SmartEmailing Security & Risk Analysis

wordpress.org/plugins/smartemailing

An easy way to connect your website with your SmartEmailing account to collect e-mail addresses via a web form.

Active installs: 600
Version: v2.2.6
PHP: 8.0.0+
WordPress: 6.0.0+
Updated: Jan 22, 2025
Slug: smartemailing
Security score: 91 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Jan 6, 2025

Safety Verdict

Is SmartEmailing Safe to Use in 2026?

Generally Safe

Score 91/100

SmartEmailing has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Jan 6, 2025 · Updated 1 yr ago

Risk Assessment

The static analysis of the "smartemailing" plugin v2.2.6 reveals a generally good security posture with no identified critical or high severity vulnerabilities in the code itself. The absence of dangerous functions, raw SQL queries, and external HTTP requests is commendable. While the output escaping is at 84%, which is good, there's a slight concern that 16% of outputs are not properly escaped, potentially leaving room for reflected XSS vulnerabilities if user-controlled data is involved in these specific outputs. The lack of detected taint flows is a positive sign, indicating that the developers have likely implemented proper sanitization for data handling.

The vulnerability history shows one past medium severity CVE, which has since been patched. The common vulnerability type being Cross-site Scripting suggests that developers should maintain vigilance in output escaping. The fact that there are no currently unpatched vulnerabilities is a strong positive indicator. However, the absence of capability checks and nonce checks on entry points is a significant concern. While the attack surface is currently reported as zero, this could be a consequence of the specific analysis performed or a testament to the plugin's limited functionality. If any new entry points are introduced or existing ones are discovered, the lack of these fundamental security controls could lead to serious issues.

In conclusion, the plugin demonstrates strengths in preventing direct code execution and SQL injection. The past vulnerability was addressed, which is positive. However, the reliance on the absence of entry points for security, rather than implementing robust access controls like capability checks and nonce validation, represents a significant weakness. The potential for unescaped output, though not critical, also warrants attention. The plugin is currently in a relatively secure state based on this snapshot, but the lack of foundational access control mechanisms poses a latent risk should the attack surface expand or become more dynamic.

Key Concerns

  • No capability checks found
  • No nonce checks found
  • Unescaped output identified (16%)
  • Bundled outdated library (Guzzle)

Vulnerabilities · 1 published

SmartEmailing Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched; none unpatched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2024-12261 · medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SmartEmailing.cz <= 2.2.0 - Reflected Cross-Site Scripting

Jan 6, 2025 · Patched in 2.2.6 (18 days)

Version History

SmartEmailing Release Timeline

v2.2.6 · Current
v2.2.0 · 1 CVE
v2.1.0 · 1 CVE
v2.0.4 · 1 CVE
v2.0.3 · 1 CVE
v2.0.1 · 1 CVE
v2.0.0 · 1 CVE

Code Analysis
Analyzed: Mar 16, 2026

SmartEmailing Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 11 (57 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Guzzle

Output Escaping

84% escaped (68 total outputs)

Attack Surface

SmartEmailing Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 28

Type    Hook                                                  Location
action  init                                                  smartemailing.php:83
action  admin_notices                                         smartemailing.php:103
action  plugins_loaded                                        smartemailing.php:108
action  before_woocommerce_init                               smartemailing.php:114
action  admin_action_smartemailing_bulk_upload_customers      src\Features\BulkUpload.php:28
action  smartemailing_bulk_import_customers                   src\Features\BulkUpload.php:29
action  smartemailing_bulk_import_customers_finished          src\Features\BulkUpload.php:30
action  admin_notices                                         src\Features\BulkUpload.php:31
action  admin_action_smartemailing_bulk_upload_orders         src\Features\BulkUpload.php:33
action  smartemailing_bulk_import_orders                      src\Features\BulkUpload.php:34
action  smartemailing_bulk_import_orders_finished             src\Features\BulkUpload.php:35
action  admin_notices                                         src\Features\BulkUpload.php:36
action  admin_notices                                         src\Features\BulkUpload.php:38
action  wp_head                                               src\Features\FrontendTracking.php:20
action  woocommerce_cart_item_removed                         src\Features\FrontendTracking.php:21
filter  woocommerce_update_cart_action_cart_updated           src\Features\FrontendTracking.php:22
action  woocommerce_add_to_cart                               src\Features\FrontendTracking.php:23
action  woocommerce_thankyou                                  src\Features\FrontendTracking.php:24
action  woocommerce_checkout_after_terms_and_conditions       src\Features\Order.php:24
action  woocommerce_checkout_order_created                    src\Features\Order.php:25
action  woocommerce_order_status_changed                      src\Features\Order.php:26
action  smartemailing_subscribe                               src\Features\Order.php:27
action  admin_action_se_update_lists                          src\Integrations\SmartEmailingApi.php:53
action  admin_notices                                         src\Integrations\SmartEmailingApi.php:54
action  widgets_init                                          src\Managers\WidgetsManager.php:10
filter  plugin_action_links_smartemailing/smartemailing.php   src\Plugin.php:29
action  admin_init                                            src\Settings\GeneralSettings.php:42
action  admin_init                                            src\Settings.php:20

Maintenance & Trust

SmartEmailing Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Jan 22, 2025
PHP min version: 8.0.0
Downloads: 10K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 600

Alternatives

SmartEmailing Alternatives

No alternatives data available yet.


Developer Profile

SmartEmailing Developer Profile

SmartEmailing

1 plugin · 600 total installs

Trust score: 88
Avg Security Score: 91/100
Avg Patch Time: 18 days

Detection Fingerprints

How We Detect SmartEmailing

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths: /wp-content/plugins/smartemailing/smartemailing.php
Script Paths: https://app.smartemailing.cz/js/tracking/tracker.js

HTML / DOM Fingerprints

JS Globals: smartemailing_se


FAQ

Frequently Asked Questions about SmartEmailing