
WP phone Security & Risk Analysis
wordpress.org/plugins/wp-phone
Take calls on your website.
Is WP phone Safe to Use in 2026?
Generally Safe
Score 100/100
WP phone has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The "wp-phone" v1.1 plugin presents a significant security risk due to critical vulnerabilities identified in its static analysis. A notable concern is the presence of an unprotected AJAX handler, which represents a direct entry point into the plugin's functionality without any authentication or authorization checks. This opens the door for unauthenticated users to potentially trigger malicious actions. Furthermore, the analysis reveals a concerning lack of output escaping, with 100% of outputs not being properly escaped. This makes the plugin highly susceptible to Cross-Site Scripting (XSS) attacks, where an attacker could inject malicious scripts into the website's frontend.
The plugin's vulnerability history is currently clear, with no known CVEs. This might suggest that the plugin hasn't been widely targeted or has recently been developed. However, the static analysis findings, particularly the unprotected AJAX handler and the widespread lack of output escaping, strongly indicate a foundational insecurity that could be easily exploited. The presence of the `unserialize` function, while not explicitly shown to be exploitable in the taint analysis, is often a vector for serious vulnerabilities when not handled with extreme caution, especially in conjunction with user-supplied data.
In conclusion, despite the absence of known CVEs, "wp-phone" v1.1 exhibits a poor security posture. The unprotected AJAX endpoint and the complete failure to escape output are critical flaws that demand immediate attention. While the use of prepared statements for SQL queries is a positive aspect, it does not mitigate the more pressing threats posed by the other vulnerabilities. The plugin's security needs substantial improvement before it can be considered safe for production environments.
Key Concerns
- Unprotected AJAX handler found
- 100% of outputs unescaped
- Dangerous function: unserialize
- Total entry points: 1, Unprotected: 1
- No nonce checks on entry points
WP phone Security Vulnerabilities
WP phone Code Analysis
Dangerous Functions Found
Output Escaping
Data Flow Analysis
WP phone Attack Surface
- AJAX Handlers: 1
- WordPress Hooks: 4
WP phone Maintenance & Trust
Maintenance Signals
Community Trust
WP phone Alternatives
Click to call button
click-to-call-button
Shows a Click to Call / Call Now Button to your visitors and turns your website into a phone with call recording, voicemail and SMS.
Connect-EZ Click-To-Call
connect-ez-click-to-call
Make phone calls directly from your website!
Video Call Button by Gruveo
gruveo-call-button
Let your website visitors call you with voice and video using the Gruveo button. No account or installs are needed for callers!
Live Support
live-support
Adds call button to your site. Your visitors can make web calls right away from your site.
Overtok Call Conversion
overtok
Convert inbound calls into additional actions. Connect business calls from any digital asset with an outstanding on-site visual journey that converts …
WP phone Developer Profile
2 plugins · 20 total installs
How We Detect WP phone
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/wp-phone/js/intlTelInput.min.js
- /wp-content/plugins/wp-phone/js/signup.js
- /wp-content/plugins/wp-phone/js/twilio_find_number.js
- js/intlTelInput.min.js
- js/signup.js
- js/twilio_find_number.js
HTML / DOM Fingerprints
- wp_phone_form_table
- wp_phone_holder
- wp_phone_default_number_shortcode
- <!-- stuff to do when we create plugin -->
- <!-- these are for updting the cache automaticly -->
- <!-- start of form-->
- id="wp_phone_holder"
- class="wp_phone_form_table"
- id="wp_phone_sync_form"
- id="wp_register_form"
- class="wp_phone_default_number_shortcode"
- intlTelInput.min.js
- signup.js
- twilio_find_number.js
- [wp_phone_number]
- get_option("wp_phone_number")