel/serializable-closure and wpdesk packages), not in the plugin's own src tree. The shell_exec and passthru calls in ramsey/uuid and monolog run fixed command strings (id -u, ifconfig, git branch and similar) with no request-controlled argument, and monolog's proc_open runs a handler-configured command, so none of them is an injection sink on its own. Most unserialize calls restrict allowed_classes; the two that do not (wpdesk\wp-forms SerializeSerializer.php:15 and wpdesk\wp-persistence SerializedPersistentContainer.php:24) are the ones to watch. The wp-persistence call reads from its own container rather than from the request, the source of $value in the wp-forms serializer is not shown here, and the data-flow analysis on this page reports no unsanitized flow reaching either; PHP object injection would still become possible if an attacker found any way to write into that stored data, so they warrant caution rather than alarm.

Both known CVEs are patched. CVE-2025-59578 (high, 7.5) was an unauthenticated information exposure in versions up to 4.5.6, fixed in 4.5.7 within nine days; CVE-2025-69093 (medium, 5.3), disclosed Jan 7, 2026, was a missing-authorization flaw in versions up to 4.7.2, fixed in 4.7.3 within eight days. Both are access-control bugs, the same class of problem as the unprotected AJAX handlers, so that area should stay under test. The turnaround on these two fixes is far quicker than the 135-day average patch time shown for the developer across its 23 plugins, which is a point in the plugin's favour.

Overall, the plugin has sound SQL handling and a prompt patching record, but the unprotected AJAX endpoints, the raw unserialize calls in bundled code and the access-control history call for careful monitoring and prompt updates. The single bundled library is reported as Guzzle 1.1; prefixed vendor copies are not updated by the site's Composer or by WordPress core, so an outdated bundled HTTP client is only fixed when the plugin author ships a new release, and the version should be confirmed against the vendor_prefixed manifest after each update. The current absence of unpatched vulnerabilities is a positive sign, but the underlying attack surface should not be ignored.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous functions in bundled libraries (unserialize without allowed_classes, shell_exec, passthru, proc_open)
  • Past High severity vulnerability
  • Past Medium severity vulnerability
  • Bundled outdated Guzzle library
Vulnerabilities
2

ShopMagic – email automation Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched)
2026: 1 CVE (patched)

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2025-69093  medium · 5.3  Missing Authorization

ShopMagic <= 4.7.2 - Missing Authorization

Jan 7, 2026 · Patched in 4.7.3 (8d)

CVE-2025-59578  high · 7.5  Insertion of Sensitive Information Into Sent Data

Free Follow-Up Emails & Marketing Automation for WooCommerce – ShopMagic <= 4.5.6 - Unauthenticated Information Exposure

Oct 15, 2025 · Patched in 4.5.7 (9d)
Code Analysis
Analyzed Mar 16, 2026

ShopMagic – email automation Code Analysis

Dangerous Functions: 28
Raw SQL Queries: 8 (74 prepared)
Unescaped Output: 110 (236 escaped)
Nonce Checks: 8
Capability Checks: 7
File Operations: 58
External Requests: 9
Bundled Libraries: 1

Dangerous Functions Found

function  location  snippet
assert  vendor_prefixed\brick\math\src\BigInteger.php:916  assert($bin !== \false);
assert  vendor_prefixed\brick\math\src\BigNumber.php:65  assert($denominator !== null);
assert  vendor_prefixed\brick\math\src\Internal\Calculator\BcMathCalculator.php:71  assert($q !== null);
assert  vendor_prefixed\brick\math\src\Internal\Calculator\BcMathCalculator.php:72  assert($r !== null);
assert  vendor_prefixed\brick\math\src\Internal\Calculator\NativeCalculator.php:155  assert(is_int($q));
assert  vendor_prefixed\brick\math\src\Internal\Calculator\NativeCalculator.php:341  assert($carry === 0);
unserialize  vendor_prefixed\laravel\serializable-closure\src\Serializers\Signed.php:76  $serializable = unserialize($signature['serializable']);
proc_open  vendor_prefixed\monolog\monolog\src\Monolog\Handler\ProcessHandler.php:104  $this->process = proc_open($this->command, static::DESCRIPTOR_SPEC, $this->pipes, $this->cwd);
shell_exec  vendor_prefixed\monolog\monolog\src\Monolog\Processor\GitProcessor.php:60  $branches = shell_exec('git branch -v --no-abbrev');
shell_exec  vendor_prefixed\monolog\monolog\src\Monolog\Processor\MercurialProcessor.php:59  $result = explode(' ', trim((string) shell_exec('hg id -nb')));
unserialize  vendor_prefixed\ramsey\collection\src\AbstractArray.php:153  $data = unserialize($serialized, ['allowed_classes' => \false]);
unserialize  vendor_prefixed\ramsey\collection\src\AbstractCollection.php:223  $data = unserialize($serialized, ['allowed_classes' => [$this->getType()]]);
unserialize  vendor_prefixed\ramsey\uuid\src\Builder\BuilderCollection.php:56  $data = unserialize($serialized, ['allowed_classes' => [BrickMathCalculator::class, GenericNumberCon…
assert  vendor_prefixed\ramsey\uuid\src\Lazy\LazyUuidFromString.php:417  assert($instance instanceof UuidV6);
assert  vendor_prefixed\ramsey\uuid\src\Lazy\LazyUuidFromString.php:423  assert($instance instanceof UuidV6);
shell_exec  vendor_prefixed\ramsey\uuid\src\Provider\Dce\SystemDceSecurityProvider.php:88  return trim((string) shell_exec('id -u'));
shell_exec  vendor_prefixed\ramsey\uuid\src\Provider\Dce\SystemDceSecurityProvider.php:106  return trim((string) shell_exec('id -g'));
shell_exec  vendor_prefixed\ramsey\uuid\src\Provider\Dce\SystemDceSecurityProvider.php:142  $response = shell_exec('whoami /user /fo csv /nh');
shell_exec  vendor_prefixed\ramsey\uuid\src\Provider\Dce\SystemDceSecurityProvider.php:165  $response = shell_exec('net user %username% | findstr /b /i "Local Group Memberships"');
shell_exec  vendor_prefixed\ramsey\uuid\src\Provider\Dce\SystemDceSecurityProvider.php:175  $response = shell_exec('wmic group get name,sid | findstr /b /i ' . escapeshellarg($firstGroup));
unserialize  vendor_prefixed\ramsey\uuid\src\Provider\Node\NodeProviderCollection.php:41  $data = unserialize($serialized, ['allowed_classes' => [Hexadecimal::class, RandomNodeProvider::clas…
passthru  vendor_prefixed\ramsey\uuid\src\Provider\Node\SystemNodeProvider.php:90  passthru('ipconfig /all 2>&1');
passthru  vendor_prefixed\ramsey\uuid\src\Provider\Node\SystemNodeProvider.php:93  passthru('ifconfig 2>&1');
passthru  vendor_prefixed\ramsey\uuid\src\Provider\Node\SystemNodeProvider.php:96  passthru('netstat -i -f link 2>&1');
passthru  vendor_prefixed\ramsey\uuid\src\Provider\Node\SystemNodeProvider.php:100  passthru('netstat -ie 2>&1');
assert  vendor_prefixed\ramsey\uuid\src\Uuid.php:403  assert($uuid !== '');
unserialize  vendor_prefixed\wpdesk\wp-forms\src\Serializer\SerializeSerializer.php:15  return unserialize($value);
unserialize  vendor_prefixed\wpdesk\wp-persistence\src\Decorator\SerializedPersistentContainer.php:24  return unserialize($this->container->get($id));
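The difference between the two raw unserialize() calls at the end of the list and the allowed_classes-restricted calls in ramsey/collection is easiest to see by running both against the same stored value. The following is an added example, not code from ShopMagic or from any wpdesk or ramsey package; ExampleSettings and ExampleGadget are stand-in classes, and the serialized string is constructed here. It runs under the plain php CLI without WordPress.

```php
<?php
// Added example, not code from ShopMagic or any bundled library. Compares the
// raw unserialize($value) pattern with the allowed_classes-restricted forms
// listed above, using stand-in classes and a constructed serialized string.

declare(strict_types=1);

final class ExampleSettings {              // stand-in for a legitimately stored object
    public string $from = 'shop@example.test';
}

final class ExampleGadget {                // stand-in for any class with a dangerous magic method
    public string $cmd = 'id';
    public function __wakeup(): void {     // runs the moment the object is rebuilt
        echo "__wakeup ran for ", __CLASS__, "\n";
    }
}

// Constructed stored value: what an attacker with write access to the backing
// store (an option row, a transient, saved form state) could plant.
$stored = serialize([
    'settings' => new ExampleSettings(),
    'injected' => new ExampleGadget(),
]);

function example_describe($v): string {
    return is_object($v) ? get_class($v) : gettype($v);
}

// 1. Raw call, the pattern at SerializeSerializer.php:15: every class named in
//    the string is instantiated and its __wakeup/__destruct hooks fire.
$raw = unserialize($stored);
printf("raw:        settings=%s injected=%s\n",
    example_describe($raw['settings']), example_describe($raw['injected']));

// 2. Allow-list, the pattern in ramsey/collection: only ExampleSettings is
//    rebuilt; ExampleGadget comes back as __PHP_Incomplete_Class and no method runs.
$listed = unserialize($stored, ['allowed_classes' => [ExampleSettings::class]]);
printf("allow-list: settings=%s injected=%s\n",
    example_describe($listed['settings']), example_describe($listed['injected']));

// 3. No classes at all, the pattern at AbstractArray.php:153: right for scalar data.
$none = unserialize($stored, ['allowed_classes' => false]);
printf("no classes: settings=%s injected=%s\n",
    example_describe($none['settings']), example_describe($none['injected']));

// Defensive decoder for values that should only ever hold arrays of scalars:
// refuses objects outright instead of silently carrying incomplete classes.
function example_decode_scalars(string $value): array {
    $data = @unserialize($value, ['allowed_classes' => false]);
    if ($data === false && $value !== 'b:0;') {
        throw new RuntimeException('malformed serialized data');
    }
    if (!is_array($data)) {
        throw new RuntimeException('expected a serialized array');
    }
    array_walk_recursive($data, static function ($leaf): void {
        if (is_object($leaf)) {            // an incomplete class means an object was stored
            throw new RuntimeException('object found in scalar-only data');
        }
    });
    return $data;
}

try {
    example_decode_scalars($stored);       // rejected: it carries objects
} catch (RuntimeException $e) {
    echo "decoder: ", $e->getMessage(), "\n";
}
print_r(example_decode_scalars(serialize(['from' => 'shop@example.test', 'retries' => 3])));
```

Only the raw call lets ExampleGadget::__wakeup() execute; in the allow-listed and class-free forms the injected object survives only as a __PHP_Incomplete_Class shell. When auditing the two wpdesk call sites, the question to answer is whether anything other than the plugin itself can ever write the value being read back, because that write path, not the unserialize() call alone, is what turns the pattern into PHP object injection.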

Bundled Libraries

Guzzle 1.1

SQL Query Safety

90% prepared (82 total queries)

Output Escaping

68% escaped (346 total outputs)
Data Flows
All sanitized

Data Flow Analysis

2 flows
processAjaxNoticeDismiss (vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:72)
Attack Surface
4 unprotected

ShopMagic – email automation Attack Surface

Entry Points: 5
Unprotected: 4

AJAX Handlers 5

auth  wp_ajax_shopmagic_close_temporary  src\Admin\RateNotice\TwoWeeksNotice.php:95
auth  wp_ajax_shopmagic_notice_dismiss  src\Admin\Welcome\Popups.php:93
nopriv  wp_ajax_capture_email_url  src\Frontend\Interceptor\PreSubmitData.php:74
nopriv  wp_ajax_capture_checkout_field_url  src\Frontend\Interceptor\PreSubmitData.php:78
auth  wp_ajax_wpdesk_notice_dismiss  vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:42
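"Unprotected" in this table means the scan found no nonce or capability check on the handler. To confirm which four of the five are meant, open each callback listed above and look for check_ajax_referer() or wp_verify_nonce() and, for the auth handlers, current_user_can() before any state change. The following added example (not ShopMagic code; every action name, option key and meta key in it is hypothetical) contrasts the flagged pattern with hardened handlers for both the nopriv and the logged-in prefix, and assumes WooCommerce's WC()->session is available for the storage step.

```php
<?php
// Added example, not ShopMagic code. Action names, option/meta keys and the
// capture.js asset are hypothetical. Contrasts an unprotected nopriv handler
// with nonce-, validation- and capability-checked handlers.

// --- Flagged pattern: anonymous endpoint, no nonce, raw $_POST stored. ----
add_action('wp_ajax_nopriv_example_capture_url', 'example_capture_url_unprotected');
function example_capture_url_unprotected(): void {
    update_option('example_last_url', $_POST['url'] ?? '');   // no nonce, no validation
    wp_die();
}

// --- Hardened anonymous endpoint -----------------------------------------
// The nonce is minted per page load and handed to the front-end script; the
// handler is registered for both prefixes so logged-in users take the same path.
add_action('wp_enqueue_scripts', function (): void {
    wp_enqueue_script('example-capture', plugins_url('capture.js', __FILE__), [], '1.0', true);
    wp_localize_script('example-capture', 'exampleCapture', [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('example_capture'),
    ]);
});
add_action('wp_ajax_nopriv_example_capture_url_safe', 'example_capture_url_safe');
add_action('wp_ajax_example_capture_url_safe', 'example_capture_url_safe');
function example_capture_url_safe(): void {
    // A nonce for a logged-out visitor is shared by all logged-out visitors, so
    // this is a CSRF speed bump and freshness check, not a per-user credential.
    check_ajax_referer('example_capture', 'nonce');          // sends 403 and dies on failure

    $raw = $_POST['url'] ?? null;
    $url = is_string($raw) ? esc_url_raw(wp_unslash($raw)) : '';
    if ($url === '' || strlen($url) > 2048) {
        wp_send_json_error(['message' => 'invalid url'], 400); // wp_send_json_error() terminates
    }
    // Accept only URLs on this site: the value is later shown to staff and used
    // in follow-up mails, so a foreign host would be a phishing or redirect vector.
    $own_host = wp_parse_url(home_url(), PHP_URL_HOST);
    if (wp_parse_url($url, PHP_URL_HOST) !== $own_host) {
        wp_send_json_error(['message' => 'foreign host'], 400);
    }
    // Crude per-IP throttle: anonymous endpoints are trivial to hammer.
    $key = 'example_capture_' . md5((string) ($_SERVER['REMOTE_ADDR'] ?? ''));
    if (get_transient($key) !== false) {
        wp_send_json_error(['message' => 'slow down'], 429);
    }
    set_transient($key, 1, 10);

    // Store against the visitor's own session rather than a site-wide option,
    // so one anonymous caller cannot overwrite what another visitor submitted.
    if (function_exists('WC') && WC()->session) {            // assumes WooCommerce is active
        WC()->session->set('example_last_url', $url);
    }
    wp_send_json_success(['stored' => true]);
}

// --- Hardened admin-only endpoint (notice dismissal) ---------------------
add_action('wp_ajax_example_notice_dismiss', 'example_notice_dismiss');
function example_notice_dismiss(): void {
    check_ajax_referer('example_notice_dismiss', 'nonce');
    if (!current_user_can('manage_woocommerce')) {            // a capability, not just "logged in"
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    $raw    = $_POST['notice'] ?? null;
    $notice = is_string($raw) ? sanitize_key(wp_unslash($raw)) : '';
    if (!in_array($notice, ['rate', 'welcome'], true)) {      // allow-list, never free text
        wp_send_json_error(['message' => 'unknown notice'], 400);
    }
    update_user_meta(get_current_user_id(), 'example_dismissed_' . $notice, time());
    wp_send_json_success();
}
```

The two hardened handlers illustrate the distinction the Attack Surface count is drawing: for the nopriv endpoints the nonce alone proves little, so validation against an allow-list (here, the site's own host) and throttling carry the weight; for the auth endpoints the check that matters is current_user_can() with a specific capability, since wp_ajax_ only guarantees that some account is logged in.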
WordPress Hooks 107
type  hook  location
action  admin_init  src\Admin\Admin.php:42
action  admin_menu  src\Admin\Admin.php:44
action  admin_enqueue_scripts  src\Admin\Admin.php:46
filter  script_loader_tag  src\Admin\Admin.php:53
filter  script_loader_src  src\Admin\Admin.php:62
action  admin_notices  src\Admin\RateNotice\RateNotices.php:24
action  admin_enqueue_scripts  src\Admin\RateNotice\TwoWeeksNotice.php:89
action  admin_notices  src\Admin\Welcome\Popups.php:13
action  admin_notices  src\Admin\Welcome\Popups.php:38
action  admin_head  src\Admin\Welcome\Popups.php:109
filter  wp_mail_from  src\Components\Mailer\WPMailMailer.php:10
filter  wp_mail_from_name  src\Components\Mailer\WPMailMailer.php:16
action  wp_mail_failed  src\Components\Mailer\WPMailMailer.php:22
filter  rest_pre_dispatch  src\Components\Routing\RestRoutesRegistry.php:67
filter  rest_pre_serve_request  src\Components\Routing\RestRoutesRegistry.php:68
action  init  src\Components\Routing\WpRoutesRegistry.php:34
filter  query_vars  src\Components\Routing\WpRoutesRegistry.php:41
action  template_redirect  src\Components\Routing\WpRoutesRegistry.php:48
action  woocommerce_new_order  src\Customer\Guest\Interceptor\GuestOrderIntegration.php:25
action  woocommerce_api_create_order  src\Customer\Guest\Interceptor\GuestOrderIntegration.php:30
action  woocommerce_before_order_object_save  src\Customer\Guest\Interceptor\GuestOrderUpdate.php:31
action  comment_post  src\Customer\Guest\Interceptor\GuestProductIntegration.php:19
action  woocommerce_before_order_object_save  src\Customer\Guest\Interceptor\OnCustomerEmailChange.php:37
action  user_register  src\Customer\HookProvider\MergeGuestUserOnRegistration.php:30
action  wp  src\Frontend\Interceptor\CurrentCustomer.php:235
action  shutdown  src\Frontend\Interceptor\CurrentCustomer.php:242
action  set_logged_in_cookie  src\Frontend\Interceptor\CurrentCustomer.php:249
action  comment_post  src\Frontend\Interceptor\CurrentCustomer.php:255
action  woocommerce_new_order  src\Frontend\Interceptor\CurrentCustomer.php:261
action  woocommerce_api_create_order  src\Frontend\Interceptor\CurrentCustomer.php:269
action  wp  src\Frontend\Interceptor\CustomerSessionTracker.php:47
action  shutdown  src\Frontend\Interceptor\CustomerSessionTracker.php:48
action  set_logged_in_cookie  src\Frontend\Interceptor\CustomerSessionTracker.php:49
action  comment_post  src\Frontend\Interceptor\CustomerSessionTracker.php:52
action  woocommerce_new_order  src\Frontend\Interceptor\CustomerSessionTracker.php:53
action  woocommerce_api_create_order  src\Frontend\Interceptor\CustomerSessionTracker.php:54
action  wp_enqueue_scripts  src\Frontend\Interceptor\PreSubmitData.php:52
filter  cron_schedules  src\HookEmitter\CronHeartbeat.php:85
action  admin_init  src\HookEmitter\CronHeartbeat.php:102
action  shopmagic/core/cron/weekly  src\HookEmitter\RecurringCleaner.php:35
filter  option_postmark_settings  src\Integration\Postmark.php:71
action  woocommerce_checkout_after_terms_and_conditions  src\Marketing\HookProviders\ListsOnCheckout.php:41
filter  shopmagic/core/action/send_mail/sending  src\Marketing\HookProviders\RecordEmailSending.php:39
action  woocommerce_checkout_order_processed  src\Marketing\HookProviders\SignUpCustomerOnSubmit.php:34
action  woocommerce_checkout_order_processed  src\Marketing\HookProviders\SignUpCustomerOnSubmit.php:40
action  user_register  src\Marketing\HookProviders\SignUpCustomerOnSubmit.php:46
filter  woocommerce_account_menu_items  src\Marketing\HookProviders\WooCommerceAccountPreferences.php:37
action  init  src\Marketing\Subscribers\AudienceList\CommunicationListPostType.php:21
action  wp_enqueue_scripts  src\Marketing\Subscribers\SubscriptionFormShortcode.php:56
action  wp  src\Modules\Mulitilingual\Customer\CustomerLanguagePersistence.php:44
action  shopmagic/core/action/before_execution  src\Modules\Mulitilingual\Integration\WCML\UpdateEmailLanguage.php:14
action  plugins_loaded  src\Plugin.php:225
action  action_scheduler_init  src\Plugin.php:241
action  rest_api_init  src\Plugin.php:249
action  init  src\Plugin.php:261
action  flexible_checkout_fields/init  src\Plugin.php:323
filter  wpdesk_track_plugin_deactivation  src\Tracker\DeactivationTracker.php:25
filter  wpdesk_tracker_notice_screens  src\Tracker\TrackerNotices.php:15
filter  wpdesk_tracker_notice_content  src\Tracker\TrackerNotices.php:16
filter  wpdesk_tracker_enabled  src\Tracker\UsageDataTracker.php:44
filter  woocommerce_email_footer_text  src\Workflow\Action\Builtin\SendMail\WooCommerceMailTemplate.php:87
action  wp_loaded  src\Workflow\ActionExecution\QueueActionRunner.php:115
action  init  src\Workflow\Automation\AutomationPostType.php:24
action  comment_post  src\Workflow\Event\Builtin\Comment\CommentAdded.php:15
action  user_register  src\Workflow\Event\Builtin\Customer\CustomerAccountCreated.php:28
action  shopmagic/core/event/manual/optin  src\Workflow\Event\Builtin\Customer\CustomerOptedIn.php:23
action  shopmagic/core/event/manual/optout  src\Workflow\Event\Builtin\Customer\CustomerOptedOut.php:23
action  comment_post  src\Workflow\Event\Builtin\NewComment.php:9
action  woocommerce_order_status_cancelled  src\Workflow\Event\Builtin\Order\OrderCancelled.php:24
action  woocommerce_order_status_completed  src\Workflow\Event\Builtin\Order\OrderCompleted.php:24
action  woocommerce_order_status_failed  src\Workflow\Event\Builtin\Order\OrderFailed.php:23
action  woocommerce_new_order  src\Workflow\Event\Builtin\Order\OrderNew.php:35
action  woocommerce_api_create_order  src\Workflow\Event\Builtin\Order\OrderNew.php:41
filter  woocommerce_new_order_note_data  src\Workflow\Event\Builtin\Order\OrderNoteAdded.php:49
action  wp_insert_comment  src\Workflow\Event\Builtin\Order\OrderNoteAdded.php:57
action  woocommerce_order_status_on-hold  src\Workflow\Event\Builtin\Order\OrderOnHold.php:23
action  woocommerce_order_status_changed  src\Workflow\Event\Builtin\Order\OrderPaid.php:29
action  wp_loaded  src\Workflow\Event\Builtin\Order\OrderPending.php:59
action  woocommerce_order_status_pending  src\Workflow\Event\Builtin\Order\OrderPending.php:76
action  woocommerce_new_order  src\Workflow\Event\Builtin\Order\OrderPending.php:94
action  woocommerce_order_status_processing  src\Workflow\Event\Builtin\Order\OrderProcessing.php:23
action  woocommerce_order_status_refunded  src\Workflow\Event\Builtin\Order\OrderRefunded.php:23
action  woocommerce_order_status_changed  src\Workflow\Event\Builtin\Order\OrderStatusChanged.php:64
action  wp_trash_post  src\Workflow\Event\Builtin\Post\PostDeleted.php:25
action  before_delete_post  src\Workflow\Event\Builtin\Post\PostDeleted.php:31
action  transition_post_status  src\Workflow\Event\Builtin\Post\PostPublished.php:29
action  post_updated  src\Workflow\Event\Builtin\Post\PostUpdated.php:18
action  woocommerce_update_product  src\Workflow\Event\Builtin\Product\ProductEdit.php:24
action  transition_post_status  src\Workflow\Event\Builtin\Product\ProductPublished.php:24
action  wp_dashboard_setup  vendor_prefixed\wpdesk\ltv-dashboard-widget\src\DashboardWidget.php:102
action  admin_enqueue_scripts  vendor_prefixed\wpdesk\wp-builder\src\Plugin\AbstractPlugin.php:148
action  wp_enqueue_scripts  vendor_prefixed\wpdesk\wp-builder\src\Plugin\AbstractPlugin.php:149
action  admin_enqueue_scripts  vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:41
action  admin_notices  vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\Notice.php:144
action  admin_footer  vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\Notice.php:145
filter  wp_autoloader_loader_loaders_to_load  vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\PluginDisablerByFileTrait.php:45
filter  wp_autoloader_loader_loaders_to_create  vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\PluginDisablerByFileTrait.php:46
action  plugins_loaded  vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\Simple\SimplePaidStrategy.php:58
action  plugins_loaded  vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:81
action  before_woocommerce_init  vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:88
action  activated_plugin  vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:102
filter  doing_it_wrong_trigger_error  vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:123
action  admin_enqueue_scripts  vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\Assets.php:28
action  admin_menu  vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptInPage.php:35
action  admin_init  vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptInPage.php:36
action  admin_notices  vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptOut.php:28
filter  plugin_row_meta  vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\PluginActionLinks.php:36
Maintenance & Trust

ShopMagic – email automation Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 7, 2026
PHP min version: 7.4
Downloads: 736K

Community Trust

Rating: 94/100
Number of ratings: 76
Active installs: 10K
Developer Profile

ShopMagic – email automation Developer Profile

wpdesk

23 plugins · 127K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 135 days
Detection Fingerprints

How We Detect ShopMagic – email automation

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/shopmagic-for-woocommerce/src/main.ts
Script Paths
/wp-content/plugins/shopmagic-for-woocommerce/src/main.ts
Version Parameters
shopmagic-for-woocommerce/src/main.ts?ver=
shopmagic-for-woocommerce/style.css?ver=

HTML / DOM Fingerprints

CSS Classes
shopmagic-spa
HTML Comments
<!-- This is a comment from ShopMagic -->
Data Attributes
data-shopmagic-input
JS Globals
ShopMagic
REST Endpoints
/wp-json/shopmagic-for-woocommerce/v1/settings
Shortcode Output
[shopmagic_order_details]
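The fingerprints above are only useful in combination: a CSS class or a bare global can collide with a theme, whereas a plugin asset path or the plugin's own REST namespace in the /wp-json/ index is hard to produce by accident. The following added example is not the detector this site runs. It applies the listed patterns to a constructed HTML page and a constructed REST index response so that it runs offline; the regex for the JS global, the scoring weights, the sample host and the sample version string are assumptions.

```php
<?php
// Added example, not this site's detector. Matches the fingerprints listed
// above against constructed sample input. Weights and the JS-global regex are
// assumptions; the asset paths, comment, class, attribute and REST route are
// the fingerprints the page lists.

declare(strict_types=1);

const EXAMPLE_SLUG = 'shopmagic-for-woocommerce';

// name => [regex, weight]. Asset path and HTML comment are strong signals;
// a CSS class or global alone is weak and only corroborates.
const EXAMPLE_FINGERPRINTS = [
    'asset_path'   => ['#/wp-content/plugins/shopmagic-for-woocommerce/#', 3],
    'html_comment' => ['#<!-- This is a comment from ShopMagic -->#', 3],
    'data_attr'    => ['#\bdata-shopmagic-input\b#', 2],
    'css_class'    => ['#\bshopmagic-spa\b#', 1],
    'js_global'    => ['#\bShopMagic\s*=#', 1],            // assumed shape of the global
];

// Returns the fingerprint names that matched and their summed weight.
function example_fingerprint_html(string $html): array {
    $hits  = [];
    $score = 0;
    foreach (EXAMPLE_FINGERPRINTS as $name => [$regex, $weight]) {
        if (preg_match($regex, $html) === 1) {
            $hits[] = $name;
            $score += $weight;
        }
    }
    return ['hits' => $hits, 'score' => $score];
}

// Reads the version from the ?ver= parameter on a plugin asset, if present.
function example_plugin_version(string $html): ?string {
    $re = '#shopmagic-for-woocommerce/[^"\'\s]*\?ver=([0-9][0-9A-Za-z.\-]*)#';
    return preg_match($re, $html, $m) === 1 ? $m[1] : null;
}

// The REST index (/wp-json/) lists registered routes; the plugin's namespace
// appearing there shows the plugin is active, not merely present on disk.
function example_rest_confirms(string $restIndexJson): bool {
    $index = json_decode($restIndexJson, true);
    if (!is_array($index)) {
        return false;
    }
    foreach (array_keys($index['routes'] ?? []) as $route) {
        if (strpos((string) $route, '/' . EXAMPLE_SLUG . '/v1') === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample page (not a real ShopMagic page) carrying every fingerprint.
$sampleHtml = <<<'HTML'
<html><head>
<script src="https://shop.example.test/wp-content/plugins/shopmagic-for-woocommerce/src/main.ts?ver=4.8.1"></script>
<link rel="stylesheet" href="https://shop.example.test/wp-content/plugins/shopmagic-for-woocommerce/style.css?ver=4.8.1">
<script>window.ShopMagic = {"restUrl":"/wp-json/shopmagic-for-woocommerce/v1/"};</script>
</head><body>
<!-- This is a comment from ShopMagic -->
<div class="shopmagic-spa"><input data-shopmagic-input="email"></div>
</body></html>
HTML;

// Constructed excerpt of a /wp-json/ index response.
$sampleRest = '{"namespaces":["wp/v2","shopmagic-for-woocommerce/v1"],'
    . '"routes":{"/shopmagic-for-woocommerce/v1/settings":{"namespace":"shopmagic-for-woocommerce/v1","methods":["GET"]}}}';

$result = example_fingerprint_html($sampleHtml);
printf("hits: %s (score %d)\n", implode(', ', $result['hits']), $result['score']);
printf("version: %s\n", example_plugin_version($sampleHtml) ?? 'unknown');
printf("active per REST index: %s\n", example_rest_confirms($sampleRest) ? 'yes' : 'no');
```

A practical threshold is to require at least one strong signal (asset path, HTML comment or the REST route) before reporting the plugin as present; the version read from ?ver= is what lets a crawler compare a site against the "<= 4.7.2" and "<= 4.5.6" ranges of the two CVEs above, bearing in mind that site owners sometimes strip or rewrite version parameters.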
FAQ

Frequently Asked Questions about ShopMagic – email automation