Smart WeTransfer Security & Risk Analysis

wordpress.org/plugins/smart-wetransfer

Upload large files up to 2GB using this plugin. This plugin uses the WeTransfer API and all uploads are saved on the WeTransfer website for 7 days.

70 active installs · v1.3 · PHP 5.6+ · WP 3.5+ · Updated Jul 21, 2020
Tags: large-files-upload, transfer-big-files, wetransfer
Score: 63 · C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Sep 29, 2025
Safety Verdict

Is Smart WeTransfer Safe to Use in 2026?

Use With Caution

Score 63/100

Smart WeTransfer has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Sep 29, 2025 · Updated 5yr ago
Risk Assessment

The "smart-wetransfer" v1.3 plugin shows several security weaknesses despite some positive indicators. The analysis flags one AJAX handler as unprotected and found no nonce checks, so this entry point is exposed to unauthorized requests. The code analysis found no dangerous functions and no file operations, but 100% of SQL queries (one query in total) run without prepared statements, which is a major concern because it leaves the plugin open to SQL injection. The plugin also has a known vulnerability on record, a medium-severity issue that is currently unpatched, which suggests security oversight in its development and maintenance. The plugin does escape some output, but at 58% the coverage is too low to rule out cross-site scripting (XSS) through the remaining unescaped outputs.

Key Concerns

  • Unprotected AJAX handler found
  • 100% of SQL queries lack prepared statements
  • Unpatched medium severity CVE found
  • Missing nonce checks
  • Only 58% of output properly escaped
Vulnerabilities
1 published

Smart WeTransfer Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-62909 · medium · 4.3 · Missing Authorization

Smart WeTransfer <= 1.3 - Missing Authorization

Sep 29, 2025 · Unpatched
Version History

Smart WeTransfer Release Timeline

v1.1 · 1 CVE
v1.0 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Smart WeTransfer Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (0 prepared)
  • Unescaped Output: 8 (11 escaped)
  • Nonce Checks: 0
  • Capability Checks: 1
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

0% prepared · 1 total query

Output Escaping

58% escaped · 19 total outputs
Attack Surface
1 unprotected

Smart WeTransfer Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers: 1

  • auth · wp_ajax_delete_action · includes\scripts.php:41

Shortcodes: 1

  • [smartTransfer] · smart-wetransfer.php:97

WordPress Hooks: 8

  • action · admin_enqueue_scripts · includes\scripts.php:8
  • action · admin_footer · includes\scripts.php:27
  • action · admin_enqueue_scripts · includes\style.php:11
  • action · wp_enqueue_scripts · includes\style.php:19
  • action · admin_enqueue_scripts · includes\styles.php:13
  • action · wp_enqueue_scripts · includes\styles.php:21
  • action · init · smart-wetransfer.php:141
  • action · admin_menu · smart-wetransfer.php:219
Maintenance & Trust

Smart WeTransfer Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.4.19
Last updated: Jul 21, 2020
PHP min version: 5.6
Downloads: 4K

Community Trust

Rating: 86/100
Number of ratings: 3
Active installs: 70
Alternatives

Smart WeTransfer Alternatives

No alternatives data available yet.

Developer Profile

Smart WeTransfer Developer Profile

mrityunjay

2 plugins · 80 total installs

Trust score: 76
Avg Security Score: 74/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Smart WeTransfer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/smart-wetransfer/includes/style.css
  • /wp-content/plugins/smart-wetransfer/includes/script.js
Script Paths
  • https://prod-embed-cdn.wetransfer.net/v1/latest.js
Version Parameters
  • smart-wetransfer/includes/style.css?ver=
  • smart-wetransfer/includes/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • form-control
  • btn
  • btn-primary
  • grit-style
  • table
  • error
HTML Comments
  • The next input element will hold the transfer link. For testing purposes, you could change the type attribute to "text", instead of "hidden".
Data Attributes
  • data-widget-host
  • wtEmbedKey
  • wtEmbedOutput
  • wtEmbedLanguage
JS Globals
  • WETRANSFER_PLUGIN_PATH
Shortcode Output
  • <h3 style='color:green'>
  • <span class="error">
  • <input type='text' name='your_name' class='form-control' placeholder='Your Name'>
  • <input type='email' name='your_email' class='form-control' placeholder='Your Email' required>