SMTP and email routing plugins hold highly sensitive operational data because they connect WordPress to external mail infrastructure, API credentials, OAuth-based providers, email logs, and resend workflows. Weak controls in this layer can expose tokens, disclose private email content, alter transactional mail routing, or allow unauthorized users to resend messages. FluentSMTP version 2.2.95 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64658, confirming that the plugin was reviewed from a secure code perspective with attention to common exploitation paths for mail delivery and email logging plugins.
| Name of the plugin | FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider |
| Version | 2.2.95 |
| Active installations | 600,000+ |
| Description | Fluent SMTP plugin fixes your email delivery issue by connecting WordPress Mail with your email service providers. These integrations are native, so it will send the emails superfast. |
| Security | Successfully tested for: SQL Injection (SQLi); Cross-Site Scripting (XSS) – Stored & Reflected; Cross-Site Request Forgery (CSRF); Authentication Vulnerabilities; Authentication Bypass Exploits; Privilege Escalation; Buffer Overflow; Denial-of-Service (DoS) vectors; Data Leakage Vulnerabilities; Insecure Dependency Usage; Remote Code Execution (RCE) Risks; Unauthorized File Access; Insufficient Injection Protection; Information Disclosure via Misconfigured Endpoints |
| CleanTalk Certification | Proudly earned the “Plugin Security Certification” (PSC) from CleanTalk, indicating adherence to stringent security standards. |
| Additional Information | Use FluentSMTP with confidence backed by the “Plugin Security Certification” (PSC). Always verify the latest plugin details and keep WordPress core and dependent components up to date. |
Key Features
FluentSMTP connects WordPress mail delivery to SMTP and native email service providers such as Amazon SES, Gmail, Google Workspace, Outlook, SendGrid, Mailgun, Brevo, Postmark, SparkPost, SMTP2GO, Elastic Email, Zoho, and generic SMTP providers. The plugin supports multiple email connections, routing based on sender configuration, fallback connections, email logging, resend workflows, reporting, failure notifications, and options for storing credentials outside the database through wp-config.php. These capabilities matter for security because the plugin handles mail credentials, API tokens, message metadata, email bodies, provider callbacks, and administrator-controlled delivery rules. A secure implementation must protect secrets at rest, restrict log access, validate capability boundaries around resending, and prevent unauthorized users from modifying outbound mail routes.
Security Assurance
The CleanTalk Plugin Security Certification evaluation focuses on defensive coding for plugins that handle email delivery, logs, and third-party provider credentials. For SMTP plugins, the common abuse patterns include disclosing SMTP passwords or API keys, exposing email logs to low-privilege users, changing sender identities or mail routing without authorization, resending sensitive messages, abusing test-email functions, and forcing administrator configuration changes through CSRF. The review validates that settings pages and AJAX or REST-style actions are protected by capabilities and nonces, that sensitive values are not reflected or leaked unnecessarily, and that log viewing and resend features remain available only to trusted roles. Particular attention is paid to credential storage, OAuth/provider configuration flows, log retention behavior, and error reporting because these areas can reveal secrets or operational details if handled carelessly.
The plugin has been successfully tested for:
✅ Information Leakage Vulnerabilities
✅ SQL Injection Vulnerabilities
✅ Cross-Site Scripting (XSS) Attacks
✅ Cross-Site Request Forgery (CSRF) Attacks
✅ Authentication & Authentication Bypass Vulnerabilities
✅ Privilege Escalation Vulnerabilities
✅ Buffer Overflow Vulnerabilities
✅ Denial-of-Service (DoS) Vulnerabilities
✅ Data Leakage Vulnerabilities
✅ Insecure Dependencies
✅ Code Execution Vulnerabilities
✅ Unauthorized File Access Vulnerabilities
✅ Insufficient Injection Protection
Conclusion
With PSC-2026-64658, FluentSMTP version 2.2.95 demonstrates strong baseline security for the workflows that matter most in WordPress mail delivery plugins: configuring provider connections, protecting SMTP and API credentials, handling email logs, and controlling resend or routing actions. This certification helps site owners improve email deliverability while reducing the risk of credential exposure and unauthorized mail operations. As a best practice, store secrets in wp-config.php where possible, restrict access to email logs, avoid retaining sensitive message content longer than necessary, and rotate provider credentials when administrators change.
Note: The date and certification information may change over time. It is advisable to verify the latest details on the plugin developer’s website.
