turboSMTP Security & Risk Analysis

wordpress.org/plugins/turbosmtp

Easily send emails from your WordPress website using turboSMTP's services

400 active installs · v4.9.7 · PHP + WP 6.0+ · Updated Dec 2, 2025
email, mailer, smtp, ssl, turbosmtp
99
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Jan 14, 2025
Safety Verdict

Is turboSMTP Safe to Use in 2026?

Generally Safe

Score 99/100

turboSMTP has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jan 14, 2025 · Updated 4mo ago
Risk Assessment

The TurboSMTP plugin v4.9.7 presents a mixed security posture. While it demonstrates good practices by utilizing prepared statements for all SQL queries and has no known unpatched vulnerabilities, significant concerns arise from its attack surface. Specifically, all five identified AJAX handlers lack authentication checks, creating a direct pathway for unauthorized actions. The limited taint analysis reveals no critical or high-severity issues, which is positive, but the static analysis indicates a moderate percentage of output is not properly escaped, hinting at potential cross-site scripting (XSS) risks if user input is directly reflected without sufficient sanitization.

The vulnerability history shows two past medium-severity CVEs, both related to Cross-Site Scripting. Although these are patched and the plugin currently has no unpatched issues, the recurring nature of XSS vulnerabilities warrants attention. This pattern suggests that while past vulnerabilities have been addressed, ongoing vigilance is required to prevent similar issues from re-emerging. The lack of capability checks on AJAX handlers is a substantial weakness, allowing any user to potentially interact with these points, exacerbating the risk posed by any undiscovered or future vulnerabilities.

In conclusion, TurboSMTP v4.9.7 has strengths in its SQL handling and prompt patching of past vulnerabilities. However, the unprotected AJAX handlers represent a critical security gap that needs immediate attention. The history of XSS vulnerabilities, coupled with a portion of unescaped output, suggests a need for more robust input validation and output encoding practices to ensure a secure user experience and prevent potential data breaches or defacement.

Key Concerns

  • All AJAX handlers lack authentication checks
  • Moderate percentage of output unescaped
  • No capability checks on AJAX handlers
  • History of medium severity XSS vulnerabilities
Vulnerabilities: 2

turboSMTP Security Vulnerabilities

CVEs by Year

  • 2024: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • Medium: 2

2 total CVEs

CVE-2025-22753 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

turboSMTP <= 4.6 - Reflected Cross-Site Scripting

Jan 14, 2025 · Patched in 4.7 (9d)

CVE-2024-12323 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

turboSMTP <= 4.6 - Reflected Cross-Site Scripting via 'page'

Dec 9, 2024 · Patched in 4.7 (2d)
Code Analysis
Analyzed Mar 16, 2026

turboSMTP Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 25 (37 escaped)
  • Nonce Checks: 7
  • Capability Checks: 0
  • File Operations: 1
  • External Requests: 2
  • Bundled Libraries: 0

Output Escaping

60% escaped · 62 total outputs

Data Flows: All sanitized

Data Flow Analysis

2 flows
<credentials> (admin\partials\credentials.php:0)
Attack Surface: 5 unprotected

turboSMTP Attack Surface

Entry Points: 5
Unprotected: 5

AJAX Handlers: 5

  • auth · wp_ajax_turbosmtp_generate_api_keys · includes\class-turbosmtp.php:168
  • auth · wp_ajax_turbosmtp_get_stats_chart · includes\class-turbosmtp.php:171
  • auth · wp_ajax_turbosmtp_get_stats_history · includes\class-turbosmtp.php:172
  • auth · wp_ajax_turbosmtp_send_test_email · includes\class-turbosmtp.php:174
  • auth · wp_ajax_turbosmtp_disconnect_account · includes\class-turbosmtp.php:175

WordPress Hooks: 14

  • action · wp_mail_failed · admin\class-turbosmtp-admin.php:141
  • filter · turbosmtp_disconnect_if_api_response_401 · admin\class-turbosmtp-admin.php:250
  • filter · turbosmtp_disconnect_if_api_response_401 · admin\class-turbosmtp-admin.php:467
  • action · admin_enqueue_scripts · includes\class-turbosmtp.php:161
  • action · admin_enqueue_scripts · includes\class-turbosmtp.php:162
  • action · admin_menu · includes\class-turbosmtp.php:164
  • action · admin_notices · includes\class-turbosmtp.php:167
  • action · admin_post_turbosmtp_save_send_options · includes\class-turbosmtp.php:173
  • action · admin_post_save_api_keys · includes\class-turbosmtp.php:179
  • action · wp_enqueue_scripts · includes\class-turbosmtp.php:200
  • action · wp_enqueue_scripts · includes\class-turbosmtp.php:201
  • action · turbosmtp_api_response · includes\class-turbosmtp.php:202
  • action · pre_wp_mail · includes\class-turbosmtp.php:205
  • action · phpmailer_init · includes\class-turbosmtp.php:206
Maintenance & Trust

turboSMTP Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Dec 2, 2025
  • PHP min version
  • Downloads: 15K

Community Trust

  • Rating: 88/100
  • Number of ratings: 8
  • Active installs: 400
Developer Profile

turboSMTP Developer Profile

turboSMTP

3 plugins · 510 total installs

  • Trust score: 100
  • Avg Security Score: 100/100
  • Avg Patch Time: 6 days
Detection Fingerprints

How We Detect turboSMTP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/turbosmtp/admin/css/turbosmtp-admin.css
  • /wp-content/plugins/turbosmtp/admin/js/turbosmtp-admin.js

Script Paths

  • /wp-content/plugins/turbosmtp/admin/js/turbosmtp-admin.js

Version Parameters

  • turbosmtp-admin-css?ver=
  • turbosmtp-admin-js?ver=

HTML / DOM Fingerprints

CSS Classes

  • turbosmtp-config-wrapper
  • turbosmtp-field-wrapper
  • turbosmtp-btn-primary
  • turbosmtp-btn-secondary

HTML Comments

  • <!-- TurboSMTP Migration Form -->
  • <!-- TurboSMTP Login Form -->
  • <!-- TurboSMTP Configuration Form -->
  • <!-- TurboSMTP Stats Free Template -->
  • +1 more

Data Attributes

  • data-turbosmtp-nonce
  • data-turbosmtp-send-test-email-nonce

JS Globals

  • window.turbosmtp_ajax_object
FAQ

Frequently Asked Questions about turboSMTP