WP-Safety

WP Offload SES Lite Security & Risk Analysis

wordpress.org/plugins/wp-ses

Fix your email delivery problems by sending your WordPress emails through Amazon SES's powerful email sending infrastructure.

10K active installs v1.7.2 PHP 7.4+ WP 5.3+ Updated Dec 4, 2025
amazon-sesemail-deliverygmail-smtpnewslettersmtp
100
A · Safe
CVEs total1
Unpatched0
Last CVEJun 29, 2021
Plugin page Download
Safety Verdict

Is WP Offload SES Lite Safe to Use in 2026?

Generally Safe

Score 100/100

WP Offload SES Lite has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Jun 29, 2021Updated 4mo ago
Risk Assessment

The wp-ses v1.7.2 plugin presents a mixed security posture. While it demonstrates good practices like a high percentage of prepared SQL statements and a significant number of nonce and capability checks, there are notable areas of concern. The substantial attack surface, with 10 out of 15 entry points lacking authentication or permission checks, is a significant risk. This is further exacerbated by the presence of unsanitized paths identified in the taint analysis, which could lead to vulnerabilities if not properly handled. The plugin also utilizes the `unserialize()` function, a known security risk if used with untrusted input. The vulnerability history indicates a single medium-severity Cross-Site Scripting (XSS) vulnerability was patched in 2021. While there are no currently unpatched CVEs and the last vulnerability was some time ago, the pattern of XSS and the identified code-level risks suggest ongoing vigilance is required. The use of bundled libraries like Guzzle should also be monitored for potential outdated vulnerabilities, though no specific issues are highlighted in the provided data.

Key Concerns

  • Large attack surface without auth checks
  • REST API routes without permission callbacks
  • AJAX handlers without auth checks
  • Flows with unsanitized paths
  • Dangerous function: unserialize
  • Output escaping: 47% properly escaped
  • Medium severity vulnerability history
Vulnerabilities
1

WP Offload SES Lite Security Vulnerabilities

CVEs by Year

1 CVE in 2021
2021
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2021-24494medium · 5.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Offload SES Lite <= 1.4.4 - Stored Cross-Site Scripting

Jun 29, 2021 Patched in 1.4.5 (938d)
Code Analysis
Analyzed Mar 16, 2026

WP Offload SES Lite Code Analysis

Dangerous Functions
1
Raw SQL Queries
3
56 prepared
Unescaped Output
124
108 escaped
Nonce Checks
11
Capability Checks
4
File Operations
3
External Requests
1
Bundled Libraries
1

Dangerous Functions Found

unserializereturn @unserialize( $data, array( 'allowed_classes' => false ) ); // @phpcs:ignoreclasses\Utils.php:335

Bundled Libraries

Guzzle

SQL Query Safety

95% prepared59 total queries

Output Escaping

47% escaped232 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

4 flows1 with unsanitized paths
trigger_queue (classes\WP-Offload-SES.php:1533)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
10 unprotected

WP Offload SES Lite Attack Surface

Entry Points15
Unprotected10

AJAX Handlers 13

authwp_ajax_wposes-dismiss-noticeclasses\Notices.php:63
authwp_ajax_wposes_trigger_queueclasses\Queue\Email-Queue.php:61
noprivwp_ajax_wposes_trigger_queueclasses\Queue\Email-Queue.php:62
authwp_ajax_wposes_activity_tableclasses\WP-Offload-SES.php:177
authwp_ajax_wposes-get-diagnostic-infoclasses\WP-Offload-SES.php:178
authwp_ajax_wposes-aws-keys-setclasses\WP-Offload-SES.php:179
authwp_ajax_wposes-aws-keys-removeclasses\WP-Offload-SES.php:180
authwp_ajax_wposes_get_verified_senders_listclasses\WP-Offload-SES.php:181
authwp_ajax_wposes-verify-senderclasses\WP-Offload-SES.php:182
authwp_ajax_wposes_delete_senderclasses\WP-Offload-SES.php:183
authwp_ajax_wposes-ajax-save-settingsclasses\WP-Offload-SES.php:184
authwp_ajax_wposes-send-test-emailclasses\WP-Offload-SES.php:185
authwp_ajax_wposes-purge-logsclasses\WP-Offload-SES.php:186

REST API Routes 2

GET/wp-json/wp-offload-ses/v1/c/(?P<data>\S+)classes\Email-Events.php:77
GET/wp-json/wp-offload-ses/v1/o/(?P<data>\S+)classes\Email-Events.php:87
WordPress Hooks 33
actionadmin_noticesclasses\Compatibility-Check.php:77
actionnetwork_admin_noticesclasses\Compatibility-Check.php:78
actionrest_api_initclasses\Email-Events.php:70
actiondeliciousbrains_wp_offload_ses_log_cleanupclasses\Email-Log.php:69
actionadmin_noticesclasses\Notices.php:59
actionnetwork_admin_noticesclasses\Notices.php:60
actionwposes_pre_tab_renderclasses\Notices.php:61
actionadmin_enqueue_scriptsclasses\Notices.php:62
filteradmin_footer_textclasses\Plugin-Base.php:392
filterupdate_footerclasses\Plugin-Base.php:393
filtercron_schedulesclasses\Queue\Email-Cron.php:40
actionwp_loadedclasses\Queue\Queue-Status.php:40
filtercomment_notification_textclasses\WP-Notifications.php:35
filtercomment_notification_headersclasses\WP-Notifications.php:36
filtercomment_moderation_textclasses\WP-Notifications.php:37
filtercomment_moderation_headersclasses\WP-Notifications.php:38
filterwp_password_change_notification_emailclasses\WP-Notifications.php:41
filterretrieve_password_messageclasses\WP-Notifications.php:42
actionlostpassword_postclasses\WP-Notifications.php:48
filterwp_new_user_notification_email_adminclasses\WP-Notifications.php:51
filterwp_new_user_notification_emailclasses\WP-Notifications.php:52
filterwp_mail_content_typeclasses\WP-Notifications.php:59
actionadmin_initclasses\WP-Offload-SES.php:165
actionadmin_menuclasses\WP-Offload-SES.php:166
actionnetwork_admin_menuclasses\WP-Offload-SES.php:167
filterplugin_action_linksclasses\WP-Offload-SES.php:168
filternetwork_admin_plugin_action_linksclasses\WP-Offload-SES.php:169
actionpre_current_active_pluginsclasses\WP-Offload-SES.php:170
actionwposes_plugin_loadclasses\WP-Offload-SES.php:171
actionwposes_mail_sentclasses\WP-Offload-SES.php:174
actionnetwork_admin_noticesclasses\WP-Offload-SES.php:396
actionactivated_pluginwp-ses.php:60
actioninitwp-ses.php:104

Scheduled Events 1

deliciousbrains_wp_offload_ses_log_cleanup
Maintenance & Trust

WP Offload SES Lite Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedDec 4, 2025
PHP min version7.4
Downloads745K

Community Trust

Rating86/100
Number of ratings36
Active installs10K
Alternatives

WP Offload SES Lite Alternatives

FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider

FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider

fluent-smtp

A
93

The Ultimate Forever Free Mail SMTP Plugin for WordPress. Connect with any SMTP, SendGrid, Mailgun, Amazon SES, Brevo, Postmark, Sparkpost, Google...

500K 5 CVEs
GoSMTP – SMTP for WordPress

GoSMTP – SMTP for WordPress

gosmtp

A
100

Send emails from your WordPress site using your preferred SMTP provider like Gmail, Outlook, AWS, Zoho, SMTP.com, Brevo (formerly Sendinblue), Mailgun &hellip;

500K No CVEs
Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App

Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App

post-smtp

B
76

Improve WordPress email deliverability. Connect Gmail SMTP, Microsoft 365, Brevo, SendGrid, Mailgun, Zoho, Amazon SES, etc. #1 WordPress SMTP Plugin.

400K 21 CVEs
SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers

SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers

suremails

A
97

SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers

200K 1 CVE
YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service

YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service

yaysmtp

A
90

Send WordPress emails successfully with WP Mail SMTP via your favorite mailer

10K 8 CVEs
Developer Profile

WP Offload SES Lite Developer Profile

WP Engine

16 plugins · 3.5M total installs

73
trust score
Avg Security Score
91/100
Avg Patch Time
1006 days
View full developer profile
Detection Fingerprints

How We Detect WP Offload SES Lite

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-ses/assets/css/settings.css/wp-content/plugins/wp-ses/assets/css/admin.css/wp-content/plugins/wp-ses/assets/js/settings.js/wp-content/plugins/wp-ses/assets/js/admin.js
Script Paths
/wp-content/plugins/wp-ses/assets/js/settings.js/wp-content/plugins/wp-ses/assets/js/admin.js
Version Parameters
wp-ses/assets/css/settings.css?ver=wp-ses/assets/css/admin.css?ver=wp-ses/assets/js/settings.js?ver=wp-ses/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wposes-settingswposes-wrap
HTML Comments
Copyright (c) 2018 Delicious Brains. All rights reserved.Released under the GPL licensehttp://www.opensource.org/licenses/gpl-license.phpThis program is distributed in the hope that it will be useful, but+2 more
Data Attributes
data-settings-iddata-save-buttondata-tab-content
JS Globals
window.wpSesSettings
REST Endpoints
/wp-json/wp-offload-ses/v1/
FAQ

Frequently Asked Questions about WP Offload SES Lite