WP-Safety

WPO365 | MICROSOFT 365 GRAPH MAILER Security & Risk Analysis

wordpress.org/plugins/wpo365-msgraphmailer

Send WordPress emails from a M365 / Exchange Online Mailbox using Microsoft Graph, leveraging OAuth for authentication which is more secure than SMTP

10K active installs v4.2 PHP 7.4+ WP 5.0+ Updated Dec 7, 2025
emailmicrosoftphpmailersmtpwp_mail
99
A · Safe
CVEs total1
Unpatched0
Last CVEFeb 23, 2025
Plugin page Download
Safety Verdict

Is WPO365 | MICROSOFT 365 GRAPH MAILER Safe to Use in 2026?

Generally Safe

Score 99/100

WPO365 | MICROSOFT 365 GRAPH MAILER has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Feb 23, 2025Updated 3mo ago
Risk Assessment

The wpo365-msgraphmailer v4.2 plugin exhibits a mixed security posture. On one hand, it demonstrates good practices such as a high percentage of properly escaped output and a significant portion of SQL queries using prepared statements. The absence of critical or high severity taint flows is also a positive sign. However, a substantial concern arises from the large attack surface exposed through its 20 unprotected AJAX handlers. This means that numerous functions within the plugin can be triggered by unauthenticated users, posing a significant risk of unauthorized actions or information disclosure.

The vulnerability history reveals a single medium severity CVE related to Open Redirect, which has been patched. While the lack of currently unpatched vulnerabilities is encouraging, the presence of an 'Open Redirect' vulnerability in the past suggests a potential weakness in how external URLs are handled. The taint analysis shows two flows with unsanitized paths, although they are not flagged as critical or high severity, they warrant attention for potential path traversal or file manipulation vulnerabilities.

In conclusion, the plugin has strengths in output sanitization and SQL handling. The main weakness lies in the extensive unprotected AJAX endpoints, creating a large attack surface for unauthenticated users. The past vulnerability also highlights a specific area for continued vigilance. Addressing the unprotected AJAX handlers should be a priority to improve the overall security of the plugin.

Key Concerns

  • Unprotected AJAX handlers present large attack surface
  • Taint flows with unsanitized paths detected
  • Medium severity CVE detected in vulnerability history
Vulnerabilities
1

WPO365 | MICROSOFT 365 GRAPH MAILER Security Vulnerabilities

CVEs by Year

1 CVE in 2025
2025
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2025-1488medium · 4.7URL Redirection to Untrusted Site ('Open Redirect')

WPO365 | MICROSOFT 365 GRAPH MAILER <= 3.2 - Open Redirect via 'redirect_to' Parameter

Feb 23, 2025 Patched in 3.3 (1d)
Code Analysis
Analyzed Mar 16, 2026

WPO365 | MICROSOFT 365 GRAPH MAILER Code Analysis

Dangerous Functions
0
Raw SQL Queries
6
9 prepared
Unescaped Output
5
109 escaped
Nonce Checks
5
Capability Checks
3
File Operations
1
External Requests
17
Bundled Libraries
0

SQL Query Safety

60% prepared15 total queries

Output Escaping

96% escaped114 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

9 flows2 with unsanitized paths
license_page (Pages\License_Page.php:343)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
20 unprotected

WPO365 | MICROSOFT 365 GRAPH MAILER Attack Surface

Entry Points26
Unprotected20

AJAX Handlers 20

authwp_ajax_wpo365_delete_settingswpo365-msgraphmailer.php:94
authwp_ajax_wpo365_delete_tokenswpo365-msgraphmailer.php:95
authwp_ajax_wpo365_get_settingswpo365-msgraphmailer.php:96
authwp_ajax_wpo365_update_settingswpo365-msgraphmailer.php:97
authwp_ajax_wpo365_get_logwpo365-msgraphmailer.php:98
authwp_ajax_wpo365_dismiss_wpo_health_messageswpo365-msgraphmailer.php:99
authwp_ajax_wpo365_get_wpo_health_messageswpo365-msgraphmailer.php:100
authwp_ajax_wpo365_get_parseable_optionswpo365-msgraphmailer.php:101
authwp_ajax_wpo365_get_insights_summarywpo365-msgraphmailer.php:102
authwp_ajax_wpo365_get_insightswpo365-msgraphmailer.php:103
authwp_ajax_wpo365_truncate_insights_datawpo365-msgraphmailer.php:104
authwp_ajax_wpo365_send_test_alertwpo365-msgraphmailer.php:105
authwp_ajax_wpo365_send_test_mailwpo365-msgraphmailer.php:108
authwp_ajax_wpo365_get_mail_authorization_urlwpo365-msgraphmailer.php:109
authwp_ajax_wpo365_get_mail_auth_configurationwpo365-msgraphmailer.php:110
authwp_ajax_wpo365_try_migrate_mail_app_principal_infowpo365-msgraphmailer.php:111
authwp_ajax_wpo365_get_mail_logwpo365-msgraphmailer.php:116
authwp_ajax_wpo365_send_mail_againwpo365-msgraphmailer.php:117
authwp_ajax_wpo365_truncate_mail_logwpo365-msgraphmailer.php:118
authwp_ajax_wpo365_mail_auto_retrywpo365-msgraphmailer.php:121

Shortcodes 6

[pintra] Core\Shortcode_Helpers.php:30
[wpo365-sign-in-with-microsoft-v2-sc] Core\Shortcode_Helpers.php:99
[wpo365-login-button] Core\Shortcode_Helpers.php:153
[wpo365-display-error-message-sc] Core\Shortcode_Helpers.php:242
[wpo365-redirect-script] Core\Shortcode_Helpers.php:281
[wpo365-sso-button] Core\Shortcode_Helpers.php:310
WordPress Hooks 59
filterdoing_it_wrong_trigger_errorCore\Cron_Helpers.php:21
actionuser_profile_update_errorsCore\Permissions_Helpers.php:118
actionadmin_noticesCore\Plugin_Helpers.php:132
actionnetwork_admin_noticesCore\Plugin_Helpers.php:140
filterallowed_redirect_hostsCore\Url_Helpers.php:409
filterphpmailer_initMail\Mailer.php:441
filterwp_mail_fromMail\Mailer.php:483
actionadmin_menuPages\License_Page.php:48
actionnetwork_admin_menuPages\License_Page.php:49
actionadmin_initPages\License_Page.php:54
actionadmin_initPages\License_Page.php:59
actionadmin_noticesPages\License_Page.php:64
actionnetwork_admin_noticesPages\License_Page.php:65
actioninitServices\Router_Service.php:28
actioninitServices\Router_Service.php:44
actioninitServices\Router_Service.php:51
actioninitServices\Router_Service.php:55
actioninitServices\Router_Service.php:76
actioninitServices\Router_Service.php:80
actioninitServices\Router_Service.php:92
actioninitServices\Router_Service.php:97
actioninitServices\Router_Service.php:101
actioninitServices\Router_Service.php:126
actionplugins_loadedwpo365-msgraphmailer.php:37
filtercron_scheduleswpo365-msgraphmailer.php:38
actionadmin_noticeswpo365-msgraphmailer.php:47
filterpre_set_site_transient_update_pluginswpo365-msgraphmailer.php:77
actionadmin_menuwpo365-msgraphmailer.php:83
actionnetwork_admin_menuwpo365-msgraphmailer.php:84
actionadmin_noticeswpo365-msgraphmailer.php:89
actionnetwork_admin_noticeswpo365-msgraphmailer.php:90
actionadmin_initwpo365-msgraphmailer.php:91
actionadmin_post_wpo365_force_check_for_plugin_updateswpo365-msgraphmailer.php:138
filterplugin_row_metawpo365-msgraphmailer.php:139
filterplugins_apiwpo365-msgraphmailer.php:140
actionwp_dashboard_setupwpo365-msgraphmailer.php:143
actionwpo365/insights/notifywpo365-msgraphmailer.php:147
actionwpo365_insights_check_failed_notificationswpo365-msgraphmailer.php:157
actionwpo_check_password_credentials_expirationwpo365-msgraphmailer.php:167
actionshutdownwpo365-msgraphmailer.php:170
actionadmin_enqueue_scriptswpo365-msgraphmailer.php:172
actionphpmailer_initwpo365-msgraphmailer.php:176
filterwp_mail_fromwpo365-msgraphmailer.php:177
filterwp_mailwpo365-msgraphmailer.php:181
filterwpo365/mail/beforewpo365-msgraphmailer.php:185
actionwpo_process_unsent_messageswpo365-msgraphmailer.php:189
actionadmin_initwpo365-msgraphmailer.php:190
filtersafe_style_csswpo365-msgraphmailer.php:199
actionadmin_bar_menuwpo365-msgraphmailer.php:203
actionwp_enqueue_scriptswpo365-msgraphmailer.php:204
actionadmin_enqueue_scriptswpo365-msgraphmailer.php:205
actionactivated_pluginwpo365-msgraphmailer.php:209
actiondeactivated_pluginwpo365-msgraphmailer.php:210
actionupgrader_process_completewpo365-msgraphmailer.php:213
actionwpo365/mail/sentwpo365-msgraphmailer.php:217
actionwpo365/mail/sent/failwpo365-msgraphmailer.php:218
actionwpo365/alert/submittedwpo365-msgraphmailer.php:219
actionwpo365/alert/submitted/failwpo365-msgraphmailer.php:220
actionhttp_api_curlwpo365-msgraphmailer.php:225

Scheduled Events 1

wpo_check_password_credentials_expiration
Maintenance & Trust

WPO365 | MICROSOFT 365 GRAPH MAILER Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedDec 7, 2025
PHP min version7.4
Downloads181K

Community Trust

Rating98/100
Number of ratings37
Active installs10K
Alternatives

WPO365 | MICROSOFT 365 GRAPH MAILER Alternatives

MailerSend – Official SMTP Integration

MailerSend – Official SMTP Integration

mailersend-official-smtp-integration

A
100

Improve your deliverability and avoid the spam box with MailerSend’s SMTP server. Check your analytics to improve your emails for better conversion!

2K No CVEs
SMTP.com

SMTP.com

smtpcom

A
100

SMTP.com is a powerful and reliable SMTP delivery service that enables you to send and track high volume emails effortlessly.

90 No CVEs
Simple SMTP Mailer

Simple SMTP Mailer

simple-smtp-mailer

A
100

Simplifies local development by configuring WordPress to use SMTP instead of the PHP mail() function

20 No CVEs
AhaSend Email API

AhaSend Email API

ahasend-email-api

A
100

Connect your WordPress site to AhaSend for reliable, fast transactional email delivery with easy SMTP integration and real-time tracking.

10 No CVEs
{eac}Doojigger Simple SMTP Extension for WordPress

{eac}Doojigger Simple SMTP Extension for WordPress

eacsimplesmtp

A
100

Send email using an SMTP email sever. Configure WordPress wp_mail, and phpmailer, to use your SMTP (outgoing) mail server when sending email.

10 No CVEs
Developer Profile

WPO365 | MICROSOFT 365 GRAPH MAILER Developer Profile

Marco van Wieren

4 plugins · 22K total installs

74
trust score
Avg Security Score
93/100
Avg Patch Time
385 days
View full developer profile
Detection Fingerprints

How We Detect WPO365 | MICROSOFT 365 GRAPH MAILER

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpo365-msgraphmailer/css/admin-styles.css/wp-content/plugins/wpo365-msgraphmailer/css/admin-wizard.css/wp-content/plugins/wpo365-msgraphmailer/css/insights-dashboard.css/wp-content/plugins/wpo365-msgraphmailer/css/insights-notices.css/wp-content/plugins/wpo365-msgraphmailer/js/admin-wizard.js/wp-content/plugins/wpo365-msgraphmailer/js/insights-dashboard.js/wp-content/plugins/wpo365-msgraphmailer/js/insights-notices.js/wp-content/plugins/wpo365-msgraphmailer/js/wpo365-tools.js
Script Paths
/wp-content/plugins/wpo365-msgraphmailer/js/admin-wizard.js/wp-content/plugins/wpo365-msgraphmailer/js/insights-dashboard.js/wp-content/plugins/wpo365-msgraphmailer/js/insights-notices.js/wp-content/plugins/wpo365-msgraphmailer/js/wpo365-tools.js
Version Parameters
wpo365-msgraphmailer/css/admin-styles.css?ver=wpo365-msgraphmailer/css/admin-wizard.css?ver=wpo365-msgraphmailer/css/insights-dashboard.css?ver=wpo365-msgraphmailer/css/insights-notices.css?ver=wpo365-msgraphmailer/js/admin-wizard.js?ver=wpo365-msgraphmailer/js/insights-dashboard.js?ver=wpo365-msgraphmailer/js/insights-notices.js?ver=wpo365-msgraphmailer/js/wpo365-tools.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpo365-welcomewpo365-wizard-stepwpo365-input-groupwpo365-validation-messagewpo365-insights-widgetwpo365-health-messagewpo365-admin-noticewpo365-mail-log-table+2 more
HTML Comments
<!-- WPO365 | MICROSOFT 365 GRAPH MAILER --><!-- End WPO365 | MICROSOFT 365 GRAPH MAILER --><!-- BEGIN WPO365 | MS GRAPH MAILEREND WPO365 | MS GRAPH MAILER -->
Data Attributes
data-wpo365-dialogdata-wpo365-dismissibledata-wpo365-toggledata-wpo365-validation-field
JS Globals
WPO365_Toolswpo365_admin_wizard_varswpo365_insights_dashboard_varswpo365_insights_notices_vars
REST Endpoints
/wp-json/wpo365/v1/settings/wp-json/wpo365/v1/mail_log/wp-json/wpo365/v1/insights
FAQ

Frequently Asked Questions about WPO365 | MICROSOFT 365 GRAPH MAILER