WP-Safety

SMM API Security & Risk Analysis

wordpress.org/plugins/smm-api

SMM API Plugin is an API integrator for SMM servers and Re-Sellers panel website that runs in WordPress platform.

100 active installs v6.0.31 PHP + WP 4.9.9+ Updated Jan 5, 2026
api-panelreseller-panelsmm-panelsocial-panel
54
C · Use Caution
CVEs total2
Unpatched2
Last CVEAug 7, 2025
Plugin page Download
Safety Verdict

Is SMM API Safe to Use in 2026?

Use With Caution

Score 54/100

SMM API has 2 unpatched vulnerabilities. Evaluate alternatives or apply available mitigations.

2 known CVEs 2 unpatched Last CVE: Aug 7, 2025Updated 4mo ago
Risk Assessment

The "smm-api" plugin v6.0.31 exhibits a mixed security posture. While it demonstrates strengths in SQL query handling and output escaping, significant concerns arise from its substantial attack surface and historical vulnerability patterns. A large number of AJAX handlers (23 out of 27) lack proper authentication checks, creating a broad entry point for potential attacks. Furthermore, the taint analysis reveals a concerning number of flows with unsanitized paths, including eleven classified as high severity, indicating potential vulnerabilities like Cross-Site Scripting (XSS) or similar issues where user input is not sufficiently validated or neutralized before being used. The plugin's vulnerability history, with two known CVEs, including one high and one medium severity issue, and a recent vulnerability recorded in August 2025, suggests a recurring struggle with security. The types of past vulnerabilities, namely Missing Authorization and XSS, align with the risks identified in the static and taint analysis. While the use of prepared statements for SQL and high output escaping are positive indicators, the numerous unprotected entry points and the nature of the taint analysis results, coupled with a history of serious vulnerabilities, point to a plugin that requires significant attention to its authorization and input sanitization mechanisms to improve its overall security.

Key Concerns

  • 23 unprotected AJAX handlers
  • 11 high severity taint flows
  • 2 currently unpatched CVEs
  • 1 high severity CVE
  • 1 medium severity CVE
  • 12 flows with unsanitized paths
  • 5 Nonce checks (low coverage)
  • 5 Capability checks (low coverage)
Vulnerabilities
2 published

SMM API Security Vulnerabilities

CVEs by Year

2 CVEs in 2025 · unpatched
2025
Patched Has unpatched

Severity Breakdown

High
1
Medium
1

2 total CVEs

CVE-2025-52785medium · 4.3Missing Authorization

SMM API <= 6.0.30 - Missing Authorization

Aug 7, 2025Unpatched
CVE-2025-31855high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SMM API <= 6.0.30 - Unauthenticated Stored Cross-Site Scripting

Apr 1, 2025Unpatched
Version History

SMM API Release Timeline

v6.0.31Current2 CVEs
CVE-2025-31855 CVE-2025-52785
v6.0.302 CVEs
CVE-2025-31855 CVE-2025-52785
v6.0.282 CVEs
CVE-2025-31855 CVE-2025-52785
v6.0.272 CVEs
CVE-2025-31855 CVE-2025-52785
v6.0.252 CVEs
CVE-2025-31855 CVE-2025-52785
v6.0.172 CVEs
CVE-2025-31855 CVE-2025-52785
v6.0.82 CVEs
CVE-2025-31855 CVE-2025-52785
v5.0.12 CVEs
CVE-2025-31855 CVE-2025-52785
v4.0.12 CVEs
CVE-2025-31855 CVE-2025-52785
v3.0.12 CVEs
CVE-2025-31855 CVE-2025-52785
v2.0.32 CVEs
CVE-2025-31855 CVE-2025-52785
v2.0.22 CVEs
CVE-2025-31855 CVE-2025-52785
v2.0.12 CVEs
CVE-2025-31855 CVE-2025-52785
v1.1.42 CVEs
CVE-2025-31855 CVE-2025-52785
v1.12 CVEs
CVE-2025-31855 CVE-2025-52785
Code Analysis
Analyzed Mar 16, 2026

SMM API Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
57 prepared
Unescaped Output
23
1262 escaped
Nonce Checks
5
Capability Checks
5
File Operations
0
External Requests
3
Bundled Libraries
2

Bundled Libraries

DataTablesSelect2

SQL Query Safety

100% prepared57 total queries

Output Escaping

98% escaped1285 total outputs
Data Flows · Security
12 unsanitized

Data Flow Analysis

14 flows12 with unsanitized paths
smm_ajax_action_function_item_select_list (includes\class.smapi-smm-ajax-call.php:829)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
23 unprotected

SMM API Attack Surface

Entry Points27
Unprotected23

AJAX Handlers 27

authwp_ajax_server_displayincludes\class.smapi-smm-ajax-call.php:51
authwp_ajax_server_saveincludes\class.smapi-smm-ajax-call.php:52
authwp_ajax_server_demoincludes\class.smapi-smm-ajax-call.php:53
authwp_ajax_server_editincludes\class.smapi-smm-ajax-call.php:54
authwp_ajax_api_buildincludes\class.smapi-smm-ajax-call.php:55
authwp_ajax_api_server_requestincludes\class.smapi-smm-ajax-call.php:56
authwp_ajax_server_deleteincludes\class.smapi-smm-ajax-call.php:57
authwp_ajax_f_item_saveincludes\class.smapi-smm-ajax-call.php:58
authwp_ajax_f_item_editincludes\class.smapi-smm-ajax-call.php:59
authwp_ajax_f_item_deleteincludes\class.smapi-smm-ajax-call.php:60
authwp_ajax_f_item_importincludes\class.smapi-smm-ajax-call.php:61
authwp_ajax_f_item_displayincludes\class.smapi-smm-ajax-call.php:62
authwp_ajax_server_listincludes\class.smapi-smm-ajax-call.php:63
authwp_ajax_server_product_listincludes\class.smapi-smm-ajax-call.php:64
authwp_ajax_var_server_product_listincludes\class.smapi-smm-ajax-call.php:65
authwp_ajax_var_service_span_dataincludes\class.smapi-smm-ajax-call.php:66
authwp_ajax_n_item_productincludes\class.smapi-smm-ajax-call.php:67
authwp_ajax_f_item_productincludes\class.smapi-smm-ajax-call.php:68
authwp_ajax_prefix_selected_variation_idincludes\class.smms-wc-subscription-cart.php:71
authwp_ajax_custom_input_data_idincludes\class.smms-wc-subscription-cart.php:72
noprivwp_ajax_custom_input_data_idincludes\class.smms-wc-subscription-cart.php:73
authwp_ajax_subscription_select_dataincludes\class.smms-wc-subscription-cart.php:74
noprivwp_ajax_subscription_select_dataincludes\class.smms-wc-subscription-cart.php:75
authwp_ajax_load_variationincludes\class.smms-wc-subscription-cart.php:79
noprivwp_ajax_load_variationincludes\class.smms-wc-subscription-cart.php:80
authwp_ajax_update_variationincludes\class.smms-wc-subscription-cart.php:83
noprivwp_ajax_update_variationincludes\class.smms-wc-subscription-cart.php:84
WordPress Hooks 80
actioninitincludes\class.smapi-susbscription-helper.php:60
actioninitincludes\class.smapi-susbscription.php:131
actioninitincludes\class.smapi-susbscription.php:132
filterwc_order_statusesincludes\class.smapi-susbscription.php:133
filtersmms_show_plugin_row_metaincludes\class.smms-wc-subscription-admin.php:82
actionadmin_enqueue_scriptsincludes\class.smms-wc-subscription-admin.php:84
filterproduct_type_optionsincludes\class.smms-wc-subscription-admin.php:86
actionwoocommerce_product_options_general_product_dataincludes\class.smms-wc-subscription-admin.php:88
actionwoocommerce_product_options_general_product_dataincludes\class.smms-wc-subscription-admin.php:89
actionwoocommerce_product_options_general_product_dataincludes\class.smms-wc-subscription-admin.php:90
actionwoocommerce_process_product_metaincludes\class.smms-wc-subscription-admin.php:91
filterwoocommerce_admin_settings_sanitize_optionincludes\class.smms-wc-subscription-admin.php:94
filtersmm_pull_order_statusincludes\class.smms-wc-subscription-admin.php:95
filtersmm_url_check_statusincludes\class.smms-wc-subscription-admin.php:96
actionwoocommerce_variation_optionsincludes\class.smms-wc-subscription-admin.php:97
actionwoocommerce_product_after_variable_attributesincludes\class.smms-wc-subscription-admin.php:98
actionwoocommerce_save_product_variationincludes\class.smms-wc-subscription-admin.php:99
filterwc_order_statusesincludes\class.smms-wc-subscription-admin.php:100
actionwoocommerce_saved_order_itemsincludes\class.smms-wc-subscription-admin.php:101
filterproduct_type_optionsincludes\class.smms-wc-subscription-admin.php:102
actionadmin_menuincludes\class.smms-wc-subscription-admin.php:801
actionsmms_smapi_subscriptions_tabincludes\class.smms-wc-subscription-admin.php:802
actionsmms_smapi_servers_tabincludes\class.smms-wc-subscription-admin.php:803
actionsmms_smapi_items_tabincludes\class.smms-wc-subscription-admin.php:804
actionsmms_smapi_orders_tabincludes\class.smms-wc-subscription-admin.php:805
actionsmms_smapi_premium_tabincludes\class.smms-wc-subscription-admin.php:806
filterwoocommerce_cart_item_priceincludes\class.smms-wc-subscription-cart.php:59
filterwoocommerce_quantity_input_argsincludes\class.smms-wc-subscription-cart.php:60
filterwoocommerce_cart_item_subtotalincludes\class.smms-wc-subscription-cart.php:61
actionwoocommerce_after_shop_loop_itemincludes\class.smms-wc-subscription-cart.php:62
actionwoocommerce_before_add_to_cart_buttonincludes\class.smms-wc-subscription-cart.php:63
filterwoocommerce_add_to_cart_validationincludes\class.smms-wc-subscription-cart.php:64
filterwoocommerce_add_cart_item_dataincludes\class.smms-wc-subscription-cart.php:65
filterwoocommerce_cart_item_nameincludes\class.smms-wc-subscription-cart.php:66
actionwp_enqueue_scriptsincludes\class.smms-wc-subscription-cart.php:67
actionwoocommerce_after_add_to_cart_buttonincludes\class.smms-wc-subscription-cart.php:69
filterformatted_woocommerce_priceincludes\class.smms-wc-subscription-cart.php:70
filterwoocommerce_calculated_totalincludes\class.smms-wc-subscription-cart.php:77
actionsmapi_renew_cronincludes\class.smms-wc-subscription-cron.php:62
actionsmapi_renew_ordersincludes\class.smms-wc-subscription-cron.php:63
actionsmapi_price_updateincludes\class.smms-wc-subscription-cron.php:64
actionsmm_auto_priceincludes\class.smms-wc-subscription-cron.php:65
actionsmapi_trash_pending_subscriptionsincludes\class.smms-wc-subscription-cron.php:104
actionsmapi_trash_cancelled_subscriptionsincludes\class.smms-wc-subscription-cron.php:105
actionwoocommerce_new_order_itemincludes\class.smms-wc-subscription-order.php:64
actionwoocommerce_checkout_order_processedincludes\class.smms-wc-subscription-order.php:66
actionwoocommerce_checkout_order_processedincludes\class.smms-wc-subscription-order.php:72
actionwoocommerce_payment_completeincludes\class.smms-wc-subscription-order.php:80
actionwoocommerce_checkout_create_order_line_itemincludes\class.smms-wc-subscription-order.php:82
filtersmapi_price_checkincludes\class.smms-wc-subscription-order.php:163
filterwoocommerce_shipping_chosen_methodincludes\class.smms-wc-subscription-order.php:238
filterwoocommerce_shipping_chosen_methodincludes\class.smms-wc-subscription-order.php:479
filterwp_privacy_personal_data_exportersincludes\class.smms-wc-subscription-privacy.php:48
filterwp_privacy_personal_data_erasersincludes\class.smms-wc-subscription-privacy.php:49
actionplugins_loadedincludes\class.smms-wc-subscription.php:55
filterwoocommerce_locate_core_templateincludes\class.smms-wc-subscription.php:63
filterwoocommerce_locate_templateincludes\class.smms-wc-subscription.php:64
filterwoocommerce_get_price_htmlincludes\class.smms-wc-subscription.php:77
filterwoocommerce_order_formatted_line_subtotalincludes\class.smms-wc-subscription.php:79
filterwoocommerce_add_to_cart_validationincludes\class.smms-wc-subscription.php:82
actionwoocommerce_thankyouincludes\gateways\paypal\class.smms-wc-coupon.php:30
filterwoocommerce_paypal_argsincludes\gateways\paypal\class.smms-wc-subscription-paypal.php:82
filtersmapi_cancel_recurring_paymentincludes\gateways\paypal\class.smms-wc-subscription-paypal.php:98
actionvalid-paypal-standard-ipn-requestincludes\gateways\paypal\includes\class.smapi-paypal-ipn-handler.php:35
actionplugins_loadedinit.php:29
actionbefore_woocommerce_initinit.php:31
actionadmin_noticesinit.php:58
actionadmin_noticesinit.php:119
actionwoocommerce_loadedinit.php:125
actionadmin_noticesinit.php:142
actionsmms_smapi_initinit.php:190
filterextra_theme_headersplugin-fw\smm-functions.php:602
filtersmm_title_special_charactersplugin-fw\smm-functions.php:729
filtermanage_edit-shop_order_columnsplugin-fw\smm-functions.php:1429
actionmanage_shop_order_posts_custom_columnplugin-fw\smm-functions.php:1446
actionwoocommerce_after_checkout_validationplugin-fw\smm-functions.php:1472
filtermanage_edit-product_columnsplugin-fw\smm-functions.php:1495
actionmanage_product_posts_custom_columnplugin-fw\smm-functions.php:1504
filterplugin_row_metaplugin-fw\smm-plugin.php:51
actionshutdownplugin-fw\smm-woocommerce-compatibility.php:763

Scheduled Events 4

smm_auto_price
smapi_renew_orders
smapi_trash_pending_subscriptions
smapi_trash_cancelled_subscriptions
Maintenance & Trust

SMM API Maintenance & Trust

Maintenance Signals

WordPress version tested6.6.5
Last updatedJan 5, 2026
PHP min version
Downloads23K

Community Trust

Rating86/100
Number of ratings12
Active installs100
Alternatives

SMM API Alternatives

Panelhelper – SMM Panel API tool

Panelhelper – SMM Panel API tool

panelhelper

A
100

Connect your Wordpress website to an SMM Panel API.

70 No CVEs
Developer Profile

SMM API Developer Profile

softnwords

1 plugin · 100 total installs

62
trust score
Avg Security Score
54/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect SMM API

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/smm-api/assets/css/frontend.css/wp-content/plugins/smm-api/assets/js/frontend.js/wp-content/plugins/smm-api/assets/css/backend.css/wp-content/plugins/smm-api/assets/js/backend.js
Script Paths
/wp-content/plugins/smm-api/assets/js/frontend.js/wp-content/plugins/smm-api/assets/js/backend.js
Version Parameters
smm-api/assets/css/frontend.css?ver=smm-api/assets/js/frontend.js?ver=smm-api/assets/css/backend.css?ver=smm-api/assets/js/backend.js?ver=

HTML / DOM Fingerprints

CSS Classes
smm-api-frontendsmm-api-backend
HTML Comments
<!-- SMMS WooCommerce Subscription Admin --><!-- SMMS WooCommerce Subscription --><!-- SMMS API Frontend -->
Data Attributes
data-smm-api-settings
JS Globals
SMMS_WC_Subscription_FrontendSMMS_WC_Subscription_BackendSMM_API_AJAX_OBJECT
REST Endpoints
/wp-json/smm-api/v1/...
Shortcode Output
[smm_api_subscription][smm_api_order_status]
FAQ

Frequently Asked Questions about SMM API