
Subscribers – Free Web Push Notifications Security & Risk Analysis
wordpress.org/plugins/subscribers-comWeb push notifications for your website. Available in Chrome, Firefox, Edge, Opera, Android, Safari, AMP.
Is Subscribers – Free Web Push Notifications Safe to Use in 2026?
Generally Safe
Score 100/100Subscribers – Free Web Push Notifications has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.
The "subscribers-com" v1.6 plugin exhibits a mixed security posture. On the positive side, the static analysis indicates a very small attack surface with no apparent AJAX handlers, REST API routes, shortcodes, or cron events, and importantly, none of these entry points are found to be unprotected. The plugin also demonstrates good practices by exclusively using prepared statements for SQL queries and not making external HTTP requests or performing file operations, which are common sources of vulnerabilities. However, a significant concern arises from the complete lack of output escaping for all identified output points. This means that any data displayed by the plugin, if it originates from user input or external sources, could be rendered in a way that allows for Cross-Site Scripting (XSS) attacks.
The vulnerability history, while not showing any currently unpatched CVEs, reveals a past medium-severity vulnerability related to Cross-Site Scripting. The fact that this was the last vulnerability and it's marked as resolved is positive, but the presence of even one medium-severity XSS in the past, combined with the current lack of output escaping, strongly suggests a recurring or latent risk. The absence of capability checks and nonce checks, while not directly problematic given the zero attack surface, suggests a lack of defensive depth that could become an issue if the attack surface were to expand or change in future versions.
In conclusion, while the plugin has a remarkably small attack surface and adheres to some secure coding practices like prepared statements, the critical flaw of unescaped output presents a high risk for XSS vulnerabilities. The historical data reinforces this concern. Developers should prioritize implementing proper output escaping to mitigate this significant weakness.
Key Concerns
- All identified outputs are unescaped
- No capability checks present
- No nonce checks present
- Past medium vulnerability for XSS
Subscribers – Free Web Push Notifications Security Vulnerabilities
CVEs by Year
Severity Breakdown
1 total CVE
Subscribers – Free Web Push Notifications <= 1.5.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Subscribers – Free Web Push Notifications Release Timeline
Subscribers – Free Web Push Notifications Code Analysis
Output Escaping
Subscribers – Free Web Push Notifications Attack Surface
WordPress Hooks 7
Maintenance & Trust
Subscribers – Free Web Push Notifications Maintenance & Trust
Maintenance Signals
Community Trust
Subscribers – Free Web Push Notifications Alternatives
SmartPush – Free Web Push Notifications
smartpush-web-push-notifications
Web push notifications for your website. Available in Chrome & Firefox (desktop) with support for Android and Safari coming soon.
Push Notifications by LaraPush
push-notifications-by-larapush
LaraPush's "Push Notifications" is a premium add-on exclusively available for the larapush pro panel. With this add-on, users can easil …
PushEngage – Web Push Notifications, WooCommerce Automation & Chat Widget
pushengage
The #1 push notification plugin for WordPress & WooCommerce. Recover abandoned carts, automate alerts, and grow subscribers — no code needed.
Web Push Notifications – Webpushr
webpushr-web-push-notifications
Fastest growing & lightweight plugin for Web Push Notifications. Add browser push notifications to your WordPress & WooCommerce site.
Perfecty Push Notifications
perfecty-push-notifications
Push Notifications that are self-hosted, you don't need API keys to integrate with external Push Notifications providers that will charge you lat …
Subscribers – Free Web Push Notifications Developer Profile
1 plugin · 1K total installs
How We Detect Subscribers – Free Web Push Notifications
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/subscribers-com/firebase-messaging-sw.js.phphttps://subscribers.com/assets/subscribers.jsHTML / DOM Fingerprints
<!-- Start Subscriber Embed Code --><!-- End Subscriber Embed Code -->id="subscribers_hash"id="subscribers_lang"var subscribersSiteId =var subscribersServiceWorkerPath =