Welcome Mat Security & Risk Analysis

wordpress.org/plugins/welcome-mat

WordPress Welcome Mat

20 active installs · v1.8 · PHP 5.6+ · WP 4.8+ · Updated Jul 13, 2020
Tags: list-builder, mailing-list, newsletter, subscription, welcome-mat
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Welcome Mat Safe to Use in 2026?

Generally Safe

Score 85/100

Welcome Mat has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 5yr ago
Risk Assessment

The 'welcome-mat' plugin version 1.8 exhibits a generally good security posture, with no recorded vulnerabilities and a strong reliance on prepared statements for SQL queries. The plugin demonstrates an awareness of security by implementing nonce and capability checks. However, a significant concern arises from the taint analysis, which reveals 7 out of 8 analyzed flows with unsanitized paths. While no critical or high severity issues were identified in the taint analysis, this high percentage of unsanitized paths indicates a potential risk for injection vulnerabilities, particularly if these paths are exposed or manipulated by an attacker. Furthermore, the output escaping is only properly implemented in 42% of cases, which could lead to cross-site scripting (XSS) vulnerabilities. The lack of historical vulnerabilities is a positive sign, suggesting developers are either cautious or have previously addressed issues effectively. Overall, while the plugin has a clean vulnerability history and good practices in some areas, the significant number of unsanitized paths and low output escaping rate present notable areas for improvement and potential risk.

Key Concerns

  • High percentage of unsanitized paths in taint analysis
  • Low percentage of properly escaped output
Vulnerabilities
None known

Welcome Mat Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Welcome Mat Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (39 prepared)
Unescaped Output: 133 (97 escaped)
Nonce Checks: 2
Capability Checks: 5
File Operations: 4
External Requests: 11
Bundled Libraries: 0

SQL Query Safety

98% prepared · 40 total queries

Output Escaping

42% escaped · 230 total outputs
Data Flows
7 unsanitized

Data Flow Analysis

8 flows · 7 with unsanitized paths
show (modules\basic_email\screen.php:65)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

Welcome Mat Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 84
action template_redirect (classes\class.data.php:44)
action admin_notice (classes\class.maxerror.php:37)
action init (classes\class.plugin.php:43)
action post_row_actions (classes\class.plugin.php:44)
filter post_updated_messages (classes\class.plugin.php:45)
action maxinbound_register_editor (classes\editors\core\background.php:6)
action maxinbound_register_editor (classes\editors\core\button.php:11)
action maxinbound_register_editor (classes\editors\core\font.php:5)
action maxinbound_register_editor (classes\editors\core\icon.php:8)
action maxinbound_register_editor (classes\editors\core\image.php:8)
action maxinbound_register_editor (classes\editors\core\link.php:5)
action maxinbound_register_editor (classes\editors\core\metabox.php:5)
action maxinbound_register_editor (classes\editors\core\none.php:6)
action maxinbound_register_editor (classes\editors\core\social_icon.php:8)
action maxinbound_register_editor (classes\editors\core\text.php:5)
action maxinbound_register_field (classes\fields\core\checkbox.php:5)
action maxinbound_register_field (classes\fields\core\color.php:10)
action maxinbound_register_field (classes\fields\core\custom.php:5)
action maxinbound_register_field (classes\fields\core\font.php:9)
action maxinbound_register_field (classes\fields\core\icon.php:9)
action maxinbound_register_field (classes\fields\core\image.php:10)
action maxinbound_register_field (classes\fields\core\radius.php:5)
action maxinbound_register_field (classes\fields\core\richtext.php:10)
action maxinbound_register_field (classes\fields\core\spacer.php:5)
action maxinbound_register_field (classes\fields\core\text.php:10)
action maxinbound_register_field (classes\fields\core\url.php:9)
action admin_enqueue_scripts (classes\maxinbound-class.php:36)
action wp_enqueue_scripts (classes\maxinbound-class.php:37)
action wp_enqueue_scripts (classes\maxinbound-class.php:38)
action plugins_loaded (classes\maxinbound-class.php:40)
action plugins_loaded (classes\maxinbound-class.php:42)
action plugins_loaded (classes\maxinbound-class.php:43)
action plugins_loaded (classes\maxinbound-class.php:44)
action plugins_loaded (classes\maxinbound-class.php:45)
action init (classes\maxinbound-class.php:48)
action current_screen (classes\maxinbound-class.php:57)
action load_page (classes\maxinbound-class.php:58)
action admin_menu (classes\maxinbound-class.php:61)
action edit_form_after_editor (classes\maxinbound-class.php:62)
action add_meta_boxes (classes\maxinbound-class.php:63)
filter _wp_post_revision_fields (classes\maxinbound-class.php:66)
action edit_form_after_title (classes\maxinbound-class.php:67)
action template_redirect (classes\maxinbound-class.php:76)
filter get_media_item_args (classes\maxinbound-class.php:83)
filter body_class (classes\maxinbound-class.php:604)
action wp_footer (classes\maxinbound-class.php:624)
action before_delete_post (classes\templates.php:30)
action save_post (classes\templates.php:31)
action maxinbound_register_module (modules\basic_display\display.php:5)
action maxinbound_register_module (modules\basic_email\email.php:5)
action maxinbound_register_screen (modules\basic_email\screen.php:5)
action maxinbound_register_module (modules\basic_redirect\basic_redirect.php:5)
action maxinbound_register_module (modules\basic_stats\stats.php:5)
action maxinbound_register_screen (modules\basic_stats\stats_screen.php:6)
action maxinbound_register_module (modules\general\general.php:5)
action init (modules\general\general.php:63)
filter display_post_states (modules\general\general.php:64)
filter post_row_actions (modules\general\general.php:65)
action post_action_archive (modules\general\general.php:66)
action post_action_unarchive (modules\general\general.php:67)
action admin_notices (modules\general\general.php:71)
action maxinbound_register_screen (modules\general\pro_screen.php:5)
action maxinbound_register_module (modules\google_fonts\google_fonts.php:5)
action maxinbound_register_module (modules\removal\removal.php:5)
action maxinbound_register_pro_module (welcomemat-modules\wm-convertkit-module\convertkit.php:24)
action maxinbound_register_pro_module (welcomemat-modules\wm-drip-module\drip.php:17)
filter pre_set_site_transient_update_plugins (welcomemat-pro\classes\EDD_SL_Plugin_Updater.php:64)
filter plugins_api (welcomemat-pro\classes\EDD_SL_Plugin_Updater.php:65)
action admin_init (welcomemat-pro\classes\EDD_SL_Plugin_Updater.php:68)
filter pre_set_site_transient_update_plugins (welcomemat-pro\classes\EDD_SL_Plugin_Updater.php:189)
action admin_notices (welcomemat-pro\classes\install.php:20)
action admin_notices (welcomemat-pro\classes\license.php:27)
action admin_enqueue_scripts (welcomemat-pro\classes\wmpro-class.php:24)
action maxinbound_register_screen (welcomemat-pro\classes\wmpro-class.php:25)
action maxinbound_register_module (welcomemat-pro\classes\wmpro-class.php:49)
action maxinbound_register_editor (welcomemat-pro\editors\background.php:7)
action maxinbound_register_field (welcomemat-pro\fields\image.php:11)
action maxinbound_register_module (welcomemat-pro\modules\aweber\aweber.php:5)
action maxinbound_register_module (welcomemat-pro\modules\campaignmonitor\campaignmonitor.php:5)
action maxinbound_register_module (welcomemat-pro\modules\display_pro\display_pro.php:5)
action maxinbound_register_module (welcomemat-pro\modules\mailchimp\mailchimp.php:5)
action maxinbound_register_module (welcomemat-pro\modules\stats_pro\stats_pro.php:5)
action plugins_loaded (welcomemat-pro\welcomemat-pro.php:21)
action admin_notices (welcomemat.php:47)
Maintenance & Trust

Welcome Mat Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.4.19
Last updated: Jul 13, 2020
PHP min version: 5.6
Downloads: 7K

Community Trust

Rating: 80/100
Number of ratings: 3
Active installs: 20
Developer Profile

Welcome Mat Developer Profile

Bas Schuiling

3 plugins · 320 total installs

Trust score: 79
Avg Security Score: 78/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Welcome Mat

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/welcome-mat/assets/css/welcome-mat.css
/wp-content/plugins/welcome-mat/assets/js/welcome-mat.js
/wp-content/plugins/welcome-mat/assets/libraries/pquery/pquery.js
/wp-content/plugins/welcome-mat/assets/libraries/mobile_detect/Mobile_Detect.php
/wp-content/plugins/welcome-mat/assets/libraries/autoload/ClassLoader.php
Script Paths
/wp-content/plugins/welcome-mat/assets/js/welcome-mat.js
/wp-content/plugins/welcome-mat/assets/libraries/pquery/pquery.js
Version Parameters
welcome-mat/style.css?ver=
welcome-mat/welcome-mat.js?ver=

HTML / DOM Fingerprints

CSS Classes
welcome-mat-input
welcome-mat-submit-button
Data Attributes
data-wm-module
JS Globals
MI
FAQ

Frequently Asked Questions about Welcome Mat