Email Marketing Plugin – WP Email Capture Security & Risk Analysis

wordpress.org/plugins/wp-email-capture

Double opt-in form for building your email list. Define landing pages to distribute your ebooks & software.

1K active installs · v3.12.6 · PHP + WP 5.0+ · Updated Dec 15, 2025
Tags: email, email-marketing, gutenberg-ready, mailing-list, widget-ready
Score: 95 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Dec 31, 2025
Safety Verdict

Is Email Marketing Plugin – WP Email Capture Safe to Use in 2026?

Generally Safe

Score 95/100

Email Marketing Plugin – WP Email Capture has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Dec 31, 2025 · Updated 3mo ago
Risk Assessment

The wp-email-capture plugin v3.12.6 exhibits a mixed security posture. While it demonstrates good practices in SQL query preparation (97% prepared) and includes a reasonable number of nonce and capability checks, significant concerns arise from its attack surface and taint analysis. The presence of a single AJAX handler without authentication checks represents a direct entry point for potential malicious activity, especially given the taint analysis revealing 14 flows with unsanitized paths, 4 of which are of high severity. This indicates a risk of input being processed without adequate validation or sanitization, potentially leading to exploits.

The plugin's vulnerability history, with 5 known medium-severity CVEs, also points to past weaknesses in areas such as missing authorization, information exposure, CSRF, and XSS. Although there are no currently unpatched CVEs, the recurring nature of these vulnerability types suggests a pattern of insufficient input validation and authorization checks in the codebase. The plugin's reliance on TinyMCE, while common, also introduces potential risks if the bundled library is outdated. Overall, the plugin has strengths in its database interaction but requires significant attention to its input sanitization, authorization, and attack surface management.

Key Concerns

  • Unprotected AJAX handler
  • High severity taint flows (4)
  • Unsanitized paths in taint flows (14)
  • Low output escaping percentage (40%)
  • History of 5 medium CVEs
  • Bundled TinyMCE library
Vulnerabilities
5

Email Marketing Plugin – WP Email Capture Security Vulnerabilities

CVEs by Year

3 CVEs in 2023
2 CVEs in 2025

Severity Breakdown

Medium: 5

5 total CVEs

CVE-2025-68529 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Email Capture <= 3.12.5 - Cross-Site Request Forgery

Dec 31, 2025 · Patched in 3.12.6 (7d)

CVE-2025-67578 · medium · 4.3 · Missing Authorization

Email Capture <= 3.12.4 - Missing Authorization

Dec 8, 2025 · Patched in 3.12.5 (5d)

CVE-2023-28421 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

WordPress Email Marketing Plugin – WP Email Capture <= 3.10 - Information Exposure via wp_email_capture_options_process

Mar 15, 2023 · Patched in 3.11 (314d)

CVE-2023-23724 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WordPress Email Marketing Plugin – WP Email Capture <= 3.9.3 - Cross Site Request Forgery

Feb 15, 2023 · Patched in 3.10 (342d)

CVE-2023-23723 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Email Capture <= 3.9.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jan 30, 2023 · Patched in 3.10 (358d)
Code Analysis
Analyzed Mar 16, 2026

Email Marketing Plugin – WP Email Capture Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (28 prepared)
Unescaped Output: 75 (50 escaped)
Nonce Checks: 4
Capability Checks: 4
File Operations: 0
External Requests: 2
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

97% prepared · 29 total queries

Output Escaping

40% escaped · 125 total outputs
Data Flows
14 unsanitized

Data Flow Analysis

15 flows · 14 with unsanitized paths
wp_email_capture_dashboard_widget (inc\dashboard.php:7)
Attack Surface
1 unprotected

Email Marketing Plugin – WP Email Capture Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_dismissed_notice_handler · inc\functions.php:381

Shortcodes 1

[wp_email_capture_form] wp-email-capture.php:69
WordPress Hooks 41
filter · wp_mail_content_type · inc\functions.php:219
action · wp_email_capture_help_boxes · inc\help.php:74
action · wp_email_capture_help_boxes · inc\help.php:107
action · wp_email_capture_help_boxes · inc\help.php:140
action · wp_email_capture_help_boxes · inc\help.php:181
action · wp_email_capture_dashboard_premium_upsell · inc\options.php:738
filter · mce_external_plugins · inc\tinymce.php:15
filter · mce_buttons · inc\tinymce.php:16
action · wpec_tracking · inc\tracking.php:26
filter · wpec_tracking_filters · inc\tracking.php:27
action · init · wp-email-capture.php:45
action · admin_init · wp-email-capture.php:46
action · wp_dashboard_setup · wp-email-capture.php:47
action · admin_menu · wp-email-capture.php:48
action · admin_notices · wp-email-capture.php:50
action · admin_notices · wp-email-capture.php:51
action · admin_init · wp-email-capture.php:52
action · admin_init · wp-email-capture.php:53
action · widgets_init · wp-email-capture.php:54
action · init · wp-email-capture.php:57
action · wp_email_capture_signup_actions · wp-email-capture.php:58
action · wp_email_capture_confirm_actions · wp-email-capture.php:59
action · wp_enqueue_scripts · wp-email-capture.php:60
action · admin_enqueue_scripts · wp-email-capture.php:61
filter · wp_email_capture_send_email · wp-email-capture.php:62
action · wp_email_capture_set_wp_email_capture_email_settings · wp-email-capture.php:63
action · wp_email_capture_set_normal_email_settings · wp-email-capture.php:64
action · plugins_loaded · wp-email-capture.php:67
action · enqueue_block_editor_assets · wp-email-capture.php:73
action · enqueue_block_assets · wp-email-capture.php:74
action · wp_email_capture_help_boxes · wp-email-capture.php:75
action · wp_email_capture_form_echo_form_before_submit_button · wp-email-capture.php:82
filter · wp_email_capture_display_form · wp-email-capture.php:83
action · wp_email_capture_signup_actions · wp-email-capture.php:84
action · wp_email_capture_hourly · wp-email-capture.php:85
action · admin_init · wp-email-capture.php:87
filter · wp_privacy_personal_data_exporters · wp-email-capture.php:88
filter · wp_privacy_personal_data_erasers · wp-email-capture.php:89
action · wp_email_capture_help_boxes · wp-email-capture.php:91
action · wp_email_capture_signup_actions · wp-email-capture.php:96
action · plugins_loaded · wp-email-capture.php:101

Scheduled Events 1

wp_email_capture_hourly
Maintenance & Trust

Email Marketing Plugin – WP Email Capture Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 15, 2025
PHP min version
Downloads: 307K

Community Trust

Rating: 86/100
Number of ratings: 19
Active installs: 1K
Developer Profile

Email Marketing Plugin – WP Email Capture Developer Profile

Rhys Wynne

13 plugins · 7K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 476 days
Detection Fingerprints

How We Detect Email Marketing Plugin – WP Email Capture

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-email-capture/inc/css/wp-email-capture-styles.css
/wp-content/plugins/wp-email-capture/inc/css/wp-email-capture-default-styles.css
/wp-content/plugins/wp-email-capture/inc/js/enqueue-invisible.js
/wp-content/plugins/wp-email-capture/inc/js/recaptcha-handling.js
/wp-content/plugins/wp-email-capture/inc/js/admin-custom.js
/wp-content/plugins/wp-email-capture/inc/css/wp-email-capture-admin-styles.css
Script Paths
https://www.google.com/recaptcha/api.js
https://www.google.com/recaptcha/api.js?render=
Version Parameters
wp-email-capture/inc/css/wp-email-capture-styles.css?ver=
wp-email-capture/inc/css/wp-email-capture-default-styles.css?ver=
wp-email-capture/inc/js/enqueue-invisible.js?ver=
wp-email-capture/inc/js/recaptcha-handling.js?ver=
wp-email-capture/inc/js/admin-custom.js?ver=
wp-email-capture/inc/css/wp-email-capture-admin-styles.css?ver=

HTML / DOM Fingerprints

CSS Classes
wp_email_capture_form_field
wp_email_capture_submit_button
HTML Comments
<!--WP Email Capture Form-->
<!--Email Capture Form-->
<!--Email Capture Form Field-->
<!--Email Capture Submit Button-->
Data Attributes
data-recaptcha-site-key
JS Globals
wpec_recaptcha_object
Shortcode Output
[wp_email_capture_form]