WP Gmail SMTP Security & Risk Analysis

wordpress.org/plugins/wp-gmail-smtp

With WP Gmail SMTP plugin you can connect Gmail to your WordPress website for sending emails. It bypasses the normal WP mail function and sends email …

1K active installs · v1.0.7 · PHP + WP 3.0.1+ · Updated Aug 21, 2018
Tags: gmail-protocol · gmail-smtp · smtp · wp-gmail-smtp
41
D · High Risk
CVEs total: 2
Unpatched: 2
Last CVE: Dec 31, 2025
Safety Verdict

Is WP Gmail SMTP Safe to Use in 2026?

High Risk

Score 41/100

WP Gmail SMTP carries significant security risk with 2 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.

2 known CVEs · 2 unpatched · Last CVE: Dec 31, 2025 · Updated 7yr ago
Risk Assessment

The wp-gmail-smtp plugin has a mixed security posture. Static analysis found no significant attack surface exposed through AJAX, the REST API, shortcodes, or cron events, and SQL queries are properly prepared, but there are notable concerns. The plugin's reliance on external HTTP requests and the presence of a nonce check are positive, but the complete absence of capability checks is a significant weakness. In addition, only 73% of output is properly escaped, which leaves room for cross-site scripting vulnerabilities. The vulnerability history is concerning: there are two known medium-severity CVEs, and both are currently unpatched. The historical presence of CSRF and sensitive information exposure vulnerabilities suggests a pattern of weaknesses in input validation and state management. The plugin's strengths are its limited attack surface and secure SQL practices, but the unpatched vulnerabilities and lack of robust authorization checks present a substantial risk.

Key Concerns

  • 2 unpatched medium severity CVEs
  • Missing capability checks
  • 27% of output is not properly escaped
  • External HTTP requests (potential for SSRF/MITM)
Vulnerabilities
2

WP Gmail SMTP Security Vulnerabilities

CVEs by Year

2 CVEs in 2025 · unpatched

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-62123 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Gmail SMTP <= 1.0.7 - Cross-Site Request Forgery
Dec 31, 2025 · Unpatched

CVE-2025-53232 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor
WP Gmail SMTP <= 1.0.7 - Sensitive Information Exposure
Oct 10, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

WP Gmail SMTP Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 6 (16 escaped)
  • Nonce Checks: 1
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 1
  • Bundled Libraries: 0

Output Escaping

73% escaped · 22 total outputs
Attack Surface

WP Gmail SMTP Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 8
  • action · phpmailer_init · includes\class-smtp-mailer.php:12
  • filter · wp_mail_from · includes\class-smtp-mailer.php:14
  • filter · wp_mail_from_name · includes\class-smtp-mailer.php:15
  • action · admin_menu · wp-gmail-smtp.php:46
  • filter · plugin_action_links · wp-gmail-smtp.php:47
  • action · admin_init · wp-gmail-smtp.php:53
  • action · admin_notices · wp-gmail-smtp.php:55
  • filter · wp_mail_content_type · wp-gmail-smtp.php:136
Maintenance & Trust

WP Gmail SMTP Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.9.29
Last updated: Aug 21, 2018
PHP min version
Downloads: 49K

Community Trust

Rating: 64/100
Number of ratings: 5
Active installs: 1K
Developer Profile

WP Gmail SMTP Developer Profile

inkthemes

5 plugins · 3K total installs

Trust score: 71
Avg Security Score: 67/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WP Gmail SMTP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-gmail-smtp/assets/js/main.js
/wp-content/plugins/wp-gmail-smtp/assets/css/style.css
Script Paths
/wp-content/plugins/wp-gmail-smtp/assets/js/main.js
Version Parameters
wp-gmail-smtp/assets/js/main.js?ver=
wp-gmail-smtp/assets/css/style.css?ver=

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about WP Gmail SMTP