VatanSMS WP SMS Security & Risk Analysis

wordpress.org/plugins/wp-sms-vatansms-com

** Vatan SMS eklentisi ile ihtiyaç duyduğunuz tüm durumlarda artık SMS gönderebileceksiniz.

20 active installs v1.01 PHP 5.6.0+ WP 4.8+ Updated Nov 5, 2020
smsvatansms
63
C · Use Caution
CVEs total1
Unpatched1
Last CVEMay 19, 2026
Safety Verdict

Is VatanSMS WP SMS Safe to Use in 2026?

Use With Caution

Score 63/100

VatanSMS WP SMS has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: May 19, 2026Updated 5yr ago
Risk Assessment

The wp-sms-vatansms-com plugin exhibits a mixed security posture. While it has no recorded historical vulnerabilities and demonstrates some good practices like using prepared statements for the majority of its SQL queries and implementing capability checks, there are significant areas of concern. The presence of two unprotected AJAX handlers represents a substantial attack surface, as these entry points can be accessed by unauthenticated users, potentially leading to unauthorized actions. The taint analysis reveals a high number of flows with unsanitized paths, with 8 marked as high severity, indicating a strong possibility of exploitable vulnerabilities even in the absence of known CVEs.

The lack of historical vulnerabilities might suggest good development practices in the past or a lack of focused exploitation, but it doesn't negate the current risks identified. The high percentage of unsanitized paths in the taint analysis is a critical red flag. Combined with the unprotected AJAX endpoints, this suggests that attackers could potentially inject malicious data or execute arbitrary code. The plugin also shows poor output escaping practices, with only 20% of outputs being properly escaped, increasing the risk of Cross-Site Scripting (XSS) vulnerabilities.

Key Concerns

  • Unprotected AJAX handlers found
  • High number of unsanitized taint flows (8 high)
  • Low percentage of properly escaped output
  • Unprotected AJAX handlers (2 without auth)
Vulnerabilities
1 published

VatanSMS WP SMS Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-7462medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

VatanSMS WP SMS <= 1.01 - Reflected Cross-Site Scripting via 'page' Parameter

May 19, 2026Unpatched
Version History

VatanSMS WP SMS Release Timeline

No version history available.
Code Analysis
Analyzed Mar 16, 2026

VatanSMS WP SMS Code Analysis

Dangerous Functions
0
Raw SQL Queries
28
40 prepared
Unescaped Output
101
26 escaped
Nonce Checks
2
Capability Checks
4
File Operations
3
External Requests
2
Bundled Libraries
1

Bundled Libraries

jQuery

SQL Query Safety

59% prepared68 total queries

Output Escaping

20% escaped127 total outputs
Data Flows · Security
24 unsanitized

Data Flow Analysis

25 flows24 with unsanitized paths
wp_sms_edit_group (includes\admin\groups\class-wpsms-groups-table-edit.php:24)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
2 unprotected

VatanSMS WP SMS Attack Surface

Entry Points3
Unprotected2

AJAX Handlers 2

authwp_ajax_wp_sms_edit_groupincludes\admin\groups\class-wpsms-groups-table-edit.php:21
authwp_ajax_wp_sms_edit_subscriberincludes\admin\subscribers\class-wpsms-subscribers-table-edit.php:21

Shortcodes 1

[wp-sms-subscriber-form] includes\class-wpsms-shortcode.php:14
WordPress Hooks 68
actionadmin_enqueue_scriptsincludes\admin\class-wpsms-admin.php:21
actionadmin_bar_menuincludes\admin\class-wpsms-admin.php:22
actiondashboard_glance_itemsincludes\admin\class-wpsms-admin.php:23
actionadmin_menuincludes\admin\class-wpsms-admin.php:24
actionwp_sms_settings_pageincludes\admin\class-wpsms-admin.php:270
actionwp_sms_pro_after_setting_logoincludes\admin\class-wpsms-version.php:22
actionadmin_noticesincludes\admin\class-wpsms-version.php:26
actionadmin_noticesincludes\admin\class-wpsms-version.php:31
filterwp_sms_pro_wp_settingsincludes\admin\class-wpsms-version.php:32
filterwp_sms_pro_bp_settingsincludes\admin\class-wpsms-version.php:33
filterwp_sms_pro_wc_settingsincludes\admin\class-wpsms-version.php:34
filterwp_sms_pro_gf_settingsincludes\admin\class-wpsms-version.php:35
filterwp_sms_pro_qf_settingsincludes\admin\class-wpsms-version.php:36
filterwp_sms_pro_edd_settingsincludes\admin\class-wpsms-version.php:37
filterwp_sms_job_settingsincludes\admin\class-wpsms-version.php:38
filterwp_sms_as_settingsincludes\admin\class-wpsms-version.php:39
filterwp_sms_pro_um_settingsincludes\admin\class-wpsms-version.php:40
filterplugin_row_metaincludes\admin\class-wpsms-version.php:43
actionadmin_enqueue_scriptsincludes\admin\class-wpsms-version.php:44
actionwp_sms_pro_after_setting_logoincludes\admin\class-wpsms-version.php:45
actionwp_sms_after_setting_logoincludes\admin\class-wpsms-version.php:46
filterwpsms_gateway_listincludes\admin\class-wpsms-version.php:47
filterscreen_layout_columnsincludes\admin\privacy\class-wpsms-privacy-actions.php:20
actionadmin_noticesincludes\admin\privacy\class-wpsms-privacy-actions.php:22
actionadmin_initincludes\admin\privacy\class-wpsms-privacy-actions.php:23
actionpre_user_queryincludes\admin\send\class-wpsms-send.php:85
actionadmin_menuincludes\admin\settings\class-wpsms-settings.php:23
actionadmin_initincludes\admin\settings\class-wpsms-settings.php:26
actionadmin_menuincludes\admin\welcome\class-wpsms-welcome.php:9
actionupgrader_process_completeincludes\admin\welcome\class-wpsms-welcome.php:10
actionadmin_initincludes\admin\welcome\class-wpsms-welcome.php:11
actionrest_api_initincludes\api\v1\class-wpsms-api-credit.php:18
actionrest_api_initincludes\api\v1\class-wpsms-api-newsletter.php:18
actionrest_api_initincludes\api\v1\class-wpsms-api-send.php:18
actionrest_api_initincludes\api\v1\class-wpsms-api-subscribers.php:18
actionwp_enqueue_scriptsincludes\class-front.php:16
actionadmin_bar_menuincludes\class-front.php:17
actionuser_new_formincludes\class-wpsms-features.php:31
filteruser_contactmethodsincludes\class-wpsms-features.php:32
actionregister_formincludes\class-wpsms-features.php:33
filterregistration_errorsincludes\class-wpsms-features.php:34
actionuser_registerincludes\class-wpsms-features.php:35
actionuser_registerincludes\class-wpsms-features.php:37
actionprofile_updateincludes\class-wpsms-features.php:38
actionwp_enqueue_scriptsincludes\class-wpsms-features.php:41
actionadmin_enqueue_scriptsincludes\class-wpsms-features.php:42
actionlogin_enqueue_scriptsincludes\class-wpsms-features.php:43
filterwp_sms_toincludes\class-wpsms-gateway.php:36
filterwp_sms_toincludes\class-wpsms-gateway.php:44
actionwp_sms_after_gatewayincludes\class-wpsms-gateway.php:97
filterwp_sms_gateway_settingsincludes\class-wpsms-gateway.php:115
actionwpmu_new_blogincludes\class-wpsms-install.php:12
filterwpmu_drop_tablesincludes\class-wpsms-install.php:13
filterwpcf7_editor_panelsincludes\class-wpsms-integrations.php:27
actionwpcf7_after_saveincludes\class-wpsms-integrations.php:28
actionwpcf7_before_send_mailincludes\class-wpsms-integrations.php:29
actionwoocommerce_new_orderincludes\class-wpsms-integrations.php:34
actionedd_complete_purchaseincludes\class-wpsms-integrations.php:39
actionwp_enqueue_scriptsincludes\class-wpsms-newsletter.php:21
actionadd_meta_boxesincludes\class-wpsms-notifications.php:42
actionpublish_postincludes\class-wpsms-notifications.php:43
actionuser_registerincludes\class-wpsms-notifications.php:72
actionwp_insert_commentincludes\class-wpsms-notifications.php:76
actionwp_loginincludes\class-wpsms-notifications.php:80
actiontransition_post_statusincludes\class-wpsms-notifications.php:86
actionwidgets_initincludes\class-wpsms-widget.php:21
actionplugins_loadedincludes\class-wpsms.php:13
actioninitincludes\class-wpsms.php:30
Maintenance & Trust

VatanSMS WP SMS Maintenance & Trust

Maintenance Signals

WordPress version tested5.5.18
Last updatedNov 5, 2020
PHP min version5.6.0
Downloads2K

Community Trust

Rating100/100
Number of ratings2
Active installs20
Developer Profile

VatanSMS WP SMS Developer Profile

Vatan Yazılım ve Haberleşme

2 plugins · 30 total installs

76
trust score
Avg Security Score
74/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect VatanSMS WP SMS

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-sms-vatansms-com/assets/css/admin-bar.css/wp-content/plugins/wp-sms-vatansms-com/assets/css/admin.css/wp-content/plugins/wp-sms-vatansms-com/assets/css/rtl.css/wp-content/plugins/wp-sms-vatansms-com/assets/css/chosen.min.css/wp-content/plugins/wp-sms-vatansms-com/assets/js/chosen.jquery.min.js/wp-content/plugins/wp-sms-vatansms-com/assets/js/jquery.word-and-character-counter.min.js/wp-content/plugins/wp-sms-vatansms-com/assets/js/jquery.repeater.min.js/wp-content/plugins/wp-sms-vatansms-com/assets/js/admin.js+4 more
Script Paths
/wp-content/plugins/wp-sms-vatansms-com/assets/js/chosen.jquery.min.js/wp-content/plugins/wp-sms-vatansms-com/assets/js/jquery.word-and-character-counter.min.js/wp-content/plugins/wp-sms-vatansms-com/assets/js/jquery.repeater.min.js/wp-content/plugins/wp-sms-vatansms-com/assets/js/admin.js/wp-content/plugins/wp-sms-vatansms-com/assets/js/flatpickr.min.js/wp-content/plugins/wp-sms-vatansms-com/assets/js/edit-subscriber.js+1 more
Version Parameters
wp-sms-admin-bar?ver=wp-sms-admin?ver=wp-sms-rtl?ver=wp-sms-chosen?ver=wpsms-chosen?ver=wpsms-word-and-character-counter?ver=wpsms-repeater?ver=wpsms-admin?ver=jquery-flatpickr?ver=jquery-flatpickr?ver=

HTML / DOM Fingerprints

CSS Classes
wpsms-subscribe-countwpsms-credit-count
Data Attributes
id="wp-credit-sms"id="wp-send-sms"id="wp-sms-subscribers-privacy"
JS Globals
wp_sms_edit_subscribe_ajax_vars
FAQ

Frequently Asked Questions about VatanSMS WP SMS