Subscribers – Free Web Push Notifications Security & Risk Analysis

wordpress.org/plugins/subscribers-com

Web push notifications for your website. Available in Chrome, Firefox, Edge, Opera, Android, Safari, AMP.

1K active installs v1.7.5 PHP 7.4+ WP 5.2+ Updated Mar 31, 2026
notificationspush-notificationssubscribesubscribersweb-push
100
A · Safe
CVEs total1
Unpatched0
Last CVEApr 19, 2023
Safety Verdict

Is Subscribers – Free Web Push Notifications Safe to Use in 2026?

Generally Safe

Score 100/100

Subscribers – Free Web Push Notifications has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVELast CVE: Apr 19, 2023Updated 3mo ago
Risk Assessment

The "subscribers-com" v1.6 plugin exhibits a mixed security posture. On the positive side, the static analysis indicates a very small attack surface with no apparent AJAX handlers, REST API routes, shortcodes, or cron events, and importantly, none of these entry points are found to be unprotected. The plugin also demonstrates good practices by exclusively using prepared statements for SQL queries and not making external HTTP requests or performing file operations, which are common sources of vulnerabilities. However, a significant concern arises from the complete lack of output escaping for all identified output points. This means that any data displayed by the plugin, if it originates from user input or external sources, could be rendered in a way that allows for Cross-Site Scripting (XSS) attacks.

The vulnerability history, while not showing any currently unpatched CVEs, reveals a past medium-severity vulnerability related to Cross-Site Scripting. The fact that this was the last vulnerability and it's marked as resolved is positive, but the presence of even one medium-severity XSS in the past, combined with the current lack of output escaping, strongly suggests a recurring or latent risk. The absence of capability checks and nonce checks, while not directly problematic given the zero attack surface, suggests a lack of defensive depth that could become an issue if the attack surface were to expand or change in future versions.

In conclusion, while the plugin has a remarkably small attack surface and adheres to some secure coding practices like prepared statements, the critical flaw of unescaped output presents a high risk for XSS vulnerabilities. The historical data reinforces this concern. Developers should prioritize implementing proper output escaping to mitigate this significant weakness.

Key Concerns

  • All identified outputs are unescaped
  • No capability checks present
  • No nonce checks present
  • Past medium vulnerability for XSS
Vulnerabilities
1 published

Subscribers – Free Web Push Notifications Security Vulnerabilities

CVEs by Year

1 CVE in 2023
2023
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2023-22684medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Subscribers – Free Web Push Notifications <= 1.5.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 19, 2023 Patched in 1.5.4 (279d)
Version History

Subscribers – Free Web Push Notifications Release Timeline

v1.7.5Current
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7
v1.6
v1.51 CVE
v1.4.11 CVE
v1.41 CVE
v1.3.21 CVE
v1.3.11 CVE
v1.31 CVE
v1.2.11 CVE
v1.21 CVE
v1.11 CVE
v1.01 CVE
Code Analysis
Analyzed Mar 16, 2026

Subscribers – Free Web Push Notifications Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
8
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

0% escaped8 total outputs
Attack Surface

Subscribers – Free Web Push Notifications Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 7
actionwp_footersubscribers.php:56
actionadmin_menusubscribers.php:57
actionadmin_initsubscribers.php:58
actionadmin_noticessubscribers.php:59
actionadmin_initsubscribers.php:91
actionparse_requestsubscribers.php:112
filterquery_varssubscribers.php:113
Maintenance & Trust

Subscribers – Free Web Push Notifications Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedMar 31, 2026
PHP min version7.4
Downloads74K

Community Trust

Rating58/100
Number of ratings8
Active installs1K
Developer Profile

Subscribers – Free Web Push Notifications Developer Profile

subscribers

1 plugin · 1K total installs

79
trust score
Avg Security Score
100/100
Avg Patch Time
279 days
View full developer profile
Detection Fingerprints

How We Detect Subscribers – Free Web Push Notifications

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/subscribers-com/firebase-messaging-sw.js.php
Script Paths
https://subscribers.com/assets/subscribers.js

HTML / DOM Fingerprints

HTML Comments
<!-- Start Subscriber Embed Code --><!-- End Subscriber Embed Code -->
Data Attributes
id="subscribers_hash"id="subscribers_lang"
JS Globals
var subscribersSiteId =var subscribersServiceWorkerPath =
FAQ

Frequently Asked Questions about Subscribers – Free Web Push Notifications