WP-EMail Security & Risk Analysis

wordpress.org/plugins/wp-email

Allows people to recommend/send your WordPress blog's post/page to a friend.

2K active installs · v2.69.2 · PHP · WP 4.6+ · Updated Dec 18, 2024

Tags: e-mail, email, mail, recommend, wp-email

Security score: 88/100 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Jul 24, 2023
Safety Verdict

Is WP-EMail Safe to Use in 2026?

Generally Safe

Score 88/100

WP-EMail has a reasonable security track record for its age: all five published vulnerabilities have a fixed release, and the current version carries no known unpatched CVE.

5 known CVEs · Last CVE: Jul 24, 2023 · Updated 1yr ago
Risk Assessment

The wp-email plugin, version 2.69.2, shows a mixed security posture. On the positive side, static analysis finds no critical- or high-severity taint flows, no dangerous functions, no file operations and no outbound HTTP requests, and the plugin applies nonce and capability checks on some of its entry points. The concern is its history: five published vulnerabilities, one critical (SQL injection) and one high (unauthenticated cross-site scripting), plus three medium-severity issues (authenticated stored XSS, CSRF leading to log deletion, and a spam-protection bypass through a user-controlled key). These are recurring weakness classes rather than one-off bugs. The static analysis also counts 16 SQL queries, of which only 8 (50%) go through a prepared statement, so any remaining query that concatenates request data is a candidate SQL injection sink.

Output escaping is the weaker signal: only 47 of 124 outputs (38%) are escaped, which makes further cross-site scripting the most likely class of new bug. The current release has no unpatched CVEs and, per the static analysis, no unprotected entry points, so the attack surface appears limited. Taken together, the historical pattern of critical and high-severity flaws and the present gaps in query preparation and output escaping mean the plugin should be treated with caution: the same classes of vulnerability may reappear, and sites that expose its anonymous AJAX handler should track updates closely.

Key Concerns

  • History of critical (SQL injection) and high (unauthenticated XSS) severity vulnerabilities
  • Only 38% of outputs properly escaped (47 of 124)
  • 50% of SQL queries (8 of 16) not using prepared statements
  • 5 known CVEs in total, showing a pattern of significant past issues
  • Past findings cover authorization bypass, CSRF, XSS and SQL injection
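The two static-analysis signals behind these concerns, unprepared SQL and unescaped output, look like this in WordPress plugin code. The block below is an added illustration written for this page, not WP-EMail's own code: the table name wp_email_log, its columns and the example_* function names are hypothetical. Each helper is shown first in the form the counters flag, then in the form that counts as prepared or escaped.

```php
<?php
/*
 * Added illustration, not WP-EMail's code. Hypothetical helpers that read a
 * row from a hypothetical {prefix}email_log table and render it in an admin
 * table, each in the flagged form and in the hardened form.
 */

// UNSAFE: request data interpolated into SQL. An integer cast is easy to
// forget, and a string column such as email_to is a textbook SQLi sink.
function example_get_log_row_unsafe( $wpdb, $email ) {
    $sql = "SELECT email_id, email_to, email_subject FROM {$wpdb->prefix}email_log WHERE email_to = '$email' LIMIT 1";
    return $wpdb->get_row( $sql );
}

// SAFE: $wpdb->prepare() binds values through %s / %d / %f placeholders and
// escapes them; the table name comes from $wpdb->prefix, never from input.
function example_get_log_row_safe( $wpdb, $email ) {
    $sql = $wpdb->prepare(
        "SELECT email_id, email_to, email_subject FROM {$wpdb->prefix}email_log WHERE email_to = %s LIMIT 1",
        $email
    );
    return $wpdb->get_row( $sql );
}

// LIKE needs $wpdb->esc_like() as well: a "prepared" query still lets % and _
// in the search term act as wildcards unless they are escaped first.
function example_search_log_safe( $wpdb, $term, $limit ) {
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT email_id, email_to, email_subject FROM {$wpdb->prefix}email_log WHERE email_subject LIKE %s ORDER BY email_id DESC LIMIT %d",
        $like,
        (int) $limit
    );
    return $wpdb->get_results( $sql );
}

// UNSAFE: every value reaches the page unescaped. A stored subject such as
// <script>...</script> runs for whoever opens the log page (stored XSS).
function example_render_row_unsafe( $row ) {
    echo '<tr><td>' . $row->email_id . '</td>';
    echo '<td><a href="mailto:' . $row->email_to . '">' . $row->email_to . '</a></td>';
    echo '<td>' . $row->email_subject . '</td></tr>';
}

// SAFE: choose the escaper for the context: esc_html() for text nodes,
// esc_attr() for attribute values, esc_url() for href/src. Escape at output
// time regardless of how the value was sanitized when it was stored.
function example_render_row_safe( $row ) {
    echo '<tr><td>' . (int) $row->email_id . '</td>';
    echo '<td><a href="' . esc_url( 'mailto:' . $row->email_to ) . '">' . esc_html( $row->email_to ) . '</a></td>';
    echo '<td>' . esc_html( $row->email_subject ) . '</td></tr>';
}
```

Static counters of the kind shown on this page typically treat any `$wpdb->query()`/`get_results()` call whose SQL string is not the return value of `prepare()` as raw, and any `echo` whose operand is not wrapped in an `esc_*()` call as unescaped; the safe variants above would satisfy both counters, while the unsafe ones would add to the 8 raw queries and 77 unescaped outputs.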
Vulnerabilities (5)

WP-EMail Security Vulnerabilities

CVEs by Year

2016: 2 CVEs
2022: 2 CVEs
2023: 1 CVE

All five are patched.

Severity Breakdown

Critical: 1
High: 1
Medium: 3

5 total CVEs

CVE-2023-3721 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP-EMail <= 2.69.0 - Authenticated (Admin+) Stored Cross-Site Scripting
Jul 24, 2023 · Patched in 2.69.1 (183d)

CVE-2022-1614 · medium · 6.5 · Authorization Bypass Through User-Controlled Key
WP-EMail <= 2.68.2 - Spam Protection Bypass
May 30, 2022 · Patched in 2.69.0 (603d)

CVE-2022-1630 · medium · 6.1 · Cross-Site Request Forgery (CSRF)
WP-EMail <= 2.68.2 - Cross-Site Request Forgery to Log Deletion
May 30, 2022 · Patched in 2.69.0 (603d)

WF-4ebbe9a4-3769-4e05-9377-907b43e3fe10-wp-email · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP-EMail <= 2.67.2 - Unauthenticated Cross-Site Scripting
Jul 7, 2016 · Patched in 2.67.3 (2756d)

WF-af90aef0-fd96-43ff-8400-09bd5cebed28-wp-email · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
WP-EMail < 2.67.2 - SQL Injection
May 14, 2016 · Patched in 2.67.2 (2810d)
Code Analysis
Analyzed Mar 16, 2026

WP-EMail Code Analysis

Dangerous Functions: 0
SQL Queries: 16 total, 8 prepared, 8 raw
Outputs: 124 total, 47 escaped, 77 unescaped
Nonce Checks: 4
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

50% prepared (8 of 16 queries)

Output Escaping

38% escaped (47 of 124 outputs)
Data Flows: all sanitized

Data Flow Analysis

4 flows traced in email-manager.php (<email-manager>), each passing through a sanitizer between the user-input source and the sink.
Attack Surface

WP-EMail Attack Surface

Entry Points: 7
Unprotected: 0

AJAX Handlers (2)

auth · wp_ajax_email · wp-email.php:746
nopriv (reachable without login) · wp_ajax_email · wp-email.php:747

Shortcodes (5)

[email_link] · wp-email.php:216
[donotemail] · wp-email.php:230
[donotprint] · wp-email.php:396
[donotemail] · wp-email.php:399
[email_link] · wp-email.php:401
WordPress Hooks (21)

filter · wp_title · email-popup.php:6
filter · the_title · email-popup.php:7
action · wp_head · email-standalone.php:6
filter · wp_title · email-standalone.php:7
action · loop_start · email-standalone.php:8
filter · comments_open · email-standalone.php:9
action · admin_menu · wp-email.php:42
action · init · wp-email.php:51
filter · query_vars · wp-email.php:59
action · wp_head · wp-email.php:68
action · wp_enqueue_scripts · wp-email.php:75
filter · the_title · wp-email.php:264
filter · the_content · wp-email.php:265
filter · email_form-fieldvalues · wp-email.php:507
action · template_redirect · wp-email.php:727
action · plugins_loaded · wp-email.php:1194
filter · wp_stats_page_admin_plugins · wp-email.php:1196
filter · wp_stats_page_admin_most · wp-email.php:1197
filter · wp_stats_page_plugins · wp-email.php:1198
filter · wp_stats_page_most · wp-email.php:1199
action · widgets_init · wp-email.php:1363
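Two of the classes in the vulnerability list, CSRF against a destructive admin action (CVE-2022-1630, log deletion) and trusting a user-controlled key (CVE-2022-1614), map directly onto the entry points listed here, in particular the AJAX handler that is registered for anonymous (nopriv) callers. The block below is an added illustration for this page, not WP-EMail's code: a hypothetical plugin `example-email` with a log-deletion action and a recommend-by-email AJAX handler, showing the checks each needs. Its hook names, the table `{prefix}example_email_log`, the script handle and the nonce actions are all assumptions.

```php
<?php
/*
 * Added illustration, not WP-EMail's code. Hypothetical plugin "example-email":
 * (1) an admin "delete log entries" action and (2) a recommend-by-email AJAX
 * handler registered for both logged-in (wp_ajax_*) and anonymous
 * (wp_ajax_nopriv_*) callers. Table, hook and handle names are assumed.
 */

// (1) Destructive admin action via admin-post.php. A nonce alone stops CSRF,
// a capability check alone stops low-privilege users; a delete needs both.
// check_admin_referer() calls wp_die() on a missing or invalid nonce.
function example_email_delete_logs() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-email' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_email_delete_logs' );

    global $wpdb;
    $ids = isset( $_POST['log_ids'] ) ? array_map( 'absint', (array) $_POST['log_ids'] ) : array();
    $ids = array_values( array_filter( $ids ) );
    if ( ! empty( $ids ) ) {
        // Bind every id; never splice the raw list into the IN () clause.
        $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
        $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}example_email_log WHERE id IN ($placeholders)", $ids ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-email-logs&deleted=' . count( $ids ) ) );
    exit;
}
add_action( 'admin_post_example_email_delete_logs', 'example_email_delete_logs' );

// The form that triggers it must carry the matching nonce field.
function example_email_delete_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_email_delete_logs" />';
    wp_nonce_field( 'example_email_delete_logs' );
    echo '<label><input type="checkbox" name="log_ids[]" value="1" /> entry 1</label>';
    submit_button( __( 'Delete selected', 'example-email' ) );
    echo '</form>';
}

// (2) AJAX handler anonymous visitors can reach. There is no capability to
// check, so the defences are a nonce (CSRF), server-side authorization of the
// user-supplied post_id (never a client-held "allowed" key), strict input
// validation, and a rate limit held on the server.
function example_email_ajax_send() {
    check_ajax_referer( 'example_email_send', 'security' ); // dies on failure

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $to      = isset( $_POST['to'] ) ? sanitize_email( wp_unslash( $_POST['to'] ) ) : '';
    $post    = $post_id ? get_post( $post_id ) : null;

    if ( ! $post || 'publish' !== $post->post_status || post_password_required( $post ) ) {
        wp_send_json_error( array( 'message' => 'invalid post' ), 400 );
    }
    if ( ! is_email( $to ) ) {
        wp_send_json_error( array( 'message' => 'invalid recipient' ), 400 );
    }

    // Per-IP throttle in a transient (60 s window); the client cannot reset it.
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $key = 'example_email_rl_' . md5( $ip );
    if ( get_transient( $key ) ) {
        wp_send_json_error( array( 'message' => 'too many requests' ), 429 );
    }
    set_transient( $key, 1, MINUTE_IN_SECONDS );

    $subject = wp_strip_all_tags( get_the_title( $post ) );
    wp_mail( $to, $subject, get_permalink( $post ) );
    wp_send_json_success( array( 'sent' => true ) );
}
add_action( 'wp_ajax_example_email_send', 'example_email_ajax_send' );
add_action( 'wp_ajax_nopriv_example_email_send', 'example_email_ajax_send' );

// The nonce for the front-end form is emitted with the script that submits it.
function example_email_enqueue() {
    wp_register_script( 'example-email-js', plugins_url( 'email.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-email-js', 'exampleEmailL10n', array(
        'ajaxurl'  => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'example_email_send' ),
    ) );
    wp_enqueue_script( 'example-email-js' );
}
add_action( 'wp_enqueue_scripts', 'example_email_enqueue' );
```

For anonymous callers, `check_ajax_referer()` is a CSRF defence and not an anti-abuse one: WordPress issues logged-out nonces for user ID 0, so any visitor can obtain a valid one, and full-page caching can serve a nonce past its lifetime (24 hours, in two 12-hour ticks). That is why the handler also authorizes `post_id` on the server and throttles by IP. A parameter such as `verified=1` or a client-echoed token that switches the spam check off is exactly the user-controlled key behind CWE-639, the weakness class recorded for CVE-2022-1614.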
Maintenance & Trust

WP-EMail Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Dec 18, 2024
PHP min version: (not listed)
Downloads: 515K

Community Trust

Rating: 90/100
Number of ratings: 11
Active installs: 2K
Developer Profile

WP-EMail Developer Profile

Lester Chan

20 plugins · 889K total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 1377 days
Detection Fingerprints

How We Detect WP-EMail

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-email/email-css.css
/wp-content/plugins/wp-email/email-css-rtl.css
/wp-content/plugins/wp-email/email-js.js
Script Paths
/wp-content/plugins/wp-email/email-js.js
Version Parameters
wp-email/email-css.css?ver=
wp-email/email-css-rtl.css?ver=
wp-email/email-js.js?ver=

HTML / DOM Fingerprints

CSS Classes
WP-EmailIcon
Inline Handlers
email_popup(this.href) (inline onclick call on the e-mail link)
JS Globals
emailL10n
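The fingerprints above can be turned into a small detector. The script below is an added example for this page, not the site's own crawler code: it looks for the three asset paths, reads the `?ver=` parameter from the asset URL, and checks for the CSS class, the inline `email_popup(this.href)` call and the `emailL10n` global. `SAMPLE_HTML` is constructed for the test and is not a capture from a real site; in practice you would fetch a page and pass its body to `fingerprint()`.

```python
"""Detect WP-EMail in a page's HTML using the fingerprints listed above.

Added example for this page, not the site's own detector. The asset paths,
ver= parameter, CSS class, inline email_popup(this.href) call and emailL10n
global come from the fingerprint list; SAMPLE_HTML is constructed for the
test. Fetch a page (e.g. with urllib) and pass its body to fingerprint().
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

PLUGIN_DIR = "/wp-content/plugins/wp-email/"
KNOWN_ASSETS = ("email-css.css", "email-css-rtl.css", "email-js.js")
DOM_MARKERS = ("WP-EmailIcon", "email_popup(this.href)", "emailL10n")

# src= / href= attribute values. The version is read from the URL's query
# string rather than matched in the regex, so "&amp;"-encoded queries and
# extra parameters are handled uniformly.
_ATTR_URL = re.compile(r"""\b(?:src|href)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


@dataclass
class Fingerprint:
    detected: bool = False
    assets: List[str] = field(default_factory=list)   # matched asset file names
    version: Optional[str] = None                     # first ?ver= seen on a plugin asset
    dom_markers: List[str] = field(default_factory=list)


def fingerprint(html: str) -> Fingerprint:
    fp = Fingerprint()
    for m in _ATTR_URL.finditer(html):
        url = m.group(1).replace("&amp;", "&")  # WordPress HTML-encodes & in query strings
        parsed = urlparse(url)
        if PLUGIN_DIR not in parsed.path:
            continue
        name = parsed.path.rsplit("/", 1)[-1]
        if name in KNOWN_ASSETS and name not in fp.assets:
            fp.assets.append(name)
        ver = parse_qs(parsed.query).get("ver")
        if ver and fp.version is None:
            fp.version = ver[0]
    fp.dom_markers = [mk for mk in DOM_MARKERS if mk in html]
    # An enqueued plugin asset is the strong signal. DOM markers alone are weak
    # (a theme may copy the markup), so on their own require at least two.
    fp.detected = bool(fp.assets) or len(fp.dom_markers) >= 2
    return fp


# Constructed sample modelled on what wp_enqueue_style/script and the plugin's
# e-mail link emit. Not a capture from a live site.
SAMPLE_HTML = """
<link rel="stylesheet" id="wp-email-css" href="https://example.test/wp-content/plugins/wp-email/email-css.css?ver=2.69.2" media="all" />
<script src="https://example.test/wp-content/plugins/wp-email/email-js.js?ver=2.69.2" id="wp-email-js"></script>
<script>var emailL10n = {"ajax_url":"https://example.test/wp-admin/admin-ajax.php"};</script>
<a href="https://example.test/2024/hello-world/" onclick="email_popup(this.href); return false;"><span class="WP-EmailIcon"></span>Email this post</a>
"""

if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML))
```

The `ver=` value is whatever the plugin passed to `wp_enqueue_script()`/`wp_enqueue_style()`, which is usually but not necessarily the release version; minification and cache-busting plugins may rewrite or strip it, so treat a missing version as "present, version unknown" rather than "absent".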
FAQ

Frequently Asked Questions about WP-EMail