WP-Safety

WP Mail Gateway Security & Risk Analysis

wordpress.org/plugins/wp-mail-gateway

Send email from your Wordpress site via SMTP and other 3rd party mail gateway provider. Current it supports Amazon SES, Mailgun, Mandrill, Mailjet, Po …

70 active installs v1.8 PHP 5.6+ WP 4.0+ Updated Mar 24, 2021
emailgatewaymailgunmailjetmandrill
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is WP Mail Gateway Safe to Use in 2026?

Generally Safe

Score 85/100

WP Mail Gateway has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 5yr ago
Risk Assessment

The wp-mail-gateway v1.8 plugin exhibits a mixed security posture. On the positive side, it shows good practices with 100% of its SQL queries using prepared statements and no recorded vulnerabilities in its history. However, there are significant concerns arising from the static analysis. The plugin has a small but entirely unprotected attack surface with three AJAX handlers lacking any authentication or capability checks. Furthermore, the presence of the `unserialize` function without any apparent sanitization or context, coupled with only 50% of outputs being properly escaped, raises red flags for potential code injection and cross-site scripting (XSS) vulnerabilities. The lack of nonce checks on AJAX handlers is a critical oversight that could allow attackers to trigger actions on behalf of authenticated users.

Key Concerns

  • 3 AJAX handlers without auth checks
  • Use of unserialize() without checks
  • 50% of outputs not properly escaped
  • 0 Nonce checks
  • 0 Capability checks
Vulnerabilities
None known

WP Mail Gateway Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WP Mail Gateway Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
0 prepared
Unescaped Output
1
1 escaped
Nonce Checks
0
Capability Checks
0
File Operations
1
External Requests
0
Bundled Libraries
2

Dangerous Functions Found

unserializereturn unserialize($options);src\Functions.php:230

Bundled Libraries

Guzzle1.1PHPMailer

Output Escaping

50% escaped2 total outputs
Attack Surface
3 unprotected

WP Mail Gateway Attack Surface

Entry Points3
Unprotected3

AJAX Handlers 3

authwp_ajax_wmg_get_saved_configssrc\Bootstrap.php:46
authwp_ajax_wmg_save_provider_configsrc\Bootstrap.php:47
authwp_ajax_wmg_test_provider_config_send_mailsrc\Bootstrap.php:48
WordPress Hooks 5
actionadmin_initsrc\Bootstrap.php:18
filterplugin_row_metasrc\Bootstrap.php:20
actionadmin_menusrc\Bootstrap.php:39
actionadmin_enqueue_scriptssrc\Bootstrap.php:43
actionadmin_headsrc\Functions.php:38
Maintenance & Trust

WP Mail Gateway Maintenance & Trust

Maintenance Signals

WordPress version tested5.7.15
Last updatedMar 24, 2021
PHP min version5.6
Downloads3K

Community Trust

Rating68/100
Number of ratings5
Active installs70
Alternatives

WP Mail Gateway Alternatives

Send Emails with Mandrill

Send Emails with Mandrill

send-emails-with-mandrill

A
99

'Send Emails with Mandrill' sends emails that are generated by WordPress through Mandrill, a transactional email service powered by MailChimp.

7K 1 CVE
BLAZING Email Transfer Payment Gateway

BLAZING Email Transfer Payment Gateway

woocommerce-email-money-transfer-gateway

A
92

Many customers in Canada prefer to pay for the merchandise they buy, by e-Transfer (formerly Email Money Transfer).

2K No CVEs
Contact Form 7 to Mailjet

Contact Form 7 to Mailjet

cf7-to-mailjet

A
85

Link Contact Form 7 with Mailjet contact list

600 No CVEs
Freshjet

Freshjet

freshjet

A
85

Send email through wp_mail() but super-powered by Mailjet transactional email. This plugin is probably the most convenient way to use Mailjet transact …

100 No CVEs
Surbma | SMTP

Surbma | SMTP

surbma-smtp

A
85

External SMTP mail configuration via global variables in wp-config.php.

20 No CVEs
Developer Profile

WP Mail Gateway Developer Profile

Shaharia Azam

5 plugins · 470 total installs

81
trust score
Avg Security Score
81/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WP Mail Gateway

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-mail-gateway/assets/css/bootstrap-wmg.css/wp-content/plugins/wp-mail-gateway/assets/css/sweetalert2.min.css/wp-content/plugins/wp-mail-gateway/assets/css/main.css/wp-content/plugins/wp-mail-gateway/assets/js/popper.min.js/wp-content/plugins/wp-mail-gateway/assets/js/bootstrap.min.js/wp-content/plugins/wp-mail-gateway/assets/js/sweetalert2.min.js/wp-content/plugins/wp-mail-gateway/assets/js/main.js
Script Paths
/wp-content/plugins/wp-mail-gateway/assets/js/popper.min.js/wp-content/plugins/wp-mail-gateway/assets/js/bootstrap.min.js/wp-content/plugins/wp-mail-gateway/assets/js/sweetalert2.min.js/wp-content/plugins/wp-mail-gateway/assets/js/main.js
Version Parameters
wp-mail-gateway/assets/css/bootstrap-wmg.css?ver=wp-mail-gateway/assets/css/sweetalert2.min.css?ver=wp-mail-gateway/assets/css/main.css?ver=wp-mail-gateway/assets/js/popper.min.js?ver=wp-mail-gateway/assets/js/bootstrap.min.js?ver=wp-mail-gateway/assets/js/sweetalert2.min.js?ver=wp-mail-gateway/assets/js/main.js?ver=

HTML / DOM Fingerprints

CSS Classes
wmgwp-mail-gateway-plugin-adminpage
Data Attributes
data-target="#mailgunModal"data-target="#mailjetModal"data-target="#awsSesModal"data-target="#mandrillModal"data-target="#postmarkModal"data-target="#sendgridModal"+1 more
JS Globals
window.wp_mail_gateway_admin_data
FAQ

Frequently Asked Questions about WP Mail Gateway