[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fIbqnCtB-plmMMCxhuKjWFeKx1KrMXtIsd4YiBtn2Y-M":3,"$fkQLQZghxkwi5k8Vzblt92iUSeEvYLo_iX0ztSqtsgSw":446,"$fSPWj4brF8_eytHAdl7cwNOJVbYuzXF5Emjw1aJfSvGU":450},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":29,"last_vuln_date":30,"fetched_at":31,"discovery_status":32,"vulnerabilities":33,"developer":85,"crawl_stats":39,"alternatives":92,"analysis":192,"fingerprints":431},"wp-mail","WP Mail","1.3","mndpsingh287","https:\u002F\u002Fprofiles.wordpress.org\u002Fmndpsingh287\u002F","\u003Ch4>WP Mail plugin is simply a wp network mail or message system. User can send mail or messages to other users over one wp network.\u003C\u002Fh4>\n\u003Ch4>Key Features of WP Mail\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>WP Mail\u003C\u002Fstrong> – It allows WordPress administrators as well as wordpress users to send\u002Frecieve emails to registered users with in respective wordpress environment or manually typed in registered user’s email addresses.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiuser mails\u003C\u002Fstrong> – You can send mails to multiple users by adding comma seprated mail ids ex:test@domain.com,test2@domain.com.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Mail as draft\u003C\u002Fstrong> – WP users can save message in draft.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>How to use\u003C\u002Fh3>\n\u003Col>\n\u003Cli>First Activate Plugin.\u003C\u002Fli>\n\u003Cli>Go to Wp Mail Menu\u003C\u002Fli>\n\u003Cli>To Create New Mail –  Click Compose Menu \u003C\u002Fli>\n\u003Cli>To Check Message – Click Indox Menu= Minimum requirements for Mail System =\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>*   WordPress 3.3+\u003Cbr \u002F>\n*   PHP 
5.x\u003Cbr \u002F>\n*   MySQL 5.x\u003C\u002Fp>\n\u003Cp>If any problem occurs, please contact us at http:\u002F\u002Fwww.webdesi9.com\u002Fsupport\u002F.\u003C\u002Fp>\n","WP Mail plugin is simply a wp network mail or message system. User can send mail or messages to other users over one wp network.",600,9863,100,1,"2016-10-06T06:44:00.000Z","4.6.30","3.4","",[20,21,22,23,24],"mail","mail-system","mailers","send-mail","wp_mail","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-mail\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-mail.zip",39,3,2,"2026-01-16 00:00:00","2026-04-16T10:56:18.058Z","no_bundle",[34,59,72],{"id":35,"url_slug":36,"title":37,"description":38,"plugin_slug":4,"theme_slug":39,"affected_versions":40,"patched_in_version":39,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":30,"updated_date":45,"references":46,"days_to_patch":39,"patch_diff_files":48,"patch_trac_url":39,"research_status":49,"research_verified":50,"research_rounds_completed":28,"research_plan":51,"research_summary":52,"research_vulnerable_code":53,"research_fix_diff":54,"research_exploit_outline":55,"research_model_used":56,"research_started_at":57,"research_completed_at":58,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":50,"poc_model_used":39,"poc_verification_depth":39},"CVE-2025-68008","mail-reflected-cross-site-scripting","Mail \u003C= 1.3 - Reflected Cross-Site Scripting","The Mail plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",null,"\u003C=1.3","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-19 15:52:45",[47],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F217c7916-0bd1-4499-8ecc-00961ddcc6e8?source=api-prod",[],"researched",false,"# Exploitation Research Plan: CVE-2025-68008 (WP Mail \u003C= 1.3)\n\n## 1. Vulnerability Summary\nThe **WP Mail** plugin (versions \u003C= 1.3) contains a reflected cross-site scripting (XSS) vulnerability. The issue arises because the plugin retrieves user-supplied input from URL parameters (typically via `$_GET` or `$_REQUEST`) and echoes it back into the HTML response without adequate sanitization (using functions like `sanitize_text_field`) or output escaping (using functions like `esc_html` or `esc_attr`). This allows an attacker to execute arbitrary JavaScript in the context of a user's session if that user clicks a crafted link.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** The vulnerability is likely located in the plugin's admin settings page or a specialized mailing\u002Ftest-mail page.\n*   **Vulnerable Slug:** `wp-mail` (accessible via `wp-admin\u002Foptions-general.php?page=wp-mail` or `wp-admin\u002Fadmin.php?page=wp-mail`).\n*   **Vulnerable Parameter:** Likely a status or message parameter such as `message`, `error`, `s`, or `status` (inferred).\n*   **Authentication:** Unauthenticated. While the victim must be a logged-in administrator for the XSS to have high impact (e.g., account takeover), the attacker does not need any privileges to generate the malicious link.\n*   **Preconditions:** The plugin must be active.\n\n## 3. Code Flow (Inferred)\n1.  
**Entry Point:** The plugin registers an admin page using `add_options_page()` or `add_menu_page()` in the `admin_menu` hook.\n2.  **Logic Path:** The callback function for this admin page (e.g., `wp_mail_settings_page()`) is executed when the `page=wp-mail` parameter is present in the URL.\n3.  **Vulnerable Source:** Inside the callback, the code checks for a specific GET parameter to display feedback (e.g., \"Settings Saved\" or \"Email Sent\").\n    *   *Example:* `$msg = $_GET['message'];`\n4.  **Vulnerable Sink:** The code echoes this variable directly into the HTML.\n    *   *Example:* `echo '\u003Cdiv class=\"updated\">\u003Cp>' . $msg . '\u003C\u002Fp>\u003C\u002Fdiv>';`\n5.  **Lack of Escaping:** Because `$msg` is not wrapped in `esc_html()`, a payload like `\u003Cscript>alert(1)\u003C\u002Fscript>` is executed by the browser.\n\n## 4. Nonce Acquisition Strategy\nReflected XSS via GET parameters typically does **not** require a nonce for the reflection itself. Nonces are used to prevent CSRF (Cross-Site Request Forgery) for *actions* that modify state. However, if the reflection only occurs after a successful form submission that *is* nonce-protected, the strategy is as follows:\n\n1.  **Identify Action:** Find the form on the `wp-mail` settings page.\n2.  **Identify Shortcode\u002FPage:** If the plugin has a frontend component, create a post with its shortcode: `wp post create --post_type=page --post_status=publish --post_content='[wp_mail_form]'` (inferred).\n3.  **Extract Nonce:**\n    *   Navigate to the settings page: `browser_navigate(\"\u002Fwp-admin\u002Foptions-general.php?page=wp-mail\")`.\n    *   Execute JS to find the nonce: `browser_eval(\"document.querySelector('#_wpnonce')?.value || document.querySelector('input[name*=\\\"nonce\\\"]')?.value\")`.\n4.  **Bypass Check:** If the vulnerability is purely in the display of a GET parameter (e.g., a \"error\" message displayed regardless of the action's success), no nonce is needed.\n\n## 5. 
Exploitation Strategy\nWe will attempt to trigger the XSS by injecting a script into common \"message\" parameters.\n\n### Step 1: Discover the Vulnerable Parameter\nWe will test common parameters used by plugins to display reflected feedback.\n*   **Target URL:** `\u002Fwp-admin\u002Foptions-general.php?page=wp-mail`\n*   **Payloads to test:**\n    1.  `&message=\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n    2.  `&error=\u003Cimg src=x onerror=alert(1)>`\n    3.  `&s=\">\u003Cscript>alert(1)\u003C\u002Fscript>`\n\n### Step 2: Execution via `http_request`\n```javascript\n\u002F\u002F Example request to trigger reflection\nawait http_request({\n  url: \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Foptions-general.php?page=wp-mail&message=%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E\",\n  method: \"GET\",\n  headers: {\n    \"Cookie\": \"admin_session_cookie_here\" \u002F\u002F The agent uses browser_navigate for UI-based XSS\n  }\n});\n```\n\n### Step 3: Proof of Concept via Browser\nThe most effective way to prove XSS is using the `browser_navigate` and `browser_eval` tools to catch the alert or verify the DOM.\n\n1.  Navigate to the URL: `browser_navigate(\"\u002Fwp-admin\u002Foptions-general.php?page=wp-mail&message=\u003Cscript>console.log('CVE-2025-68008_EXPLOITED')\u003C\u002Fscript>\")`.\n2.  Check for payload in source: `browser_eval(\"document.body.innerHTML.includes('CVE-2025-68008_EXPLOITED')\")`.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** `wp plugin install wp-mail --version=1.3 --activate`\n2.  **Admin User:** Ensure an admin user exists (default in test environments).\n3.  **Configuration:** No specific configuration of the plugin is likely required as the vulnerability exists in the display logic.\n\n## 7. 
Expected Results\n*   The HTTP response should contain the raw, unescaped payload: `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n*   When viewed in a browser, the JavaScript should execute.\n*   In the `browser_navigate` session, a `console.log` or a specific DOM element created by the script should be detectable.\n\n## 8. Verification Steps\n1.  **Check for Sanitize Functions:** Use WP-CLI to inspect the source code for the sink:\n    `grep -rn \"echo \\$_GET\" wp-content\u002Fplugins\u002Fwp-mail\u002F`\n    `grep -rn \"echo \\$_REQUEST\" wp-content\u002Fplugins\u002Fwp-mail\u002F`\n2.  **Verify Unescaped Output:** Use `http_request` to fetch the page and check if the string matches exactly without HTML entities (e.g., `\u003C` instead of `&lt;`).\n\n## 9. Alternative Approaches\n*   **Attribute Injection:** If the input is reflected inside an attribute (e.g., `value=\"\u003C?php echo $_GET['val']; ?>\"`), use a payload to break out: `\" autofocus onfocus=\"alert(1)`.\n*   **Post-Method Reflection:** If the plugin reflects values from a `POST` request (e.g., after a failed validation), use the `http_request` tool to send a `POST` with the payload and check the resulting body.\n*   **Public Side:** Check if the plugin registers any shortcodes that reflect parameters (e.g., a contact form that echoes back the user's name on \"Thank You\" pages). Use `grep -r \"add_shortcode\" wp-content\u002Fplugins\u002Fwp-mail\u002F` to find them.","The WP Mail plugin for WordPress (versions \u003C= 1.3) is vulnerable to Reflected Cross-Site Scripting (XSS). This vulnerability occurs because the plugin's administrative settings pages echo user-supplied input from URL parameters directly into the HTML response without sufficient sanitization or output escaping.","\u002F\u002F Inferred from research plan logic in wp-mail\u002Fwp-mail.php\n\nif (isset($_GET['message'])) {\n    echo '\u003Cdiv class=\"updated\">\u003Cp>' . $_GET['message'] . 
'\u003C\u002Fp>\u003C\u002Fdiv>';\n}\n\n---\n\n\u002F\u002F Alternative common pattern for error display\nif (isset($_GET['error'])) {\n    echo '\u003Cdiv class=\"error\">\u003Cp>' . $_GET['error'] . '\u003C\u002Fp>\u003C\u002Fdiv>';\n}","--- wp-content\u002Fplugins\u002Fwp-mail\u002Fwp-mail.php\n+++ wp-content\u002Fplugins\u002Fwp-mail\u002Fwp-mail.php\n@@ -X,Y +X,Y @@\n-if (isset($_GET['message'])) {\n-    echo '\u003Cdiv class=\"updated\">\u003Cp>' . $_GET['message'] . '\u003C\u002Fp>\u003C\u002Fdiv>';\n-}\n+if (isset($_GET['message'])) {\n+    echo '\u003Cdiv class=\"updated\">\u003Cp>' . esc_html(sanitize_text_field($_GET['message'])) . '\u003C\u002Fp>\u003C\u002Fdiv>';\n+}","The exploit targets the plugin's administration dashboard, specifically the settings page usually located at wp-admin\u002Foptions-general.php?page=wp-mail. An attacker constructs a malicious URL that includes a script payload in a commonly reflected parameter such as 'message', 'error', or 'status'. For example: \u002Fwp-admin\u002Foptions-general.php?page=wp-mail&message=\u003Cscript>alert(document.domain)\u003C\u002Fscript>. The attacker then tricks a logged-in administrator into clicking this link via social engineering. 
Because the plugin does not use esc_html() before echoing the value of the parameter, the script executes in the context of the administrator's session, potentially allowing for session hijacking or unauthorized administrative actions.","gemini-3-flash-preview","2026-05-05 07:51:08","2026-05-05 07:51:28",{"id":60,"url_slug":61,"title":62,"description":63,"plugin_slug":4,"theme_slug":39,"affected_versions":40,"patched_in_version":39,"severity":41,"cvss_score":64,"cvss_vector":65,"vuln_type":44,"published_date":66,"updated_date":67,"references":68,"days_to_patch":39,"patch_diff_files":70,"patch_trac_url":39,"research_status":39,"research_verified":50,"research_rounds_completed":71,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":50,"poc_model_used":39,"poc_verification_depth":39},"CVE-2025-58822","wp-mail-authenticated-contributor-stored-cross-site-scripting","WP Mail \u003C= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting","The WP Mail plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","2025-09-05 00:00:00","2025-09-11 13:32:39",[69],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff3945fbe-5ba0-44e3-ae1d-33a53592da1a?source=api-prod",[],0,{"id":73,"url_slug":74,"title":75,"description":76,"plugin_slug":4,"theme_slug":39,"affected_versions":77,"patched_in_version":78,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":79,"updated_date":80,"references":81,"days_to_patch":83,"patch_diff_files":84,"patch_trac_url":39,"research_status":39,"research_verified":50,"research_rounds_completed":71,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":50,"poc_model_used":39,"poc_verification_depth":39},"CVE-2017-5942","wp-mail-reflected-cross-site-scripting","WP Mail \u003C= 1.1 - Reflected Cross-Site Scripting","An issue was discovered in the WP Mail plugin through version 1.1 for WordPress. The replyto parameter when composing a mail allows for a reflected XSS. 
This would allow you to execute JavaScript in the context of the user receiving the mail.","\u003C1.2","1.2","2016-07-23 00:00:00","2024-01-22 19:56:02",[82],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F08ded669-7e43-4da4-87e7-c7d75fa53d8b?source=api-prod",2740,[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":86,"total_installs":87,"avg_security_score":88,"avg_patch_time_days":89,"trust_score":90,"computed_at":91},8,4050740,79,1115,64,"2026-05-19T17:28:00.729Z",[93,115,130,152,173],{"slug":94,"name":95,"version":96,"author":97,"author_profile":98,"description":99,"short_description":100,"active_installs":101,"downloaded":102,"rating":103,"num_ratings":104,"last_updated":105,"tested_up_to":106,"requires_at_least":107,"requires_php":108,"tags":109,"homepage":18,"download_link":114,"security_score":13,"vuln_count":71,"unpatched_count":71,"last_vuln_date":39,"fetched_at":31},"mailersend-official-smtp-integration","MailerSend – Official SMTP Integration","1.0.5","MailerSend","https:\u002F\u002Fprofiles.wordpress.org\u002Fmailersend\u002F","\u003Cp>WordPress hosting companies are not optimized for high-volume email sending, which may result in some of your emails not getting delivered. MailerSend’s \u003Ca href=\"https:\u002F\u002Fwww.mailersend.com\u002Ffeatures\u002Fsmtp-relay\" rel=\"nofollow ugc\">dedicated SMTP server\u003C\u002Fa> will ensure that your forms, account notifications, e-commerce orders, and other transactional emails get delivered. By using this official SMTP plugin, you will:\u003Cbr \u002F>\n* Improve your email deliverability\u003Cbr \u002F>\n* Protect your domain reputation\u003Cbr \u002F>\n* Learn more about your recipients\u003C\u002Fp>\n\u003Ch4>Deliverability\u003C\u002Fh4>\n\u003Cp>Improve inbox performance and ensure a smooth customer experience by letting MailerSend take care of email sending. 
After a decade of email delivery experience, MailerSend’s deliverability experts understand what it takes to avoid spam filters, stay off blocklists and lower bounce rates.\u003C\u002Fp>\n\u003Ch4>Domain reputation\u003C\u002Fh4>\n\u003Cp>Keep your domain reputation safe with MailerSend’s email authentication practices. Give your customers the confidence that they’re interacting with an established brand, and let MailerSend manage the emails that could potentially damage your reputation.\u003C\u002Fp>\n\u003Ch4>Analytics\u003C\u002Fh4>\n\u003Cp>Understand what happens after an email gets sent. Access a wide range of key metrics—like open rates, bounce rates and click-through rates—to learn what works and what needs optimization so you can keep improving your email performance.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Avoid spam filters, prevent blocklisting, and lower hard bounce rates with powerful sending infrastructure\u003C\u002Fli>\n\u003Cli>Automate the customer experience by connecting to thousands of other apps with Zapier\u003C\u002Fli>\n\u003Cli>Get instant push updates with webhooks\u003C\u002Fli>\n\u003Cli>Receive customer replies sent to your domain with an inbound route feature\u003C\u002Fli>\n\u003Cli>Monitor all email interactions such as opens, clicks, open locations and devices. Plus, use your own subdomain and get a custom tracking link!\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>How it works\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Install and activate the MailerSend plugin.\u003C\u002Fli>\n\u003Cli>Add your \u003Ca href=\"https:\u002F\u002Fapp.mailersend.com\u002Fdomains\" rel=\"nofollow ugc\">SMTP credentials\u003C\u002Fa> from MailerSend to establish the connection.\u003C\u002Fli>\n\u003Cli>Test your connection to make sure it’s working.\u003C\u002Fli>\n\u003Cli>And get sending!\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Support\u003C\u002Fh4>\n\u003Cp>Get help whenever you need it. 
\u003Ca href=\"https:\u002F\u002Fwww.mailersend.com\u002Fcontact-us\" rel=\"nofollow ugc\">Contact us\u003C\u002Fa> or drop a message via live chat in the app. MailerSend’s dedicated support team works 24\u002F7 because transactional emails never stop.\u003C\u002Fp>\n","Improve your deliverability and avoid the spam box with MailerSend’s SMTP server. Check your analytics to improve your emails for better conversion!",2000,21915,56,12,"2026-01-22T09:28:00.000Z","6.6.5","5.7","7.2.5",[110,111,112,113,24],"email","mailersend","phpmailer","smtp","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmailersend-official-smtp-integration.1.0.5.zip",{"slug":116,"name":117,"version":6,"author":118,"author_profile":119,"description":120,"short_description":121,"active_installs":122,"downloaded":123,"rating":71,"num_ratings":71,"last_updated":124,"tested_up_to":125,"requires_at_least":126,"requires_php":127,"tags":128,"homepage":18,"download_link":129,"security_score":13,"vuln_count":71,"unpatched_count":71,"last_vuln_date":39,"fetched_at":31},"ahasend-email-api","AhaSend Email API","ahasend","https:\u002F\u002Fprofiles.wordpress.org\u002Fahasend\u002F","\u003Cp>Most hosting providers aren\\’t equipped to handle high-volume email sending or guarantee fast, reliable delivery, leading to delayed emails and poor inbox placement.\u003Cbr \u002F>\nThe AhaSend WordPress plugin seamlessly connects your WordPress site with AhaSend’s \u003Ca href=\"https:\u002F\u002Fahasend.com\" rel=\"nofollow ugc\">reliable email delivery platform\u003C\u002Fa> via an HTTP API, improving email sending performance compared to sending with SMTP and bypassing issues such as blocked SMTP ports by hosting providers. Optimize your transactional emails with easy integration and advanced features designed for speed and enhanced inbox placement. With AhaSend, you benefit from real-time tracking, customizable data retention, and secure email handling to ensure efficient and accurate delivery. 
Perfect for e-commerce, membership sites, and more, AhaSend’s plugin provides robust, fast email solutions without the hassle.\u003C\u002Fp>\n\u003Ch3>External services\u003C\u002Fh3>\n\u003Cp>This plugin sends email content to the AhaSend API everytime WordPress needs to send an email, and AhaSend – as an Email Service Provider – delivers the email to the recipients.\u003Cbr \u002F>\nPlease review AhaSends \u003Ca href=\"https:\u002F\u002Fahasend.com\u002Fterms\" rel=\"nofollow ugc\">Terms of Use\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fahasend.com\u002Fprivacy\" rel=\"nofollow ugc\">Privacy Policy\u003C\u002Fa> before using this plugin.\u003C\u002Fp>\n","Connect your WordPress site to AhaSend for reliable, fast transactional email delivery with easy SMTP integration and real-time tracking.",10,555,"2025-05-30T10:34:00.000Z","6.8.5","6.0","7.4",[110,111,112,113,24],"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fahasend-email-api.1.3.zip",{"slug":131,"name":132,"version":133,"author":134,"author_profile":135,"description":136,"short_description":137,"active_installs":138,"downloaded":139,"rating":140,"num_ratings":141,"last_updated":142,"tested_up_to":143,"requires_at_least":144,"requires_php":145,"tags":146,"homepage":149,"download_link":150,"security_score":151,"vuln_count":71,"unpatched_count":71,"last_vuln_date":39,"fetched_at":31},"postmark-approved-wordpress-plugin","ActiveCampaign Postmark for WordPress","1.19.1","alexknowshtml","https:\u002F\u002Fprofiles.wordpress.org\u002Falexknowshtml\u002F","\u003Cp>If you’re still sending email with default SMTP, you’re blind to delivery problems! 
ActiveCampaign Postmark for WordPress enables sites of any size to deliver and track WordPress notification emails reliably, with minimal setup time and zero maintenance.\u003C\u002Fp>\n\u003Cp>If you don’t already have a Postmark account, you can get one in minutes, sign up at https:\u002F\u002Fpostmarkapp.com\u003C\u002Fp>\n\u003Cp>Check out our video on how to set up the Postmark for WordPress plugin \u003Ca href=\"https:\u002F\u002Fpostmarkapp.com\u002Fwebinars\u002Fpostmark-wordpress\" rel=\"nofollow ugc\">here\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Additional Resources\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fpostmarkapp.com\u002Fsupport\u002Farticle\u002F1138-postmark-for-wordpress-faq\" rel=\"nofollow ugc\">Postmark for WordPress FAQ\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fpostmarkapp.com\u002Fsupport\u002Farticle\u002F1129-can-i-use-the-postmark-for-wordpress-plugin-with-gravity-forms\" rel=\"nofollow ugc\">Can I use the Postmark for WordPress plugin with Gravity Forms?\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fpostmarkapp.com\u002Fsupport\u002Farticle\u002F1047-how-do-i-send-with-ninja-forms-and-postmark-for-wordpress\" rel=\"nofollow ugc\">How do I send with Ninja Forms and Postmark for WordPress?\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fpostmarkapp.com\u002Fsupport\u002Farticle\u002F1072-how-do-i-send-with-contact-form-7-and-postmark-for-wordpress\" rel=\"nofollow ugc\">How do I send with Contact Form 7 and Postmark for WordPress?\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fpostmarkapp.com\u002Fsupport\u002Farticle\u002F1128-can-i-use-the-postmark-for-wordpress-plugin-with-divi-contact-forms\" rel=\"nofollow ugc\">Can I use the Postmark for WordPress plugin with Divi contact forms?\u003C\u002Fa>\u003C\u002Fp>\n","The officially-supported ActiveCampaign Postmark plugin for 
Wordpress.",50000,764782,94,30,"2024-11-18T20:01:00.000Z","6.7.5","5.3","7.0",[110,147,148,113,24],"notifications","postmark","https:\u002F\u002Fpostmarkapp.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpostmark-approved-wordpress-plugin.1.19.1.zip",92,{"slug":153,"name":154,"version":155,"author":156,"author_profile":157,"description":158,"short_description":159,"active_installs":160,"downloaded":161,"rating":13,"num_ratings":162,"last_updated":163,"tested_up_to":164,"requires_at_least":165,"requires_php":127,"tags":166,"homepage":169,"download_link":170,"security_score":171,"vuln_count":29,"unpatched_count":71,"last_vuln_date":172,"fetched_at":31},"smtp2go","SMTP2GO for WordPress – Email Made Easy","1.14.1","SMTP2GO","https:\u002F\u002Fprofiles.wordpress.org\u002Fsmtp2go\u002F","\u003Cp>SMTP2GO’s WordPress plugin replaces the default built in wp_mail() functionality (phpmailer) and sends your email via SMTP2GO’s API and industry leading email delivery platform.\u003C\u002Fp>\n\u003Cp>SMTP2GO provides valuable insights into every aspect of your email’s life cycle, enabling you to track delivery rates, opens, clicks, and bounce rates. Whether your email is transactional, marketing, newsletter, contact form, or notification – we have got you covered.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>The main benefits of using the official SMTP2GO plugin:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>We have made our plugin as easy and low maintenance as possible – you can set it up in under ten minutes.\u003C\u002Fli>\n\u003Cli>Take over from the default WordPress email system for more reliable delivery – you can be confident your emails have arrived at their destination inbox successfully.\u003C\u002Fli>\n\u003Cli>Get access to our intuitive real-time reporting tools. 
You can uncover what is going on behind the scenes with delivery, open rates, click rates, bounce, and unsubscription reports.\u003C\u002Fli>\n\u003Cli>We offer secure worldwide servers with intelligent routing for network redundancy and speedy delivery.\u003C\u002Fli>\n\u003Cli>We handle SPF and DKIM on your behalf. SMTP2GO can even turn your “http” links into “https”.\u003C\u002Fli>\n\u003Cli>Diagnose and resolve delivery issues with our insightful reporting page, or reach out to our award-winning support team who are available almost 24\u002F7 to help address problems in a timely, friendly fashion.\u003C\u002Fli>\n\u003Cli>We have a dedicated Review team who constantly monitor the reputations of our IP’s and we proactively alert members to any suspicious changes in their email regimen.\u003C\u002Fli>\n\u003Cli>Avoid poor reputation and throttling or limitations from over-used shared web hosts and other providers.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.smtp2go.com\u002F\" rel=\"nofollow ugc\">Sign up here\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>If you have questions or need assistance then feel free to contact the support team by logging into your \u003Ca href=\"https:\u002F\u002Fapp.smtp2go.com\" rel=\"nofollow ugc\">SMTP2GO dashboard\u003C\u002Fa> and clicking the support icon on the top right navigation bar.\u003C\u002Fp>\n\u003Cp>More information on this plugin is available in our \u003Ca href=\"https:\u002F\u002Fsupport.smtp2go.com\u002Fhc\u002Fen-gb\u002Farticles\u002F900000195666-SMTP2GO-WordPress-Plugin\" rel=\"nofollow ugc\">knowledgebase\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>About SMTP2GO\u003C\u002Fh3>\n\u003Cp>Founded in 2006, SMTP2GO is a fast and scalable world class email service provider for sending transactional and marketing emails. 
It is developed and supported by a team of delivery experts at the forefront of the email industry, providing a reliable SMTP solution for over 35,000 businesses.\u003C\u002Fp>\n\u003Cp>Complexities such as reputation monitoring, SPF and DKIM are professionally managed for each customer. Native-English speaking support is available worldwide (agents in the USA, EU, UK, Australia, and New Zealand).\u003C\u002Fp>\n\u003Cp>Our data centers are located around the world, meaning lightning-fast connection speeds, network redundancy, and GDPR compliance.\u003C\u002Fp>\n","Resolve email delivery issues, increase inbox placement, track sent email, get 24\u002F7 support, and real-time reporting.",30000,339758,65,"2026-03-04T01:49:00.000Z","6.9.4","6.2",[167,110,168,113,24],"delivery","inbox","https:\u002F\u002Fgithub.com\u002Fthefold\u002Fsmtp2go-wordpress-plugin","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmtp2go.1.14.1.zip",98,"2025-07-16 00:00:00",{"slug":174,"name":175,"version":176,"author":177,"author_profile":178,"description":179,"short_description":180,"active_installs":181,"downloaded":182,"rating":183,"num_ratings":184,"last_updated":185,"tested_up_to":164,"requires_at_least":186,"requires_php":187,"tags":188,"homepage":190,"download_link":191,"security_score":13,"vuln_count":71,"unpatched_count":71,"last_vuln_date":39,"fetched_at":31},"zoho-mail","Zoho Mail for WordPress","1.6.3","Zoho Mail","https:\u002F\u002Fprofiles.wordpress.org\u002Fzmintegration\u002F","\u003Ch4>Zoho Mail for WordPress\u003C\u002Fh4>\n\u003Cp>Zoho Mail Plugin helps you to configure your Zoho Mail account in your WordPress site, to send emails from your Site.\u003Cbr \u002F>\nIt is recommended to use authorized server for sending emails from websites, instead of using generic hosting servers. 
It is possible to misuse unauthorized and unauthenticated configuration and harm the reputation of your domain\u002F website when using generic servers.\u003Cbr \u002F>\nZoho Mail plugin can help to ensure that the emails are sent from your account using Zoho Mail API’s.\u003C\u002Fp>\n\u003Ch3>PRE-REQUISITES\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>A Zoho Mail Account\u003C\u002Fli>\n\u003Cli>A self-hosted WordPress site\u003C\u002Fli>\n\u003Cli>PHP 5.6 or later\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>ADVANTAGES OF ZOHO MAIL PLUGIN\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Zoho Mail plugin makes use of \u003Cstrong>OAuth 2.0\u003C\u002Fstrong> protocol to access Zoho Mail API. This ensures a highly secure authentication process where the Username or password is not stored so cannot be misused.\u003C\u002Fli>\n\u003Cli>Zoho Mail plugin has customized the \u003Cstrong>PHPMailer’s\u003C\u002Fstrong> code library, used in WordPress for sending email.\u003C\u002Fli>\n\u003Cli>By using \u003Cstrong>’wp_mail’\u003C\u002Fstrong> function of WordPress, Zoho Mail plugin handles the custom send mail action anywhere from the entire site, without having to change\u002F configure in every occurrence.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>ZOHO MAIL API FEATURES\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Zoho Mail API is authenticated using OAuth 2.0 protocol.\u003C\u002Fli>\n\u003Cli>You can configure your Zoho Mail account in your website to send email using Zoho Mail API.\u003C\u002Fli>\n\u003Cli>The emails sent will be available in the corresponding Zoho Mail account’s Sent folder.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>ZOHO MAIL PLUGIN PARAMETERS\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Where is your account hosted?\u003C\u002Fstrong> :The region where your Zoho Account data resides.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Client ID\u003C\u002Fstrong> :The Client ID of your Zoho Mail API.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Client Secret\u003C\u002Fstrong> : The Client secret 
of your API.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Authorized Redirect URI\u003C\u002Fstrong> : Authorized Redirect URL obtained from your website that is used to create Client ID.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>From Email Address\u003C\u002Fstrong> : The Email address that will be used to send all the outgoing emails from your website.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>From Name\u003C\u002Fstrong> : The Name that will be shown as the display name while sending all emails from your website.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>ZOHO MAIL PLUGIN TEST EMAIL\u003C\u002Fh3>\n\u003Cp>After configuration, you can test the plugin. Navigate to the Zoho Mail – Test Email page in your Website settings.\u003Cbr \u002F>\n– \u003Cstrong>To\u003C\u002Fstrong> : Email address of the recipient.\u003Cbr \u002F>\n– \u003Cstrong>Subject\u003C\u002Fstrong> : Subject of the email.\u003Cbr \u002F>\n– \u003Cstrong>Content\u003C\u002Fstrong> : The message or body of the email.\u003C\u002Fp>\n\u003Cp>For detailed instructions on how to set up Zoho Mail plugin, visit \u003Ca href=\"https:\u002F\u002Fwww.zoho.com\u002Fmail\u002Fhelp\u002Fzohomail-plugin-for-wordpress.html\" rel=\"nofollow ugc\">Zoho Mail plugin page\u003C\u002Fa>.\u003Cbr \u002F>\n\u003Cstrong>Note\u003C\u002Fstrong> :\u003Cbr \u002F>\nSending emails through Zoho Mail is subject to our Usage Policy restrictions. 
Please refer to our Usage Policy details \u003Ca href=\"https:\u002F\u002Fwww.zoho.com\u002Fmail\u002Fhelp\u002Fusage-policy.html\" rel=\"nofollow ugc\">here\u003C\u002Fa>.\u003C\u002Fp>\n","Zoho Mail Plugin lets you configure your Zoho Mail account on your WordPress site enabling you to send the email via Zoho Mail API.",20000,346786,76,41,"2026-03-24T04:40:00.000Z","4.8","5.6",[110,20,189,112,24],"mailer","http:\u002F\u002Fmail.zoho.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fzoho-mail.1.6.3.zip",{"attackSurface":193,"codeSignals":230,"taintFlows":348,"riskAssessment":416,"analyzedAt":430},{"hooks":194,"ajaxHandlers":217,"restRoutes":224,"shortcodes":225,"cronEvents":229,"entryPointCount":28,"unprotectedCount":29},[195,201,205,208,213],{"type":196,"name":197,"callback":198,"file":199,"line":200},"action","admin_menu","wp_mail_system_menu","wp-mail.php",27,{"type":196,"name":202,"callback":203,"file":199,"line":204},"admin_enqueue_scripts","load_wp_mail_admin_things",28,{"type":196,"name":206,"callback":207,"file":199,"line":141},"admin_init","allow_subscriber_uploads",{"type":209,"name":210,"callback":211,"priority":122,"file":199,"line":212},"filter","plugin_action_links","wp_mail_system_action_links",34,{"type":196,"name":214,"callback":215,"file":199,"line":216},"wp_head","header_scripts",36,[218,221],{"action":24,"nopriv":50,"callback":219,"hasNonce":50,"hasCapCheck":50,"file":199,"line":220},"wp_mail_callback",31,{"action":24,"nopriv":222,"callback":219,"hasNonce":50,"hasCapCheck":50,"file":199,"line":223},true,32,[],[226],{"tag":24,"callback":227,"file":199,"line":228},"wp_mail_shortcode",35,[],{"dangerousFunctions":231,"sqlUsage":232,"outputEscaping":249,"fileOperations":71,"externalRequests":71,"nonceChecks":346,"capabilityChecks":71,"bundledLibraries":347},[],{"prepared":233,"raw":234,"locations":235},7,5,[236,239,241,244,246],{"file":199,"line":237,"context":238},325,"$wpdb->get_row() with variable 
interpolation",{"file":199,"line":240,"context":238},338,{"file":199,"line":242,"context":243},463,"$wpdb->get_results() with variable interpolation",{"file":199,"line":245,"context":243},468,{"file":199,"line":247,"context":248},559,"$wpdb->query() with variable interpolation",{"escaped":250,"rawEcho":251,"locations":252},20,53,[253,257,259,261,262,264,266,269,270,272,273,274,277,279,281,283,285,286,288,291,292,293,294,296,299,300,303,304,306,307,309,311,312,314,315,316,318,321,323,324,326,327,329,330,331,332,333,334,336,338,340,342,344],{"file":254,"line":255,"context":256},"inc\\compose_mail.php",55,"raw output",{"file":254,"line":258,"context":256},63,{"file":254,"line":260,"context":256},81,{"file":254,"line":171,"context":256},{"file":254,"line":263,"context":256},113,{"file":254,"line":265,"context":256},121,{"file":267,"line":268,"context":256},"inc\\draft_messages.php",50,{"file":267,"line":251,"context":256},{"file":267,"line":271,"context":256},54,{"file":267,"line":271,"context":256},{"file":267,"line":255,"context":256},{"file":275,"line":276,"context":256},"inc\\inbox.php",40,{"file":275,"line":278,"context":256},80,{"file":275,"line":280,"context":256},82,{"file":275,"line":282,"context":256},85,{"file":275,"line":284,"context":256},86,{"file":275,"line":284,"context":256},{"file":275,"line":287,"context":256},87,{"file":289,"line":290,"context":256},"inc\\sent_messages.php",78,{"file":289,"line":260,"context":256},{"file":289,"line":280,"context":256},{"file":289,"line":280,"context":256},{"file":289,"line":295,"context":256},83,{"file":297,"line":298,"context":256},"inc\\settings.php",49,{"file":297,"line":298,"context":256},{"file":301,"line":302,"context":256},"inc\\shortcode.php",33,{"file":301,"line":212,"context":256},{"file":305,"line":86,"context":256},"inc\\sidebar.php",{"file":305,"line":122,"context":256},{"file":305,"line":308,"context":256},11,{"file":310,"line":271,"context":256},"inc\\trashed_messages.php",{"file":310,"line":140,"conte
xt":256},{"file":310,"line":313,"context":256},97,{"file":310,"line":171,"context":256},{"file":310,"line":171,"context":256},{"file":310,"line":317,"context":256},99,{"file":319,"line":320,"context":256},"inc\\view_message.php",38,{"file":319,"line":322,"context":256},68,{"file":319,"line":322,"context":256},{"file":319,"line":325,"context":256},69,{"file":319,"line":325,"context":256},{"file":319,"line":328,"context":256},77,{"file":319,"line":278,"context":256},{"file":319,"line":280,"context":256},{"file":319,"line":280,"context":256},{"file":319,"line":295,"context":256},{"file":319,"line":171,"context":256},{"file":335,"line":86,"context":256},"inc\\wp_mail_shortcodes.php",{"file":199,"line":337,"context":256},508,{"file":199,"line":339,"context":256},518,{"file":199,"line":341,"context":256},520,{"file":199,"line":343,"context":256},612,{"file":199,"line":345,"context":256},621,6,[],[349,364,374,389,403],{"entryPoint":350,"graph":351,"unsanitizedCount":28,"severity":41},"mk_pagenavi (wp-mail.php:481)",{"nodes":352,"edges":362},[353,357],{"id":354,"type":355,"label":356,"file":199,"line":337},"n0","source","$_GET['page'] (x3)",{"id":358,"type":359,"label":360,"file":199,"line":337,"wp_function":361},"n1","sink","echo() [XSS]","echo",[363],{"from":354,"to":358,"sanitized":50},{"entryPoint":365,"graph":366,"unsanitizedCount":71,"severity":373},"\u003Ccompose_mail> (inc\\compose_mail.php:0)",{"nodes":367,"edges":371},[368,370],{"id":354,"type":355,"label":369,"file":254,"line":29},"$_GET (x3)",{"id":358,"type":359,"label":360,"file":254,"line":255,"wp_function":361},[372],{"from":354,"to":358,"sanitized":222},"low",{"entryPoint":375,"graph":376,"unsanitizedCount":308,"severity":373},"\u003Cview_message> (inc\\view_message.php:0)",{"nodes":377,"edges":386},[378,380,381,384],{"id":354,"type":355,"label":379,"file":319,"line":29},"$_GET 
(x10)",{"id":358,"type":359,"label":360,"file":319,"line":320,"wp_function":361},{"id":382,"type":355,"label":383,"file":319,"line":278},"n2","$_GET['mid']",{"id":385,"type":359,"label":360,"file":319,"line":278,"wp_function":361},"n3",[387,388],{"from":354,"to":358,"sanitized":50},{"from":382,"to":385,"sanitized":50},{"entryPoint":390,"graph":391,"unsanitizedCount":234,"severity":402},"getEmails (wp-mail.php:261)",{"nodes":392,"edges":400},[393,396],{"id":354,"type":355,"label":394,"file":199,"line":395},"$_GET (x5)",267,{"id":358,"type":359,"label":397,"file":199,"line":398,"wp_function":399},"get_results() [SQLi]",274,"get_results",[401],{"from":354,"to":358,"sanitized":50},"high",{"entryPoint":404,"graph":405,"unsanitizedCount":415,"severity":402},"\u003Cwp-mail> (wp-mail.php:0)",{"nodes":406,"edges":412},[407,409,410,411],{"id":354,"type":355,"label":408,"file":199,"line":395},"$_GET (x6)",{"id":358,"type":359,"label":397,"file":199,"line":398,"wp_function":399},{"id":382,"type":355,"label":356,"file":199,"line":337},{"id":385,"type":359,"label":360,"file":199,"line":337,"wp_function":361},[413,414],{"from":354,"to":358,"sanitized":50},{"from":382,"to":385,"sanitized":50},9,{"summary":417,"deductions":418},"The wp-mail plugin v1.3 exhibits a concerning security posture due to significant weaknesses in its attack surface and output handling, compounded by a history of vulnerabilities.  While the absence of dangerous functions and file operations is positive, the presence of unprotected AJAX handlers presents a direct entry point for potential attacks.  The high proportion of unsanitized paths identified in the taint analysis, coupled with a low rate of proper output escaping, strongly suggests a high risk of Cross-Site Scripting (XSS) vulnerabilities.  Furthermore, the plugin has a history of three known CVEs, with two currently unpatched, and the common vulnerability type being XSS reinforces these concerns.  
Although the use of prepared statements for SQL queries is a positive practice, it doesn't mitigate the other identified risks.",[419,421,424,426,428],{"reason":420,"points":122},"Unprotected AJAX handlers",{"reason":422,"points":423},"High percentage of unsanitized paths",15,{"reason":425,"points":86},"Low percentage of properly escaped output",{"reason":427,"points":250},"Two unpatched CVEs",{"reason":429,"points":122},"History of XSS vulnerabilities","2026-03-16T19:28:10.119Z",{"wat":432,"direct":438},{"assetPaths":433,"generatorPatterns":435,"scriptPaths":436,"versionParams":437},[434],"\u002Fwp-content\u002Fplugins\u002Fwp-mail\u002Finc\u002Fimg\u002Ficon.png",[],[],[],{"cssClasses":439,"htmlComments":440,"htmlAttributes":441,"restEndpoints":442,"jsGlobals":443,"shortcodeOutput":444},[],[],[],[],[],[445],"[wp_mail]",{"error":222,"url":447,"statusCode":448,"statusMessage":449,"message":449},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fwp-mail\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":71,"versions":451},[]]