Email delivery is business critical, but email sending plugins also sit on a sensitive boundary where they handle SMTP credentials, API keys, admin side settings, and in some cases email logs that can contain personal data. GoSMTP version 1.1.8 has successfully completed the CleanTalk Plugin Security Certification program and received PSC-2026-64610, confirming that the plugin was assessed with a strong focus on secure coding practices and common real world WordPress attack paths.
| Name of | GoSMTP – SMTP for WordPress |
| Version | 1.1.8 |
| Downloads | 300 000+ |
| Description | GoSMTP allows you to send emails from your WordPress over SMTP or many of the popular email sending services. Many web hosting companies have strict mail sending rules and limitations which restrict email deliverability. With GoSMTP, you will not be using your hosting providers PHP email but rather sending emails over SMTP or using API’s of various email providers. |
| Security | Successfully tested for: SQL Injection (SQLi) Cross-Site Scripting (XSS) – Stored & Reflected Cross-Site Request Forgery (CSRF) Authentication Vulnerabilities Authentication Bypass Exploits Privilege Escalation Buffer Overflow Denial-of-Service (DoS) vectors Data Leakage Vulnerabilities Insecure Dependency Usage Remote Code Execution (RCE) Risks Unauthorized File Access Insufficient Injection Protection Information Disclosure via Misconfigured Endpoints |
| CleanTalk Certification | Proudly earned the “Plugin Security Certification” (PSC) from CleanTalk, indicating adherence to stringent security standards. |
| Additional Information | Users can confidently manage age restrictions with the assurance of the “Plugin Security Certification” (PSC). Verify the latest details on the plugin developer’s website. |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Key Features
GoSMTP replaces default PHP mail sending with SMTP and supported email delivery services to improve deliverability and reduce reliance on hosting IP reputation. The plugin supports popular providers and custom SMTP setups, and its mailer API connectors are derived from Fluent SMTP, which helps keep integrations consistent and maintainable. In the Pro edition, functionality expands into operational controls like email logs, resending, delivery failure notifications, and reporting features that are useful for troubleshooting and audit trails when implemented with proper access controls.
Security Assurance
The CleanTalk Plugin Security Certification review focuses on how a plugin behaves under adversarial conditions inside a typical WordPress environment, including admin panel hardening, request validation, and data protection of sensitive configuration. For a mail sending plugin, the security bar is especially high because missteps can expose credentials, leak message contents, or create abuse vectors that let an attacker send spam through a site. The assessment checks that administrative actions are protected with capability checks and request validation, that user controlled input does not reach dangerous sinks, that output is handled safely, and that sensitive settings are not unintentionally exposed through debug paths, logs, or weak access boundaries.
The plugin has been successfully tested for:
✅ Information Leakage Vulnerabilities
✅ SQL Injection Vulnerabilities
✅ Cross-Site Scripting (XSS) Attacks
✅ Cross-Site Request Forgery (CSRF) Attacks
✅ Authentication & Authentication Bypass Vulnerabilities
✅ Privilege Escalation Vulnerabilities
✅ Buffer Overflow Vulnerabilities
✅ Denial-of-Service (DoS) Vulnerabilities
✅ Data Leakage Vulnerabilities
✅ Insecure Dependencies
✅ Code Execution Vulnerabilities
✅ File Unauthorized Access Vulnerabilities
✅ Insufficient Injection Protection
Conclusion
With PSC-2026-64610, GoSMTP 1.1.8 demonstrates strong baseline resilience against common WordPress exploitation techniques that typically target settings pages, action handlers, and stored configuration. This certification helps reduce deployment risk for site owners who need reliable email delivery without trading off security, while still keeping the standard recommendation in place to run least privilege admin practices, restrict access to the WordPress dashboard, and keep WordPress core, themes, and plugins updated.
Note: The date and certification information may change over time. It is advisable to verify the latest details on the plugin developer’s website.