Mailing Group Listserv Security & Risk Analysis

wordpress.org/plugins/wp-mailing-group

Creates a Mailing Group on your site to which users can subscribe; messages sent to the group's email address will be forwarded to all members.

100 active installs · v3.0.5 · PHP + WP 3.0+ · Updated Apr 25, 2025
Tags: email-discussion, listserv, listserve, mailing-group, mailing-list
74 · B · Generally Safe
CVEs total: 4
Unpatched: 1
Last CVE: Jun 19, 2025

Safety Verdict

Is Mailing Group Listserv Safe to Use in 2026?

Mostly Safe

Score 74/100

Mailing Group Listserv is generally safe to use. 4 past CVEs were resolved. Keep it updated.

4 known CVEs · 1 unpatched · Last CVE: Jun 19, 2025 · Updated 11mo ago

Risk Assessment

The wp-mailing-group plugin v3.0.5 presents a concerning security posture due to a significant number of unprotected AJAX handlers. With 7 out of 7 AJAX handlers lacking authentication checks, this creates a wide attack surface for unauthorized actions. Furthermore, the presence of 5 high-severity taint flows indicates potential for serious vulnerabilities if user input is not properly handled before being used in sensitive operations. The plugin's vulnerability history, with 4 known CVEs and one still unpatched, including common issues like SQL injection and XSS, suggests a pattern of security weaknesses that have not been fully addressed. While the plugin demonstrates good practices in using prepared statements for SQL queries and performing proper output escaping, these strengths are overshadowed by the critical lack of authentication on AJAX endpoints and the ongoing unpatched vulnerability.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows
  • Unpatched CVEs
  • Bundled outdated PHPMailer
  • Dangerous unserialize function used

Vulnerabilities: 4

Mailing Group Listserv Security Vulnerabilities

CVEs by Year

2025: 4 CVEs (has unpatched)

Severity Breakdown

Medium: 4 (4 total CVEs)

CVE-2025-50036 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Mailing Group Listserv <= 3.0.5 - Cross-Site Request Forgery
Jun 19, 2025 · Unpatched

CVE-2025-46463 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Mailing Group Listserv <= 3.0.4 - Authenticated (Subscriber+) SQL Injection
Apr 25, 2025 · Patched in 3.0.5 (6d)

CVE-2025-22527 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Mailing Group Listserv <= 2.0.9 - Authenticated (Administrator+) SQL Injection
Jan 7, 2025 · Patched in 3.0.0 (94d)

CVE-2025-22595 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Mailing Group Listserv <= 2.0.9 - Reflected Cross-Site Scripting
Jan 7, 2025 · Patched in 3.0.0 (94d)

Code Analysis
Analyzed Mar 16, 2026

Mailing Group Listserv Code Analysis

Dangerous Functions: 10
Raw SQL Queries: 13 (38 prepared)
Unescaped Output: 19 (608 escaped)
Nonce Checks: 2
Capability Checks: 2
File Operations: 2
External Requests: 1
Bundled Libraries: 2

Dangerous Functions Found

unserialize · $files = unserialize($value->file_name); · crons\wpmg_cron_attachments.php:53
unserialize · $files = unserialize($value->file_name); · crons\wpmg_cron_attachments.php:71
unserialize · $arrayString = unserialize($gropArray); · mailing-group-module.php:1274
unserialize · $group_arr_old = unserialize(get_user_meta($userid, "Group_subscribed", true)); · mailing-group-module.php:1289
unserialize · $unSeriGroup = unserialize($group_subscribed); · template\mg_importuser.php:257
unserialize · $group_name_new = unserialize($usergroupnames); · template\mg_mailingrequest.php:135
unserialize · $group_name_new = unserialize($usergroupnames); · template\mg_mailingrequest.php:329
unserialize · $group_arr_old = unserialize(get_user_meta($recid, "Group_subscribed", true)); · template\mg_memberadd.php:81
unserialize · $group_name = unserialize(get_user_meta($id, "Group_subscribed", true)); · template\mg_membergroups.php:31
unserialize · $group_arr_old = unserialize(get_user_meta($recid, "Group_subscribed", true)); · template\mg_membergroups.php:41

Bundled Libraries

DataTables
PHPMailer 5.1

SQL Query Safety

75% prepared · 51 total queries

Output Escaping

97% escaped · 627 total outputs

Data Flows: 6 unsanitized

Data Flow Analysis

16 flows · 6 with unsanitized paths
[Data flow diagram: <mailing-group-module> (mailing-group-module.php:0)]

Attack Surface: 7 unprotected

Mailing Group Listserv Attack Surface

Entry Points: 8
Unprotected: 7

AJAX Handlers 7

auth · wp_ajax_wpmg_addeditmailinggroup · mailing-group-module.php:664
auth · wp_ajax_wpmg_addmailgroupsetting · mailing-group-module.php:665
auth · wp_ajax_wpmg_mailinggrouplisting · mailing-group-module.php:666
auth · wp_ajax_wpmg_sendmessage · mailing-group-module.php:667
auth · wp_ajax_wpmg_checkusername · mailing-group-module.php:668
auth · wp_ajax_wpmg_viewmessage · mailing-group-module.php:669
auth · wp_ajax_wpmg_imap_email_conn · mailing-group-module.php:670

Shortcodes 1

[mailing_group_form] · mailing-group-module.php:1253

WordPress Hooks 21

filter · cron_schedules · mailing-group-module.php:93
action · init · mailing-group-module.php:392
action · wp_logout · mailing-group-module.php:393
action · wp_login · mailing-group-module.php:394
action · admin_menu · mailing-group-module.php:443
action · init · mailing-group-module.php:449
action · wp_enqueue_script · mailing-group-module.php:520
filter · wp_mail_content_type · mailing-group-module.php:801
filter · wp_mail_content_type · mailing-group-module.php:870
filter · wp_mail_content_type · mailing-group-module.php:1052
filter · wp_mail_content_type · mailing-group-module.php:1138
filter · template_include · mailing-group-module.php:1254
filter · authenticate · mailing-group-module.php:1301
action · delete_user · mailing-group-module.php:1349
action · admin_menu · mailing-group-module.php:1399
action · admin_head · mailing-group-module.php:1432
filter · authenticate · mailing-group-module.php:1433
action · wpmg_cron_task_send_email · mailing-group-module.php:1464
action · wpmg_cron_task_parse_email · mailing-group-module.php:1467
action · wpmg_cron_task_bounced_email · mailing-group-module.php:1470
action · wpmg_cron_auto_delete_attachments · mailing-group-module.php:1473

Scheduled Events 4

wpmg_cron_task_send_email
wpmg_cron_task_parse_email
wpmg_cron_task_bounced_email
wpmg_cron_auto_delete_attachments
Maintenance & Trust

Mailing Group Listserv Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 25, 2025
PHP min version
Downloads: 22K

Community Trust

Rating: 80/100
Number of ratings: 25
Active installs: 100
Developer Profile

Mailing Group Listserv Developer Profile

Yamna Khawaja

1 plugin · 100 total installs

Trust score: 70
Avg Security Score: 74/100
Avg Patch Time: 65 days
Detection Fingerprints

How We Detect Mailing Group Listserv

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
