WP Email Template Security & Risk Analysis

wordpress.org/plugins/wp-email-template

Add a beautiful HTML Template to all WordPress and plugin generated emails. Send email options - SMTP, Gmail, Mandrill, SparkPost, GoDaddy Hosting sup …

2K active installs · v2.8.5 · PHP + WP 6.0+ · Updated Dec 2, 2025

Tags: contact, email, email-template, wordpress-email, wordpress-email-template

Score: 73 (B · Generally Safe)
CVEs total: 3
Unpatched: 1
Last CVE: Sep 5, 2025
Safety Verdict

Is WP Email Template Safe to Use in 2026?

Mostly Safe

Score 73/100

WP Email Template is generally safe to use. 3 past CVEs were resolved. Keep it updated.

3 known CVEs · 1 unpatched · Last CVE: Sep 5, 2025 · Updated 4mo ago
Risk Assessment

The "wp-email-template" v2.8.5 plugin exhibits a mixed security posture. While it demonstrates good practices in using prepared statements for SQL queries (73%) and proper output escaping (96%), significant concerns arise from its attack surface. Notably, both of its AJAX handlers lack authentication checks, creating a direct entry point for unauthorized actions.

Taint analysis, though limited in scope with only 8 flows, revealed 4 flows with unsanitized paths, indicating a potential for vulnerabilities if these paths were to interact with user-supplied data. The plugin's vulnerability history is also a significant red flag, with 3 known CVEs, including one high-severity unpatched vulnerability. The common types of past vulnerabilities (CSRF, XSS) suggest a pattern of input validation and authorization weaknesses.

While the plugin's strengths lie in its robust output escaping and SQL practices, these are overshadowed by the unprotected AJAX endpoints and the presence of unpatched vulnerabilities. The vulnerability history, particularly the recurring CSRF and XSS issues, combined with the current lack of a patch for a high-severity CVE, calls for immediate attention and patching.

Key Concerns

  • Unprotected AJAX handlers
  • Unpatched high severity CVE
  • Flows with unsanitized paths
  • History of CSRF vulnerabilities
  • History of XSS vulnerabilities
Vulnerabilities (3)

WP Email Template Security Vulnerabilities

CVEs by Year

  • 2019: 1 CVE (patched)
  • 2022: 1 CVE (patched)
  • 2025: 1 CVE (unpatched)

Severity Breakdown

High: 1
Medium: 2

3 total CVEs

CVE-2025-58800 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP Email Template <= 2.8.3 - Cross-Site Request Forgery

Sep 5, 2025 · Unpatched

WF-0a5a0ca6-f355-4110-a533-04e46c741ec9-wp-email-template · high · 8.8 · Cross-Site Request Forgery (CSRF)

a3 Lazy Load <= 2.6.0 - Cross-Site Request Forgery to Settings Reset

Nov 2, 2022 · Patched in 2.6.3 (447d)

CVE-2019-25144 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP HTML Mail < 2.2.11 - HTML injection

Oct 25, 2019 · Patched in 2.2.11 (1681d)
Code Analysis
Analyzed Mar 16, 2026

WP Email Template Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (8 prepared)
Unescaped Output: 39 (1010 escaped)
Nonce Checks: 6
Capability Checks: 6
File Operations: 24
External Requests: 8
Bundled Libraries: 2

Bundled Libraries

jQuery, Guzzle

SQL Query Safety

73% prepared (11 total queries)

Output Escaping

96% escaped (1049 total outputs)
Data Flows (4 unsanitized)

Data Flow Analysis

8 flows, 4 with unsanitized paths

  • a3_admin_ui_event (admin\admin-interface.php:172)
Attack Surface (2 unprotected)

WP Email Template Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers (2)

  • auth · wp_ajax_preview_wp_email_template · admin\email-init.php:54
  • auth · wp_ajax_postman_send_test_email · admin\email-init.php:61

WordPress Hooks (52)

  • action · plugins_loaded · admin\admin-init.php:47
  • action · init · admin\admin-interface.php:49
  • action · init · admin\admin-interface.php:50
  • action · admin_enqueue_scripts · admin\admin-interface.php:63
  • action · admin_enqueue_scripts · admin\admin-interface.php:64
  • action · admin_print_scripts · admin\admin-interface.php:67
  • action · admin_print_footer_scripts · admin\admin-interface.php:68
  • action · admin_enqueue_scripts · admin\admin-interface.php:79
  • action · init · admin\admin-pages\admin-email-template-page.php:117
  • action · muplugins_loaded · admin\admin-pages\admin-email-template-page.php:133
  • action · init · admin\email-init.php:33
  • action · admin_enqueue_scripts · admin\email-init.php:36
  • action · admin_enqueue_scripts · admin\email-init.php:42
  • filter · plugin_row_meta · admin\email-init.php:45
  • filter · frm_encode_subject · admin\email-init.php:58
  • action · woocommerce_email_header · admin\email-init.php:68
  • action · woocommerce_email_header · admin\email-init.php:71
  • action · woocommerce_email_footer · admin\email-init.php:74
  • action · woocommerce_email_footer · admin\email-init.php:77
  • filter · gform_pre_replace_merge_tags · admin\email-init.php:80
  • filter · wp_mail · admin\email-init.php:83
  • filter · wp_mail_from · admin\email-init.php:86
  • filter · wp_mail_from_name · admin\email-init.php:87
  • action · phpmailer_init · admin\email-init.php:90
  • action · init · admin\email-init.php:97
  • action · admin_enqueue_scripts · admin\includes\uploader\class-uploader.php:59
  • action · wp_enqueue_scripts · admin\less\sass.php:22
  • filter · filesystem_method · admin\less\sass.php:57
  • action · plugins_loaded · admin\settings\exclude-emails-settings.php:81
  • action · plugins_loaded · admin\settings\general-settings.php:83
  • action · plugins_loaded · admin\settings\send-wp-emails\general-settings.php:81
  • action · plugins_loaded · admin\settings\social-media-settings.php:81
  • action · plugins_loaded · admin\settings\style-body-settings.php:81
  • action · plugins_loaded · admin\settings\style-footer-settings.php:81
  • action · plugins_loaded · admin\settings\style-header-image-settings.php:81
  • action · plugins_loaded · admin\settings\style-header-settings.php:81
  • filter · wp_mail_content_type · classes\class-email-functions.php:403
  • action · phpmailer_init · classes\class-send-wp-email-functions.php:65
  • action · phpmailer_init · classes\class-send-wp-email-functions.php:81
  • action · phpmailer_init · classes\class-send-wp-email-functions.php:106
  • action · admin_notices · classes\class-send-wp-email-functions.php:114
  • action · phpmailer_init · classes\class-send-wp-email-functions.php:136
  • action · admin_notices · classes\class-send-wp-email-functions.php:142
  • action · admin_notices · classes\class-send-wp-email-functions.php:144
  • action · admin_notices · classes\class-send-wp-email-functions.php:146
  • action · admin_notices · classes\class-send-wp-email-functions.php:161
  • action · phpmailer_init · classes\class-send-wp-email-functions.php:165
  • action · admin_notices · classes\class-send-wp-email-functions.php:171
  • action · admin_notices · classes\class-send-wp-email-functions.php:173
  • action · admin_notices · classes\class-send-wp-email-functions.php:175
  • filter · wp_mail_content_type · classes\class-send-wp-email-functions.php:500
  • action · before_woocommerce_init · wp-email-template.php:45
Maintenance & Trust

WP Email Template Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.0
Last updated: Dec 2, 2025
PHP min version
Downloads: 251K

Community Trust

Rating: 62/100
Number of ratings: 35
Active installs: 2K
Developer Profile

WP Email Template Developer Profile

Steve Truman

13 plugins · 117K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 539 days
Detection Fingerprints

How We Detect WP Email Template

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wp-email-template/assets/css/style.css
  • /wp-content/plugins/wp-email-template/assets/css/email-style.css
  • /wp-content/plugins/wp-email-template/assets/js/script.js
  • /wp-content/plugins/wp-email-template/assets/js/vendor/bootstrap.min.js
  • /wp-content/plugins/wp-email-template/assets/js/vendor/bootstrap.bundle.min.js
  • /wp-content/plugins/wp-email-template/assets/js/vendor/bootstrap.bundle.js
  • /wp-content/plugins/wp-email-template/assets/js/vendor/bootstrap.js
  • /wp-content/plugins/wp-email-template/assets/js/vendor/jquery.min.js
  • +10 more

Script Paths

  • /wp-content/plugins/wp-email-template/assets/js/script.js
  • /wp-content/plugins/wp-email-template/assets/js/vendor/bootstrap.min.js
  • /wp-content/plugins/wp-email-template/assets/js/vendor/bootstrap.bundle.min.js
  • /wp-content/plugins/wp-email-template/assets/js/vendor/bootstrap.bundle.js
  • /wp-content/plugins/wp-email-template/assets/js/vendor/bootstrap.js
  • /wp-content/plugins/wp-email-template/assets/js/vendor/jquery.min.js
  • +8 more

Version Parameters

  • /wp-content/plugins/wp-email-template/assets/css/style.css?ver=
  • /wp-content/plugins/wp-email-template/assets/css/email-style.css?ver=
  • /wp-content/plugins/wp-email-template/assets/js/script.js?ver=
  • /wp-content/plugins/wp-email-template/assets/js/vendor/bootstrap.min.js?ver=
  • /wp-content/plugins/wp-email-template/assets/js/vendor/bootstrap.bundle.min.js?ver=
  • /wp-content/plugins/wp-email-template/assets/js/vendor/bootstrap.bundle.js?ver=
  • /wp-content/plugins/wp-email-template/assets/js/vendor/bootstrap.js?ver=
  • /wp-content/plugins/wp-email-template/assets/js/vendor/jquery.min.js?ver=
  • /wp-content/plugins/wp-email-template/assets/js/admin-interface.js?ver=
  • /wp-content/plugins/wp-email-template/assets/js/admin-init.js?ver=
  • /wp-content/plugins/wp-email-template/assets/js/email-template-admin.js?ver=
  • /wp-content/plugins/wp-email-template/assets/js/send-wp-emails.js?ver=
  • /wp-content/plugins/wp-email-template/assets/css/bootstrap/modal.css?ver=
  • /wp-content/plugins/wp-email-template/assets/js/bootstrap/util.js?ver=
  • /wp-content/plugins/wp-email-template/assets/js/bootstrap/modal.js?ver=
  • /wp-content/plugins/wp-email-template/assets/css/bootstrap/popover.css?ver=
  • /wp-content/plugins/wp-email-template/assets/js/bootstrap/popper.min.js?ver=
  • /wp-content/plugins/wp-email-template/assets/js/bootstrap/tooltip.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • wp_email_template_admin_page
  • wp_email_template_admin_interface

HTML Comments

  • <!-- FILE SECURITY CHECK -->
  • /* "Copyright 2012 A3 Revolution Web Design" This software is distributed under the terms of GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 */
  • /*-----------------------------------------------------------------------------------*/
  • /* Admin Interface Constructor */
  • +7 more

Data Attributes

  • data-toggle="modal"
  • data-target="#a3rev-modal-dialog"
  • data-dismiss="modal"
  • data-backdrop="static"
  • data-keyboard="false"
  • data-dismiss="a3rev-modal-dialog"

JS Globals

  • wp_email_template_admin_page
  • wp_email_template_send_wp_emails_page
  • wp_email_template_admin_init
  • wp_et_send_wp_emails
  • wp_email_template_exclude_subject_data
  • a3rev_admin_ui_event_nonce
  • +4 more
REST Endpoints

  • /wp-json/wp-email-template/v1/settings
FAQ

Frequently Asked Questions about WP Email Template