SEMA API Security & Risk Analysis

wordpress.org/plugins/sema-api

The plugin is built to automatically transfer auto parts data from SEMA Data Coop to Wordpress/wooCommerce. A comprehensive frontend catalog search p …

30 active installs · v6.22 · PHP 5.2.4+ · WP 6.2+ · Updated Dec 5, 2025

Tags: auto-parts-filter, auto-parts-search, sema-product-import, year-make-model-filter, year-make-model-search

Security score: 96 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Jan 8, 2025
Safety Verdict

Is SEMA API Safe to Use in 2026?

Generally Safe

Score 96/100

SEMA API has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jan 8, 2025 · Updated 3mo ago
Risk Assessment

The sema-api v6.22 plugin exhibits a mixed security posture. While it demonstrates good practices in SQL query preparation (98%) and a majority of output escaping (78%), several significant concerns are present. The presence of two unprotected AJAX handlers creates a substantial attack surface, potentially allowing unauthenticated users to trigger plugin functionality. Taint analysis reveals six high-severity flows with unsanitized paths, indicating potential vulnerabilities where user input could be manipulated to achieve unintended or malicious outcomes, even though no critical severity flows were found.

The plugin's vulnerability history, with two known CVEs (one critical SQL injection, CVE-2022-0836, and one medium reflected cross-site scripting, CVE-2024-12285), is concerning. While there are currently no unpatched vulnerabilities, the recurrence of these vulnerability classes suggests a pattern of inadequate input sanitization and output escaping for specific input vectors. The most recent vulnerability being disclosed only in January 2025 further underscores the need for vigilance.

In conclusion, sema-api v6.22 has some strengths in its handling of database interactions. However, the unprotected entry points, high-severity taint flows, and past critical vulnerabilities necessitate careful consideration. The plugin's security would be significantly improved by addressing the unprotected AJAX handlers and thoroughly reviewing and sanitizing all user-influenced data flows identified by the taint analysis, especially in light of its historical vulnerabilities.

Key Concerns

  • Unprotected AJAX handlers
  • High severity unsanitized taint flows
  • Historical critical CVE (SQLi, CVE-2022-0836)
  • Historical medium CVE (XSS, CVE-2024-12285)
  • Lack of nonce checks
  • Percentage of improperly escaped output
Vulnerabilities
2

SEMA API Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE (patched)
  • 2025: 1 CVE (patched)

Severity Breakdown

  • Critical: 1
  • Medium: 1

2 total CVEs

CVE-2024-12285 · medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SEMA API <= 5.27 - Reflected Cross-Site Scripting via catid Parameter

Jan 8, 2025 · Patched in 5.30 (2d)

CVE-2022-0836 · critical (9.8) · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

SEMA API <= 3.64 - SQL Injection

Apr 13, 2022 · Patched in 4.02 (650d)
Code Analysis
Analyzed Mar 16, 2026

SEMA API Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 5 (217 prepared)
Unescaped Output: 89 (316 escaped)
Nonce Checks: 0
Capability Checks: 5
File Operations: 3
External Requests: 35
Bundled Libraries: 0

SQL Query Safety

98% prepared (222 total queries)

Output Escaping

78% escaped (405 total outputs)
Data Flows
6 unsanitized

Data Flow Analysis

7 flows, 6 with unsanitized paths

<html-sema-fitment-edit> (includes\views\html-sema-fitment-edit.php:0)

[Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface
2 unprotected

SEMA API Attack Surface

Entry Points: 4
Unprotected: 2

AJAX Handlers (2)

  • auth · wp_ajax_get_semadata · sema-api.php:783
  • nopriv · wp_ajax_get_semadata · sema-api.php:784

Shortcodes (2)

  • [semasearch] · sema-api.php:442
  • [semasearchbar] · sema-api.php:443
WordPress Hooks (15)

  • filter · http_request_timeout · includes\importer\class-sema-product-import.php:122
  • filter · http_request_timeout · includes\importer\class-sema-product-import.php:487
  • filter · http_request_timeout · includes\importer\class-sema-product-import.php:674
  • filter · http_request_timeout · includes\importer\class-sema-product-import.php:920
  • action · admin_menu · options.php:24
  • action · admin_init · options.php:252
  • filter · woocommerce_product_tabs · sema-api.php:60
  • filter · query_vars · sema-api.php:445
  • action · admin_head · sema-api.php:742
  • action · init · sema-api.php:767
  • action · before_delete_post · sema-api.php:779
  • filter · woocommerce_screen_ids · sema-api.php:1859
  • action · init · sema-api.php:1861
  • action · admin_init · sema-api.php:1863
  • filter · intermediate_image_sizes · sema-api.php:1867

Scheduled Events (1)

  • woocommerce_flush_rewrite_rules
Maintenance & Trust

SEMA API Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Dec 5, 2025
PHP min version: 5.2.4
Downloads: 10K

Community Trust

Rating: 30/100
Number of ratings: 2
Active installs: 30
Developer Profile

SEMA API Developer Profile

ssema

1 plugin · 30 total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 326 days
Detection Fingerprints

How We Detect SEMA API

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/sema-api/css/style.css
  • /wp-content/plugins/sema-api/js/script.js

Script Paths

  • /wp-content/plugins/sema-api/js/script.js

Version Parameters

  • sema-api/style.css?ver=
  • sema-api/js/script.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • sema_product_fitment_field

Data Attributes

  • id="sema_product_data_fitments"
  • id="ymm_search_field"
  • class="ymm-result-select"
  • id="sema_ymms_changed"

JS Globals

  • var ajax_url='
  • function sema_new_product_tab( $tabs )
  • function sema_product_tab( $array )
  • function sema_product_content_fitment()
  • function sema_save_fitments( $post_id )
FAQ

Frequently Asked Questions about SEMA API