Security release. Fixes input sanitization in ajax_delete_message() and\najax_mark_seen(). Resolves an infinite IMAP re-fetch loop. All addon\nhooks retain identical signatures \u2014 no breaking changes. Update immediately.<\/p>\n\n
\nSelf-hosted. Privacy-first. Fully yours.<\/strong><\/p>\n<\/blockquote>\n\n
Tempmails turns your WordPress site into a self-hosted temporary email\nservice<\/strong>. Visitors generate a random disposable email address, receive\nmessages in a real-time inbox, and discard them when done \u2014 all without\nleaving your site.<\/p>\n\n
Unlike third-party services, Tempmails runs entirely on your own server\nand IMAP mailbox<\/strong>. You own the data, the domain, and the brand.<\/p>\n\n\n\n
\ud83d\udd12 No third-party email APIs<\/strong>\n\ud83d\udcec Real IMAP inbox \u2014 not a simulation<\/strong>\n\ud83c\udfa8 Material Design 3 UI \u2014 beautiful out of the box<\/strong>\n\u26a1 AJAX-powered \u2014 no page reloads<\/strong><\/p>\n\n\n\n
\ud83d\ude80 Quick Links<\/h4>\n\n
Everything you need to get started, get help, and stay connected:<\/p>\n\n
\n
- \ud83c\udf10 Official Website<\/strong> \u2014 tempmails.cv<\/a> \u2014 docs,\nroadmap, and addon announcements<\/li>\n
- \ud83c\udfac Installation Tutorial<\/strong> \u2014 Watch the step-by-step video guide below<\/li>\n
- \ud83d\udcfa YouTube Channel<\/strong> \u2014 NeoSmartApps on YouTube<\/a>\n\u2014 tutorials, walkthroughs, and new release demos<\/li>\n
- \u2615 Support the Project<\/strong> \u2014 Buy us a coffee via PayPal<\/a>\n\u2014 Tempmails is free forever; your support keeps development alive<\/li>\n
- \ud83d\udda5\ufe0f Need Hosting?<\/strong> \u2014 Tempmails works best on a VPS or shared host with\ncatch-all IMAP support. We recommend Hostinger<\/a>\n(affiliate link \u2014 we earn a small commission at no extra cost to you)<\/em><\/li>\n<\/ul>\n\n
\ud83c\udfac Watch: Full Installation Tutorial<\/h4>\n\n
https:\/\/youtu.be\/8SKRdyEUrog?si=KHfUT0KicbYphO1M<\/p>\n\n\n\n
Core Features<\/h4>\n\n
\ud83d\udce8 Email Engine<\/strong><\/p>\n\n
\n
- IMAP Email Fetching \u2014 connects to any catch-all IMAP mailbox<\/li>\n
- Auto Email Generation \u2014 random disposable addresses on your own domains<\/li>\n
- Real-time Inbox \u2014 AJAX-powered message viewer with configurable\nauto-refresh<\/li>\n
- Attachment Support \u2014 download files with 40+ allowed extensions<\/li>\n<\/ul>\n\n
\ud83c\udfa8 Design & UI<\/strong><\/p>\n\n
\n
- Material Design 3 UI \u2014 modern, responsive inbox with Inter & Poppins fonts<\/li>\n
- White-labeled \u2014 fully rebrandable, no third-party branding in the UI<\/li>\n
- Design Panel \u2014 live color picker and label customization in admin<\/li>\n<\/ul>\n\n
\ud83d\udee1\ufe0f Privacy & Data<\/strong><\/p>\n\n
\n
- Soft Delete \u2014 messages are never hard-deleted; safe for compliance<\/li>\n
- Cookie-based sessions \u2014 no user accounts or registration required<\/li>\n
- Zero external data transmission \u2014 all data stays on your server<\/li>\n<\/ul>\n\n
\u2699\ufe0f WordPress Native<\/strong><\/p>\n\n
\n
- Uses WP database, cron, options, nonces, and security APIs throughout<\/li>\n
- Settings API compliant admin panel<\/li>\n
- Full i18n\/l10n support with
.pot<\/code> file included<\/li>\n<\/ul>\n\nShortcode<\/h4>\n\n
Place the inbox anywhere on your site with one shortcode:<\/p>\n\n
[tempmails_inbox]\n<\/code><\/pre>\n\nThis renders the full inbox UI \u2014 email generation, copy button,\nauto-refresh, message list, and message viewer modal.<\/p>\n\n
Addon Ecosystem<\/h4>\n\n
Tempmails Core is frozen infrastructure<\/strong>. All new functionality is\ndelivered via addons using a documented, stable hook system \u2014 your site\nnever breaks on Core updates.<\/p>\n\n
Available addon hooks cover: email generation, message routing, inbox\naccess control, multi-domain support, billing integration, and more.\nSee the Hooks<\/strong> section below for the full reference.<\/p>\n\n
Privacy<\/h4>\n\n
Tempmails stores temporary email addresses in browser cookies<\/strong> to\nmaintain inbox sessions between page loads. No personal data is collected,\nstored against user accounts, or transmitted to any external service.\nSee External Services<\/strong> below for details on the optional GitHub\necosystem feed.<\/p>\n\n\n\n
Hooks<\/h3>\n\n
Tempmails exposes a complete hook system for addon developers. All hooks\nbelow are stable and frozen<\/strong> \u2014 they will not be renamed, removed, or\nhave their signatures changed in any minor version.<\/p>\n\n
Action Hooks<\/h4>\n\n
\n
tempmails_loaded<\/code> \u2014 Core fully initialized; safe for addon bootstrap<\/li>\ntempmails_core_ready<\/code> \u2014 fires after DB integrity check; passes Core\nversion string<\/li>\ntempmails_activated<\/code> \u2014 fires on plugin activation; safe for addon setup<\/li>\ntempmails_deactivated<\/code> \u2014 fires on plugin deactivation<\/li>\ntempmails_email_generated<\/code> \u2014 new address generated; params:$email<\/code>,\n $ip<\/li>\ntempmails_inbox_accessed<\/code> \u2014 user opened inbox; params:$email<\/code>,$ip<\/code><\/li>\ntempmails_message_received<\/code> \u2014 new message stored; params:$message_id<\/code>,\n $to_address<\/li>\ntempmails_message_marked_seen<\/code> \u2014 message read; params:$message_id<\/code><\/li>\ntempmails_message_deleted<\/code> \u2014 soft delete triggered; params:$message_id<\/code>,\n $email<\/li>\ntempmails_cleanup_completed<\/code> \u2014 cron cleanup finished; params:\n $deleted_count<\/li>\ntempmails_fetch_completed<\/code> \u2014 fetch cycle finished; params:$results<\/code>\narray<\/li>\n<\/ul>\n\nFilter Hooks<\/h4>\n\n
\n
tempmails_registered_addons<\/code> \u2014 register your addon for the Addons admin\npage<\/li>\ntempmails_generated_email<\/code> \u2014 modify a generated address before returning\nit<\/li>\ntempmails_available_domains<\/code> \u2014 modify the domain list available for\ngeneration<\/li>\ntempmails_can_fetch_messages<\/code> \u2014 allow\/block a fetch cycle; params:\n $bool,$engine<\/code><\/li>\ntempmails_can_process_message<\/code> \u2014 allow\/block a single message; params:\n $bool,$message<\/code><\/li>\ntempmails_can_store_message<\/code> \u2014 allow\/block DB insert; params:$bool<\/code>,\n $data<\/li>\ntempmails_can_read_inbox<\/code> \u2014 allow\/block inbox access; params:$bool<\/code>,\n $email<\/li>\ntempmails_message_content<\/code> \u2014 filter body before display; params:\n $content,$message_id<\/code><\/li>\ntempmails_default_settings<\/code> \u2014 modify default option values on activation<\/li>\ntempmails_inbox_attributes<\/code> \u2014 modify shortcode default attributes<\/li>\ntempmails_admin_dashboard_stats<\/code> \u2014 extend dashboard stat cards<\/li>\ntempmails_settings_tabs<\/code> \u2014 add custom tabs to the Settings page<\/li>\n<\/ul>\n\n\n\nExternal Services<\/h3>\n\n
Ecosystem Feed (Optional \u2014 Default On)<\/h4>\n\n
Tempmails fetches a public JSON file from GitHub to display addon and\necosystem information inside the WordPress admin panel.<\/p>\n\n
What this connection does:<\/strong><\/p>\n\n
\n
- Fires only when viewing Tempmails admin pages<\/li>\n
- Retrieves only public, non-personal JSON content<\/li>\n
- Transmits no user data, site URL, or any identifiable information<\/li>\n
- Results are cached locally for 1 hour to minimize requests<\/li>\n<\/ul>\n\n
Remote endpoint:\nhttps:\/\/raw.githubusercontent.com\/ubermensch-site\/tempmails-ecosystem\/main\/ecosystem.json<\/p>\n\n
Service provider: GitHub\nPrivacy policy: https:\/\/docs.github.com\/en\/site-policy\/privacy-policies\/github-general-privacy-statement<\/p>\n\n
To disable this connection entirely<\/strong>, uncheck Ecosystem Feed<\/strong> under\nTempmails \u2192 Settings \u2192 General<\/strong>. Hardcoded fallback content is shown\ninstead \u2014 no requests are made.<\/p>\n\n
Google Fonts<\/h4>\n\n
The frontend inbox loads the Inter<\/strong> and Poppins<\/strong> typefaces and the\nMaterial Symbols<\/strong> icon font from Google Fonts CDN.<\/p>\n\n
What this connection does:<\/strong><\/p>\n\n
\n
- Fires only on pages where
[tempmails_inbox]<\/code> is rendered<\/li>\n- Transmits the visitor's IP address to Google as part of a standard font\nrequest<\/li>\n<\/ul>\n\n
Service provider: Google Fonts\nPrivacy policy: https:\/\/developers.google.com\/fonts\/faq\/privacy<\/p>\n\n
To avoid this (e.g. for GDPR compliance), dequeue
tempmails-google-fonts<\/code>\nand load self-hosted font copies instead.<\/p>\n\n\n\nDevelopers<\/h3>\n\n
This section documents internal implementation details, security practices,\nand notes for addon developers.<\/p>\n\n
Security Hardening Log<\/h4>\n\n
All security changes are tracked here for auditing purposes.<\/p>\n\n
2026-04-04 \u2014 Security Review Pass (v1.0.7 patch)<\/strong><\/p>\n\n
\n
- class-core.php<\/strong> \u2014
ajax_delete_message()<\/code>:$_POST['message_id']<\/code>\nwaswp_unslash()<\/code>-ed but not sanitized, with aphpcs:ignore<\/code>\nsuppression comment masking the warning. Now wrapped with\n sanitize_text_field( wp_unslash( ... ) ). Suppression comment removed.<\/li>\n<\/ol>\n\n2026-04-02 \u2014 Security Review Pass (v1.0.7 patch)<\/strong><\/p>\n\n
\n
- class-design.php<\/strong> \u2014 Removed raw
<style><\/code> echo fromrender_page()<\/code>.\nStatic CSS moved toassets\/css\/admin.css<\/code>.<\/li>\n- class-design.php<\/strong> \u2014
inject_css_variables()<\/code> refactored: replaced\n echo \"...\" withwp_add_inline_style('tempmails-admin', ...)<\/code>.\nAll$v()<\/code> return values now pass throughesc_attr()<\/code>.<\/li>\n- class-design.php<\/strong> \u2014
inject_frontend_css_variables()<\/code> refactored:\nall CSS values escaped withesc_attr()<\/code>,wp_strip_all_tags()<\/code> applied.<\/li>\n- class-design.php<\/strong> \u2014
wp_footer<\/code> fallback replaced rawecho '<style>'<\/code>\nwith a dummy registered style handle.<\/li>\n- class-tempmails-shortcodes.php<\/strong> \u2014 Inline
<script><\/code> replaced with\n wp_add_inline_script('tempmails-frontend', ...).<\/li>\n- class-ecosystem.php<\/strong> \u2014 Inline
<script><\/code> replaced with\n wp_add_inline_script('tempmails-admin', ...).<\/li>\n- class-core.php<\/strong> \u2014
ajax_mark_seen()<\/code>: sanitized with\n sanitize_text_field( wp_unslash( ... ) ).<\/li>\n- class-admin.php<\/strong> \u2014
save_settings()<\/code>: Raw$_POST<\/code> replaced with\n $clean_post = array_map('sanitize_text_field', wp_unslash($_POST)).<\/li>\n- class-email-generator.php<\/strong> \u2014
get_emails()<\/code>: Cookie data sanitized\nwitharray_values(array_filter(array_map('sanitize_email', $raw)))<\/code>.<\/li>\n<\/ol>\n\nAddon Development Notes<\/h4>\n\n
Hook Stability Guarantee<\/strong><\/p>\n\n
All hooks listed in the
== Hooks ==<\/code> section are frozen. Signatures will\nnot change in any 1.x release. Breaking changes will only occur in a major\nversion bump with a migration guide.<\/p>\n\n$clean_post in save_settings hooks<\/strong><\/p>\n\n
As of the 2026-04-02 security patch, both
tempmails_before_save_settings<\/code>\nandtempmails_before_save_imap_settings<\/code> receive a sanitized copy of\n $_POST. If your addon previously relied on raw values via these hooks,\nretrieve those fields directly from$_POST<\/code> with appropriate sanitization.<\/p>\n\nCSS Variable Injection<\/strong><\/p>\n\n
inject_css_variables() now attaches inline CSS to the `tempmails-admin`\n<\/code><\/pre>\n\nstyle handle. If your addon dequeues
tempmails-admin<\/code>, Design color\nvariables will not be applied on admin pages.<\/p>\n\ninject_frontend_css_variables() uses a priority waterfall:\n<\/code><\/pre>\n\n1. Attaches to
tempmails-frontend<\/code> if registered\/enqueued\n2. Falls back totempmails-frontend-css<\/code>\n3. Registers a dummy handletempmails-design-vars<\/code> inwp_footer<\/code> at\n priority 1<\/p>\n\nFile Structure<\/h4>\n\n
tempmails\/\n\u251c\u2500\u2500 assets\/\n\u2502 \u251c\u2500\u2500 css\/\n\u2502 \u2502 \u251c\u2500\u2500 admin.css\n\u2502 \u2502 \u251c\u2500\u2500 frontend.css\n\u2502 \u2502 \u2514\u2500\u2500 ecosystem.css\n\u2502 \u2514\u2500\u2500 js\/\n\u2502 \u251c\u2500\u2500 admin.js\n\u2502 \u251c\u2500\u2500 admin-design.js\n\u2502 \u2514\u2500\u2500 frontend.js\n\u251c\u2500\u2500 core\/\n\u2502 \u251c\u2500\u2500 class-core.php\n\u2502 \u251c\u2500\u2500 class-admin.php\n\u2502 \u251c\u2500\u2500 class-design.php\n\u2502 \u251c\u2500\u2500 class-ecosystem.php\n\u2502 \u251c\u2500\u2500 class-email-generator.php\n\u2502 \u2514\u2500\u2500 class-addon-handler.php\n\u251c\u2500\u2500 includes\/\n\u2502 \u251c\u2500\u2500 class-tempmails-shortcodes.php\n\u2502 \u251c\u2500\u2500 class-tempmails-database.php\n\u2502 \u251c\u2500\u2500 class-tempmails-settings.php\n\u2502 \u251c\u2500\u2500 class-tempmails-imap.php\n\u2502 \u2514\u2500\u2500 class-tempmails-fetcher.php\n\u2514\u2500\u2500 tempmails.php<\/p>\n\n\n
Minimum Requirements<\/h4>\n\n
\n
- WordPress 5.8 or higher<\/li>\n
- PHP 7.4 or higher<\/li>\n
- PHP extensions:
imap<\/code>,mbstring<\/code>,json<\/code><\/li>\n- A mail server with catch-all forwarding configured on your domain<\/li>\n<\/ul>\n\n
Step-by-Step Installation<\/h4>\n\n
\n
- Upload the
tempmails<\/code> folder to\/wp-content\/plugins\/<\/code> or install via\nPlugins \u2192 Add New \u2192 Upload Plugin<\/strong><\/li>\n- Activate the plugin through Plugins \u2192 Installed Plugins<\/strong><\/li>\n
- Go to Tempmails \u2192 Settings \u2192 IMAP<\/strong> and enter your mail server\ncredentials:\n\n
\n
- Host:<\/strong>
mail.yourdomain.com<\/code><\/li>\n- Port:<\/strong>
993<\/code> (SSL) or143<\/code> (TLS)<\/li>\n- Encryption:<\/strong> SSL or TLS<\/li>\n
- Username:<\/strong>
catch-all@yourdomain.com<\/code><\/li>\n- Password:<\/strong> your IMAP mailbox password<\/li>\n<\/ul><\/li>\n
- Click Test Connection<\/strong> to verify the credentials<\/li>\n
- Click Save Settings<\/strong><\/li>\n
- Create a new WordPress page and add
[tempmails_inbox]<\/code><\/li>\n- Publish \u2014 visitors can now generate and use temporary email addresses\ninstantly<\/li>\n<\/ol>\n\n
IMAP Catch-All Setup<\/h4>\n\n
Your mail server must have catch-all email enabled<\/strong> so that messages\nsent to any address
@yourdomain.com<\/code> land in the single mailbox\nTempmails reads from.<\/p>\n\nIn cPanel, set the Default Address for your domain to deliver to your\ncatch-all inbox:<\/p>\n\n
*@yourdomain.com \u2192 catch-all@yourdomain.com\n<\/code><\/pre>\n\n