GatewayAPI Security & Risk Analysis

wordpress.org/plugins/gatewayapi

Send SMS notifications for WooCommerce orders, create SMS campaigns, manage contacts, and add two-factor authentication - powered by GatewayAPI.com.

400 active installs · v2.1.4 · PHP + WP 5.8+ · Updated Mar 9, 2026
Tags: campaigns, notifications, sms, transactional-sms, woocommerce

Score: 100
Grade: A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is GatewayAPI Safe to Use in 2026?

Generally Safe

Score 100/100

GatewayAPI has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 26d ago
Risk Assessment

The gatewayapi plugin v2.1.4 exhibits a mixed security posture. On the positive side, it has no known vulnerabilities (CVEs) and a low number of potentially dangerous functions or critical taint flows. The high percentage of properly escaped output is also a good sign, suggesting developers are mindful of preventing cross-site scripting (XSS). The plugin also demonstrates a reasonable number of capability checks, indicating some level of access control is implemented.

However, significant concerns arise from the attack surface analysis. With 47 total entry points, a staggering 42 are unprotected AJAX handlers. This represents a substantial risk, as attackers could potentially interact with these handlers without proper authentication or authorization, leading to unintended actions or information disclosure. Furthermore, the single SQL query detected is not using prepared statements, which opens the door to SQL injection vulnerabilities. The presence of unsanitized paths in taint analysis, though not critical, warrants attention as it could be a precursor to path traversal issues if combined with other vulnerabilities.

The lack of historical vulnerabilities might reflect a diligent development process, or simply that the plugin has not been a significant target. Either way, the current code analysis reveals weaknesses that could be exploited regardless of past vulnerability history. The high number of unprotected AJAX handlers and the non-prepared SQL query are the most pressing issues, creating a substantial attack surface that requires immediate attention.

Key Concerns

  • Large attack surface without auth
  • Raw SQL without prepare
  • Flows with unsanitized paths
  • Missing nonce checks on AJAX
Vulnerabilities
None known

GatewayAPI Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

GatewayAPI Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 21 (191 escaped)
Nonce Checks: 1
Capability Checks: 48
File Operations: 5
External Requests: 7
Bundled Libraries: 0

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

90% escaped · 212 total outputs
Data Flows
5 unsanitized

Data Flow Analysis

10 flows · 5 with unsanitized paths

gatewayapi__handle_signup (inc\shortcodes.php:152)

Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
42 unprotected

GatewayAPI Attack Surface

Entry Points: 47
Unprotected: 42

AJAX Handlers 45

auth wp_ajax_gatewayapi_get_key_status (inc\admin-ajax.php:6)
auth wp_ajax_gatewayapi_save_connection (inc\admin-ajax.php:86)
auth wp_ajax_gatewayapi_disconnect (inc\admin-ajax.php:163)
auth wp_ajax_gatewayapi_save_defaults (inc\admin-ajax.php:180)
auth wp_ajax_gatewayapi_get_settings (inc\admin-ajax.php:218)
auth wp_ajax_gatewayapi_get_contact_fields (inc\admin-ajax.php:250)
auth wp_ajax_gatewayapi_save_contact_fields (inc\admin-ajax.php:266)
auth wp_ajax_gatewayapi_dismiss_v2_notice (inc\admin-ajax.php:303)
auth wp_ajax_gatewayapi_get_frontend_settings (inc\admin-ajax.php:315)
auth wp_ajax_gatewayapi_save_frontend_settings (inc\admin-ajax.php:329)
auth wp_ajax_gatewayapi_get_tags (inc\admin-ajax.php:348)
auth wp_ajax_gatewayapi_get_countries (inc\admin-ajax.php:377)
auth wp_ajax_gatewayapi_get_campaigns (inc\campaigns-ajax.php:6)
auth wp_ajax_gatewayapi_get_campaign (inc\campaigns-ajax.php:78)
auth wp_ajax_gatewayapi_save_campaign (inc\campaigns-ajax.php:108)
auth wp_ajax_gatewayapi_get_campaign_tags (inc\campaigns-ajax.php:215)
auth wp_ajax_gatewayapi_count_recipients (inc\campaigns-ajax.php:257)
auth wp_ajax_gatewayapi_delete_campaign (inc\campaigns-ajax.php:286)
auth wp_ajax_gatewayapi_restore_campaign (inc\campaigns-ajax.php:323)
auth wp_ajax_gatewayapi_revert_campaign_to_draft (inc\campaigns-ajax.php:350)
auth wp_ajax_gatewayapi_clone_campaign (inc\campaigns-ajax.php:378)
auth wp_ajax_gatewayapi_get_server_time (inc\campaigns-ajax.php:431)
auth wp_ajax_gatewayapi_test_sms (inc\campaigns-ajax.php:446)
auth wp_ajax_gatewayapi_get_contacts (inc\contacts-ajax.php:6)
auth wp_ajax_gatewayapi_get_contact (inc\contacts-ajax.php:131)
auth wp_ajax_gatewayapi_save_contact (inc\contacts-ajax.php:169)
auth wp_ajax_gatewayapi_delete_contact (inc\contacts-ajax.php:256)
auth wp_ajax_gatewayapi_restore_contact (inc\contacts-ajax.php:284)
auth wp_ajax_gatewayapi_get_tags (inc\contacts-ajax.php:325)
auth wp_ajax_gatewayapi_get_countries (inc\contacts-ajax.php:350)
auth wp_ajax_gatewayapi_bulk_save_contacts (inc\contacts-ajax.php:375)
auth wp_ajax_gatewayapi_get_contacts_export (inc\contacts-ajax.php:631)
auth wp_ajax_gatewayapi_bulk_update_contacts (inc\contacts-ajax.php:743)
auth wp_ajax_gatewayapi_devserver (inc\devserver.php:3)
auth wp_ajax_gatewayapi_migrate_contacts (inc\migration-tool.php:163)
auth wp_ajax_gatewayapi_save_2fa_settings (inc\two-fa.php:10)
auth wp_ajax_gatewayapi_get_2fa_settings (inc\two-fa.php:11)
auth wp_ajax_gatewayapi_2fa_verify (inc\two-fa.php:17)
auth wp_ajax_gatewayapi_get_woo_smss (inc\woocommerce-ajax.php:6)
auth wp_ajax_gatewayapi_get_woo_sms (inc\woocommerce-ajax.php:55)
auth wp_ajax_gatewayapi_save_woo_sms (inc\woocommerce-ajax.php:85)
auth wp_ajax_gatewayapi_delete_woo_sms (inc\woocommerce-ajax.php:136)
auth wp_ajax_gatewayapi_toggle_woo_sms (inc\woocommerce-ajax.php:155)
auth wp_ajax_gatewayapi_get_woo_statuses (inc\woocommerce-ajax.php:173)
auth wp_ajax_gatewayapi_get_woo_countries (inc\woocommerce-ajax.php:205)

Shortcodes 2

[gatewayapi] inc\shortcodes.php:999
[gwapi] inc\shortcodes.php:1000

WordPress Hooks 17

action init (gatewayapi.php:59)
action admin_menu (inc\admin-menu.php:3)
action admin_notices (inc\admin-menu.php:130)
action init (inc\campaigns-post-type.php:3)
action gatewayapi_schedule_campaign (inc\campaigns-scheduling.php:6)
action gatewayapi_send_campaign_batch (inc\campaigns-scheduling.php:72)
action init (inc\contacts-post-type.php:3)
action admin_menu (inc\migration-tool.php:19)
action init (inc\two-fa.php:8)
filter authenticate (inc\two-fa.php:14)
action login_form_gatewayapi_2fa (inc\two-fa.php:15)
action wp_login_errors (inc\two-fa.php:16)
action show_user_profile (inc\two-fa.php:20)
action edit_user_profile (inc\two-fa.php:21)
action admin_notices (inc\two-fa.php:24)
action init (inc\woocommerce-post-type.php:3)
action woocommerce_order_status_changed (inc\woocommerce-scheduling.php:6)

Maintenance & Trust

GatewayAPI Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 9, 2026
PHP min version:
Downloads: 21K

Community Trust

Rating: 100/100
Number of ratings: 3
Active installs: 400

Developer Profile

GatewayAPI Developer Profile

onlinecity

1 plugin · 400 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days

Detection Fingerprints

How We Detect GatewayAPI

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/gatewayapi/assets/css/gatewayapi.css
/wp-content/plugins/gatewayapi/assets/js/gatewayapi.js

Script Paths
/wp-content/plugins/gatewayapi/assets/js/gatewayapi.js

Version Parameters
gatewayapi.css?ver=
gatewayapi.js?ver=

HTML / DOM Fingerprints

CSS Classes
gatewayapi-control-wrapper, gatewayapi-field-, gatewayapi-error, gatewayapi-help-text, gatewayapi-recaptcha, gatewayapi-tags, gatewayapi-label, gatewayapi-checkboxes, +1 more

HTML Comments
<!-- gwapi_template -->

Data Attributes
data-sitekey, aria-invalid, aria-describedby, data-gwapi-form-id, data-gwapi-next-step, data-gwapi-previous-step

JS Globals
gatewayapi

REST Endpoints
/wp-json/gatewayapi/v1/sms-message
/wp-json/gatewayapi/v1/sms-bulk-send

Shortcode Output
<div class="gatewayapi-control-wrapper gatewayapi-field-
<div class="g-recaptcha"
<div class="gatewayapi-control-wrapper gatewayapi-tags">
<div class="gatewayapi-checkbox">

FAQ

Frequently Asked Questions about GatewayAPI