Alpha SMS Security & Risk Analysis

wordpress.org/plugins/alpha-sms

Connect your WordPress and WooCommerce store to Alpha SMS for OTP verification and order notifications in Bangladesh.

100 active installs · v1.0.17 · PHP 5.6+ · WP 3.5+ · Updated Feb 18, 2026
Tags: order-notification, otp-verification, sms-gateway, two-step-verification, woocommerce-sms-integration
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Alpha SMS Safe to Use in 2026?

Generally Safe

Score 100/100

Alpha SMS has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The "alpha-sms" plugin version 1.0.17 presents a mixed security posture. On the positive side, the static analysis reveals that all output is properly escaped, there are no dangerous functions identified, and the taint analysis shows no critical or high severity unsanitized flows. Furthermore, the plugin has no recorded vulnerability history, which suggests a generally stable codebase. However, a significant concern is the presence of four unprotected AJAX handlers, representing a considerable attack surface. The complete lack of capability checks on these AJAX endpoints means that any authenticated user, regardless of their role, could potentially trigger these functions, leading to unintended actions or information disclosure.

The lack of permission callbacks for REST API routes is also noted, although there are currently no REST API routes exposed. The single SQL query found is not using prepared statements, which, while not a critical issue in isolation given the small number of queries, represents a potential risk for SQL injection if the query's inputs are not perfectly sanitized elsewhere. The plugin's vulnerability history is clean, which is a strong positive indicator. However, the unprotected AJAX handlers are a clear and present risk that requires immediate attention, overshadowing the otherwise clean code signals and history.

Key Concerns

  • 4 AJAX handlers without auth checks
  • 1 SQL query not using prepared statements
Vulnerabilities
None known

Alpha SMS Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Alpha SMS Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (0 prepared)
  • Unescaped Output: 0 (271 escaped)
  • Nonce Checks: 13
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 1
  • Bundled Libraries: 0

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

100% escaped · 271 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
wc_phone_on_register (public\class-alpha_sms-public.php:156)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
4 unprotected

Alpha SMS Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers (4)

  • auth · wp_ajax_alpha_sms_to_save_and_send_otp_login · includes\class-alpha_sms.php:250
  • nopriv · wp_ajax_alpha_sms_to_save_and_send_otp_login · includes\class-alpha_sms.php:252
  • auth · wp_ajax_wc_send_otp · includes\class-alpha_sms.php:286
  • nopriv · wp_ajax_wc_send_otp · includes\class-alpha_sms.php:287

WordPress Hooks (28)

  • action · plugins_loaded · includes\class-alpha_sms.php:153
  • action · admin_enqueue_scripts · includes\class-alpha_sms.php:171
  • action · admin_enqueue_scripts · includes\class-alpha_sms.php:172
  • action · admin_menu · includes\class-alpha_sms.php:175
  • action · admin_init · includes\class-alpha_sms.php:182
  • action · admin_notices · includes\class-alpha_sms.php:188
  • action · wp_enqueue_scripts · includes\class-alpha_sms.php:227
  • action · wp_enqueue_scripts · includes\class-alpha_sms.php:228
  • action · woocommerce_order_status_changed · includes\class-alpha_sms.php:232
  • action · woocommerce_new_order · includes\class-alpha_sms.php:234
  • action · login_enqueue_scripts · includes\class-alpha_sms.php:239
  • action · login_enqueue_scripts · includes\class-alpha_sms.php:240
  • action · login_form · includes\class-alpha_sms.php:242
  • action · woocommerce_login_form · includes\class-alpha_sms.php:246
  • filter · authenticate · includes\class-alpha_sms.php:256
  • action · register_form · includes\class-alpha_sms.php:262
  • action · register_form · includes\class-alpha_sms.php:263
  • filter · registration_errors · includes\class-alpha_sms.php:265
  • action · user_register · includes\class-alpha_sms.php:267
  • action · woocommerce_register_form_start · includes\class-alpha_sms.php:273
  • action · woocommerce_edit_account_form_start · includes\class-alpha_sms.php:274
  • action · woocommerce_register_form · includes\class-alpha_sms.php:275
  • filter · woocommerce_registration_errors · includes\class-alpha_sms.php:277
  • action · woocommerce_created_customer · includes\class-alpha_sms.php:280
  • action · woocommerce_save_account_details · includes\class-alpha_sms.php:282
  • action · woocommerce_review_order_before_submit · includes\class-alpha_sms.php:290
  • action · woocommerce_checkout_process · includes\class-alpha_sms.php:293
  • filter · registration_errors · public\class-alpha_sms-public.php:632

Maintenance & Trust

Alpha SMS Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 18, 2026
PHP min version: 5.6
Downloads: 5K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 100
Developer Profile

Alpha SMS Developer Profile

alphanetbd

1 plugin · 100 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Alpha SMS

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/alpha-sms/admin/css/alpha_sms-admin.css
  • /wp-content/plugins/alpha-sms/admin/js/alpha_sms-admin.js
  • /wp-content/plugins/alpha-sms/public/css/alpha_sms-public.css
  • /wp-content/plugins/alpha-sms/public/js/alpha_sms-public.js
Generator Patterns
  • Alpha SMS v1.0.17
Script Paths
  • /wp-content/plugins/alpha-sms/admin/js/alpha_sms-admin.js
  • /wp-content/plugins/alpha-sms/public/js/alpha_sms-public.js
Version Parameters
  • alpha-sms-admin.css?ver=
  • alpha_sms-admin.js?ver=
  • alpha-sms-public.css?ver=
  • alpha_sms-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • alpha-sms-settings
  • alpha-sms-menu-icon
HTML Comments
  • <!-- This file is used to mark up the admin-facing aspect of the plugin. -->
  • <!-- Include the following JavaScript file to enable the message functionality in the admin area. -->
  • <!-- Include the following stylesheets to enable the the styling of the admin area. -->
  • <!-- This file is used to mark up the public-facing aspect of the plugin. -->
  • (+2 more)
Data Attributes
  • data-alpha-sms-settings
JS Globals
  • AlphaSMSPublic
  • AlphaSMSAdmin
FAQ

Frequently Asked Questions about Alpha SMS