WP Mail Security & Risk Analysis

wordpress.org/plugins/wp-mail

The WP Mail plugin is simply a WordPress network mail or message system. Users can send mail or messages to other users on the same WordPress network.

Active installs: 600 · Version: 1.3 · PHP: not specified · WordPress: 3.4+ · Updated: Oct 6, 2016
Tags: mail, mail-system, mailers, send-mail, wp_mail

Score: 39/100 · Grade D · High Risk
CVEs total: 3
Unpatched: 2
Last CVE: Jan 16, 2026
Safety Verdict

Is WP Mail Safe to Use in 2026?

High Risk

Score 39/100

WP Mail carries significant security risk: 3 known CVEs, 2 of them still unpatched, and no release since Oct 6, 2016 (v1.3), so the unpatched issues are unlikely to be fixed. Consider switching to a maintained alternative.

3 known CVEs · 2 unpatched · Last CVE: Jan 16, 2026 · Plugin last updated 9 years ago
Risk Assessment

The wp-mail plugin v1.3 exhibits a concerning security posture because of weaknesses in its attack surface and output handling, compounded by a history of vulnerabilities. The static analysis found no dangerous functions, file operations or external requests, which is positive, but it also found no capability checks at all, and the plugin registers its AJAX handler on both the authenticated (wp_ajax_) and the unauthenticated (wp_ajax_nopriv_) hooks, so the handler is reachable by anyone who can send a request to admin-ajax.php. Four of the five traced data flows contain unsanitized paths (the one named in the report is mk_pagenavi at wp-mail.php:481), and only 20 of 73 output sites (27%) are escaped, which strongly suggests further Cross-Site Scripting (XSS) exposure. That matches the plugin's CVE history: all three published CVEs are XSS, and the two most recent (a reflected XSS and a Contributor-level stored XSS, both affecting <= 1.3) are unpatched, with no release since October 2016 and a tested-up-to WordPress version of 4.6.30. Prepared statements are used for 7 of the 12 SQL queries; the remaining 5 raw queries should be reviewed, and in any case query safety does not mitigate the output-handling and access-control findings.

Key Concerns

  • Unprotected AJAX handlers, including an unauthenticated (nopriv) registration
  • No capability checks anywhere in the plugin
  • High percentage of unsanitized data-flow paths (4 of 5)
  • Low percentage of properly escaped output (27%)
  • Two unpatched CVEs, with no release since Oct 2016
  • History of XSS vulnerabilities (all three CVEs are XSS)
Vulnerabilities
3 published

WP Mail Security Vulnerabilities

CVEs by Year

  • 2016: 1 CVE (patched)
  • 2025: 1 CVE (unpatched)
  • 2026: 1 CVE (unpatched)

Severity Breakdown

  • Medium: 3 (3 total CVEs)

CVE-2025-68008 · medium · CVSS 6.1 · CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Mail <= 1.3 - Reflected Cross-Site Scripting
  Published Jan 16, 2026 · Unpatched

CVE-2025-58822 · medium · CVSS 6.4 · CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  WP Mail <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
  Published Sep 5, 2025 · Unpatched

CVE-2017-5942 · medium · CVSS 6.1 · CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  WP Mail <= 1.1 - Reflected Cross-Site Scripting
  Published Jul 23, 2016 · Patched in 1.2 (2740d)
Version History

WP Mail Release Timeline

No version history available.
Code Analysis
Analyzed Mar 16, 2026

WP Mail Code Analysis

  • Dangerous functions: 0
  • Raw SQL queries: 5 (7 prepared)
  • Unescaped output: 53 (20 escaped)
  • Nonce checks: 6
  • Capability checks: 0
  • File operations: 0
  • External requests: 0
  • Bundled libraries: 0

SQL Query Safety

58% prepared (7 of 12 queries)

Output Escaping

27% escaped (20 of 73 outputs)
Data Flows · Security
4 unsanitized

Data Flow Analysis

5 flows, 4 with unsanitized paths
  • mk_pagenavi (wp-mail.php:481): unsanitized path from user input to sink
Attack Surface
2 unprotected

WP Mail Attack Surface

Entry points: 3
Unprotected: 2

AJAX Handlers (2)
  • auth: wp_ajax_wp_mail (wp-mail.php:31)
  • nopriv: wp_ajax_wp_mail (wp-mail.php:32), the wp_ajax_nopriv_ registration, which fires for requests from visitors who are not logged in

Shortcodes (1)
  • [wp_mail] (wp-mail.php:35)

WordPress Hooks (5)
  • action admin_menu (wp-mail.php:27)
  • action admin_enqueue_scripts (wp-mail.php:28)
  • action admin_init (wp-mail.php:30)
  • filter plugin_action_links (wp-mail.php:34)
  • action wp_head (wp-mail.php:36)
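The handler pattern behind the Risk Assessment, Code Analysis and Attack Surface findings, as an added illustration that is not the wp-mail plugin's own code: a hypothetical admin-ajax action (`demo_mail`, the handler names `demo_mail_handler_weak` and `demo_mail_handler_hardened`, the table `{$wpdb->prefix}demo_mail` and the request fields `subject` and `to` are all invented for this example) is shown first with the weaknesses the metrics above count (registered on both the `wp_ajax_` and `wp_ajax_nopriv_` hooks, no nonce or capability check, an unsanitized `$_REQUEST` value interpolated into SQL and echoed back unescaped), then hardened with the checks the Code Analysis reports as missing. The page that issues the request must embed a nonce from `wp_create_nonce( 'demo_mail_send' )` for the hardened handler to accept it.

```php
<?php
/**
 * Added illustration, not wp-mail's code: the weakness class the metrics flag
 * (unprotected AJAX handler, unsanitized input, unescaped output, raw SQL)
 * next to a hardened version. Every name below is hypothetical.
 */

// --- Weak pattern ---------------------------------------------------------
// Registering both hooks runs the handler for logged-out visitors too. There is
// no nonce, no capability check, the raw $_REQUEST value is interpolated into
// SQL and echoed straight back, so it is both an injection and an XSS sink.
add_action( 'wp_ajax_demo_mail',        'demo_mail_handler_weak' );
add_action( 'wp_ajax_nopriv_demo_mail', 'demo_mail_handler_weak' );

function demo_mail_handler_weak() {
    global $wpdb;
    $subject = $_REQUEST['subject'];   // unsanitized source
    $to      = $_REQUEST['to'];
    $wpdb->query( "INSERT INTO {$wpdb->prefix}demo_mail (subject, to_user) VALUES ('$subject', '$to')" ); // raw query
    echo '<p>Sent: ' . $subject . '</p>';   // unescaped sink: reflected XSS, stored XSS once re-displayed
    wp_die();
}

// --- Hardened pattern -----------------------------------------------------
// Only the authenticated hook is registered; the nonce ties the request to the
// user's session; a capability check decides who may send; input is sanitized
// before storage and escaped at output; SQL goes through $wpdb->prepare().
add_action( 'wp_ajax_demo_mail', 'demo_mail_handler_hardened' );

function demo_mail_handler_hardened() {
    global $wpdb;

    // 1. CSRF: dies with 403 unless _ajax_nonce matches wp_create_nonce( 'demo_mail_send' ).
    check_ajax_referer( 'demo_mail_send', '_ajax_nonce' );

    // 2. Authorization: a concrete capability, not merely "is logged in".
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input sanitization: subject is one line of plain text, recipient must be an existing user ID.
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $to      = absint( $_POST['to'] ?? 0 );
    if ( '' === $subject || ! get_userdata( $to ) ) {
        wp_send_json_error( array( 'message' => 'Invalid subject or recipient' ), 400 );
    }

    // 4. SQL: placeholders only, never string interpolation of request data.
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}demo_mail (subject, to_user, from_user) VALUES (%s, %d, %d)",
        $subject,
        $to,
        get_current_user_id()
    ) );

    // 5. Output: escape at the sink; a JSON response avoids assembling HTML here at all.
    wp_send_json_success( array( 'message' => 'Sent: ' . esc_html( $subject ) ) );
}
```

The hardened version is what each of the zero-valued or low-valued metrics above is looking for: one `check_ajax_referer` call (nonce check), one `current_user_can` call (capability check), sanitization on every request field before it reaches a sink, `$wpdb->prepare` on every query, and `esc_html` on anything that is sent back. Dropping the `wp_ajax_nopriv_` registration is the single change that removes the unauthenticated entry point; if a feature genuinely must serve logged-out visitors, that handler needs its own rate limiting and must never touch user-controlled SQL or HTML.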
Maintenance & Trust

WP Mail Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 4.6.30
  • Last updated: Oct 6, 2016
  • PHP min version: not specified
  • Downloads: 10K

Community Trust

  • Rating: 100/100
  • Number of ratings: 1 (too few for the rating to carry weight)
  • Active installs: 600
Developer Profile

WP Mail Developer Profile

mndpsingh287

8 plugins · 4.1M total installs

  • Trust score: 64
  • Avg Security Score: 79/100
  • Avg Patch Time: 1115 days
Detection Fingerprints

How We Detect WP Mail

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-mail/inc/img/icon.png

HTML / DOM Fingerprints

Shortcode Output
  • [wp_mail]
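As an added example (not the scanner this site runs), the following PHP 8 script applies the two fingerprints above to a page's HTML, reads the installed version from the plugin's public readme.txt (fetching `/wp-content/plugins/wp-mail/readme.txt` and parsing its `Stable tag:` line is a common crawler technique that this page does not list; here the file content is a constructed string rather than a live fetch), and maps that version onto the affected ranges of the three CVEs published above. The sample HTML and readme text are constructed inline, and `WP_MAIL_CVES`, `wp_mail_fingerprints`, `wp_mail_version_from_readme` and `wp_mail_applicable_cves` are names chosen for the example.

```php
<?php
/**
 * Added example, not the site's own scanner: apply the listed fingerprints to
 * page HTML, recover the plugin version from readme.txt, and report which of
 * the three published CVEs cover that version. All input is constructed.
 */

// Affected ranges exactly as the CVE titles above state them ("<= 1.3", "<= 1.1").
const WP_MAIL_CVES = array(
    'CVE-2025-68008' => array( 'max' => '1.3', 'patched_in' => null,  'type' => 'Reflected XSS' ),
    'CVE-2025-58822' => array( 'max' => '1.3', 'patched_in' => null,  'type' => 'Stored XSS (Contributor+)' ),
    'CVE-2017-5942'  => array( 'max' => '1.1', 'patched_in' => '1.2', 'type' => 'Reflected XSS' ),
);

/** Which of the two fingerprints from the Detection Fingerprints section appear in $html. */
function wp_mail_fingerprints( string $html ): array {
    return array(
        'asset_path'       => str_contains( $html, '/wp-content/plugins/wp-mail/inc/img/icon.png' ),
        'shortcode_output' => str_contains( $html, '[wp_mail]' ),
    );
}

/** Version from a WordPress.org-style readme.txt "Stable tag:" line, or null if absent. */
function wp_mail_version_from_readme( string $readme ): ?string {
    return preg_match( '/^Stable tag:\s*([0-9][0-9.]*)/mi', $readme, $m ) ? $m[1] : null;
}

/** CVE ids whose affected range (<= max) covers $version, using WordPress's own version ordering. */
function wp_mail_applicable_cves( string $version ): array {
    $hits = array();
    foreach ( WP_MAIL_CVES as $id => $cve ) {
        if ( version_compare( $version, $cve['max'], '<=' ) ) {
            $hits[] = $id;
        }
    }
    return $hits;
}

// Constructed sample page: the icon is referenced and the shortcode was left unrendered.
$sample_html = <<<'HTML'
<link rel="icon" href="https://example.test/wp-content/plugins/wp-mail/inc/img/icon.png">
<div class="entry-content"><p>[wp_mail]</p></div>
HTML;

// Constructed readme.txt as a crawler would retrieve it from the plugin directory on the target.
$sample_readme = "=== WP Mail ===\nContributors: mndpsingh287\nStable tag: 1.3\nTested up to: 4.6.30\n";

$fp       = wp_mail_fingerprints( $sample_html );
$detected = $fp['asset_path'] || $fp['shortcode_output'];
$version  = wp_mail_version_from_readme( $sample_readme );

printf( "wp-mail detected: %s (asset=%d shortcode=%d), version: %s\n",
    $detected ? 'yes' : 'no', (int) $fp['asset_path'], (int) $fp['shortcode_output'], $version ?? 'unknown' );

if ( $detected && null !== $version ) {
    foreach ( wp_mail_applicable_cves( $version ) as $id ) {
        $cve = WP_MAIL_CVES[ $id ];
        printf( "  %s: %s, %s\n", $id, $cve['type'],
            null === $cve['patched_in'] ? 'unpatched' : 'patched in ' . $cve['patched_in'] );
    }
}
```

With the constructed input the script reports both fingerprints, version 1.3, and the two unpatched CVEs; CVE-2017-5942 is excluded because its range ends at 1.1. On a real target, replace the two constructed strings with the fetched page body and readme, and treat a missing readme as "version unknown" rather than assuming the latest release.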