Ultimate Newsletter Security & Risk Analysis

wordpress.org/plugins/ultimate-newsletter

A Newsletter Plugin for WordPress. Design a template, send emails, people can subscribe through your website, double opt in option, track sent emails.

50 active installs · v1.2.0 · PHP + WP 4.4.0+ · Updated Mar 18, 2017

Tags: email-newsletter, email-newsletters, email-subscription, emailing, newsletter

Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Ultimate Newsletter Safe to Use in 2026?

Generally Safe

Score 85/100

Ultimate Newsletter has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 9yr ago
Risk Assessment

The ultimate-newsletter plugin v1.2.0 presents a mixed security posture. On the positive side, it uses prepared statements for all SQL queries and has a relatively good percentage of properly escaped outputs (42%). The absence of known CVEs and of common vulnerability types in its history is also a positive indicator. However, several concerns emerge from the static analysis. The presence of 4 AJAX handlers without authentication checks significantly increases the attack surface, leaving those actions open to unauthorized callers. The use of `create_function` is a dangerous practice that can lead to code injection if not handled with extreme care, though no critical or high-severity taint flows were detected in this analysis. Additionally, the taint analysis revealed 5 flows with unsanitized paths, which could potentially lead to directory traversal or file inclusion vulnerabilities, even though they were not classified as critical or high in this instance.

While the plugin demonstrates good practices in database interaction and output escaping, the unprotected AJAX endpoints and the unsanitized paths found in the taint analysis are significant weaknesses. The lack of capability checks further exacerbates the risk associated with these unprotected entry points. The clean vulnerability history is encouraging, but it does not negate the immediate risks identified in the code. A balanced conclusion is that the plugin has foundational security strengths but requires immediate attention to the identified weaknesses in its attack surface and input sanitization before it can be considered secure.

Key Concerns

  • 4 unprotected AJAX handlers
  • 5 unsanitized paths in taint analysis
  • Use of dangerous function: create_function
  • 0 capability checks
  • Only 42% of outputs properly escaped

Vulnerabilities
None known

Ultimate Newsletter Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Ultimate Newsletter Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 148 (108 escaped)
Nonce Checks: 11
Capability Checks: 0
File Operations: 12
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

create_function at widgets\subscription-form\subscription-form.php:265:
`add_action( 'widgets_init', create_function( '', 'register_widget("Ultimate_Newsletter_Widget_Subscr` (snippet truncated in source)

SQL Query Safety

100% prepared (4 total queries)

Output Escaping

42% escaped (256 total outputs)

Data Flows
5 unsanitized

Data Flow Analysis

10 flows, 5 with unsanitized paths

save (admin\class-ultimate-newsletter-admin.php:252)
Attack Surface
4 unprotected

Ultimate Newsletter Attack Surface

Entry Points: 8
Unprotected: 4

AJAX Handlers (4)

[auth] wp_ajax_un_send_test_email (includes\class-ultimate-newsletter.php:134)
[auth] wp_ajax_un_settings_send_test_email (includes\class-ultimate-newsletter.php:161)
[auth] wp_ajax_un_add_subscriber (widgets\subscription-form\subscription-form.php:41)
[nopriv] wp_ajax_un_add_subscriber (widgets\subscription-form\subscription-form.php:42)

Shortcodes (4)

[ultimate_newsletter] public\class-ultimate-newsletter-public.php:32
[un_confirmation] public\class-ultimate-newsletter-public.php:33
[un_subscriber_profile] public\class-ultimate-newsletter-public.php:34
[un_unsubscribe] public\class-ultimate-newsletter-public.php:35

WordPress Hooks (32)

action phpmailer_init (includes\class-ultimate-newsletter-mailer.php:154)
filter wp_mail_from (includes\class-ultimate-newsletter-mailer.php:156)
filter wp_mail_from_name (includes\class-ultimate-newsletter-mailer.php:157)
filter wp_mail_content_type (includes\class-ultimate-newsletter-mailer.php:158)
action plugins_loaded (includes\class-ultimate-newsletter.php:114)
action admin_enqueue_scripts (includes\class-ultimate-newsletter.php:130)
action admin_enqueue_scripts (includes\class-ultimate-newsletter.php:131)
action admin_menu (includes\class-ultimate-newsletter.php:132)
action admin_init (includes\class-ultimate-newsletter.php:133)
filter set-screen-option (includes\class-ultimate-newsletter.php:136)
action admin_menu (includes\class-ultimate-newsletter.php:141)
action init (includes\class-ultimate-newsletter.php:142)
action parent_file (includes\class-ultimate-newsletter.php:143)
filter manage_edit-un_email_groups_columns (includes\class-ultimate-newsletter.php:144)
action admin_menu (includes\class-ultimate-newsletter.php:149)
action admin_init (includes\class-ultimate-newsletter.php:150)
action user_register (includes\class-ultimate-newsletter.php:151)
action profile_update (includes\class-ultimate-newsletter.php:152)
action delete_user (includes\class-ultimate-newsletter.php:153)
action admin_notices (includes\class-ultimate-newsletter.php:154)
action admin_menu (includes\class-ultimate-newsletter.php:159)
action admin_init (includes\class-ultimate-newsletter.php:160)
filter cron_schedules (includes\class-ultimate-newsletter.php:166)
action un_cron_send_newsletters (includes\class-ultimate-newsletter.php:167)
action init (includes\class-ultimate-newsletter.php:183)
action init (includes\class-ultimate-newsletter.php:184)
action wp_loaded (includes\class-ultimate-newsletter.php:185)
action parse_request (includes\class-ultimate-newsletter.php:186)
action wp_enqueue_scripts (includes\class-ultimate-newsletter.php:187)
action wp_enqueue_scripts (includes\class-ultimate-newsletter.php:188)
action wp_enqueue_scripts (widgets\subscription-form\subscription-form.php:40)
action widgets_init (widgets\subscription-form\subscription-form.php:265)

Scheduled Events (1)

un_cron_send_newsletters
Maintenance & Trust

Ultimate Newsletter Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.7.32
Last updated: Mar 18, 2017
PHP min version: not listed
Downloads: 6K

Community Trust

Rating: 90/100
Number of ratings: 6
Active installs: 50

Developer Profile

Ultimate Newsletter Developer Profile

Yendif Player

1 plugin · 50 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Ultimate Newsletter

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ultimate-newsletter/admin/css/ultimate-newsletter-admin.css
/wp-content/plugins/ultimate-newsletter/admin/js/ultimate-newsletter-admin.js
Script Paths
https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.2/themes/smoothness/jquery-ui.css
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.6.3/css/font-awesome.min.css
Version Parameters
ultimate-newsletter/admin/css/ultimate-newsletter-admin.css?ver=
ultimate-newsletter/admin/js/ultimate-newsletter-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
ultimate-newsletter-admin-wrap
Data Attributes
data-nonce, data-url, data-input-id, data-input-type, data-input-placeholder
JS Globals
un
FAQ

Frequently Asked Questions about Ultimate Newsletter