WordPress.org
Get WordPress
WordPress.org

Plugin Directory

SMSTunnel

SMSTunnel

By nicunarcisbodea
Download

Description

SMSTunnel transforms your Android phone into a powerful SMS gateway for WordPress.

Key Features

  • Use Your Own Phone – No third-party SMS gateway costs
  • Two-Factor Authentication – Secure WordPress login with SMS 2FA
  • End-to-End Encryption – Messages encrypted with RSA keys
  • Quick Setup – Scan QR code from the mobile app

External Services

This plugin connects to external services to provide certain functionality. Below are the details of each service:

SMSTunnel API

  • Purpose: Core service that enables the plugin to communicate with the SMSTunnel mobile app for sending SMS messages from your phone
  • When data is sent: During Quick Setup (when pairing via QR code), when sending SMS messages, and when verifying API connections
  • Data sent:
    • During setup: Site URL, site token (random identifier), admin email (for account creation)
    • When sending SMS: Phone number, message content (encrypted if E2E is enabled), API key for authentication
  • Service provider: SMSTunnel.io (NARBOWEB SRL)
  • Privacy Policy: https://smstunnel.io/privacy
  • Terms of Service: https://smstunnel.io/terms

SMSTunnel Authentication

  • Purpose: Optional sign-in via Google, Facebook, or email to link your SMSTunnel account with WordPress
  • When data is sent: Only when the admin uses the “Connect with Google/Facebook/Email” options on the plugin settings page
  • Data sent:
    • Google/Facebook: Redirects to smstunnel.io/auth/google or smstunnel.io/auth/facebook with a callback URL and CSRF state token
    • Email login: Email and password sent to smstunnel.io/api/v1/auth/login
    • After authentication: Fetches user profile from smstunnel.io/auth/me and creates an API key via smstunnel.io/api/v1/api-keys
  • Service provider: SMSTunnel.io (NARBOWEB SRL)
  • Privacy Policy: https://smstunnel.io/privacy
  • Terms of Service: https://smstunnel.io/terms

Note: QR codes are generated locally using an embedded JavaScript library (qrcode.min.js). No external QR code generation services are used. All SMS messages are sent through your own Android phone – the SMSTunnel server only acts as a relay to connect WordPress with your phone.

Installation

  1. Upload the plugin to /wp-content/plugins/
  2. Activate the plugin
  3. Go to SMSTunnel > Quick Setup
  4. Download the SMSTunnel app and scan the QR code

Reviews

There are no reviews for this plugin.

Contributors & Developers

“SMSTunnel” is open source software. The following people have contributed to this plugin.

Contributors

Translate “SMSTunnel” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

1.0.6

  • Security: Added nonce validation (check_ajax_referer) to all nopriv AJAX endpoints including 2FA login and phone setup
  • Security: Fixed DOM XSS in quick-setup.js, social-login.js, and admin-settings.js – all server/URL data now uses .text() instead of .html()
  • Security: Escaped all remaining unescaped outputs in SMS history table
  • Security: API key verification now uses X-API-Key header and configurable server URL (consistent with rest of plugin)
  • Fix: Corrected AJAX action name mismatch for API key verification
  • Documentation: Added SMSTunnel Authentication section to External Services (auth endpoints)

1.0.5

  • Security: Moved all inline JavaScript to external files using wp_enqueue_script and wp_localize_script
  • Security: Added OAuth state parameter validation to prevent CSRF attacks on OAuth callback
  • Security: REST API /setup-callback now validates site_token in permission_callback instead of callback body
  • Security: Removed all wp_add_inline_script calls – all scripts now in external .js files
  • Code: Added $request parameter to all REST API permission_callback methods for PHP 8+ compatibility

1.0.4

  • Documentation: Updated External Services section with complete service documentation

1.0.3

  • Security: Replaced __return_true with documented custom permission_callback methods

1.0.2

  • Security: Replaced inline scripts with wp_add_inline_script for proper enqueueing
  • Security: Fixed XSS vulnerabilities by using textContent instead of innerHTML for server responses
  • Security: Removed external QR code generation services (Google Charts, QR Server API) – all QR codes now generated locally
  • Security: Improved escaping for all JavaScript strings using esc_js()
  • Documentation: Updated External Services section to accurately reflect service usage

1.0.1

  • Security: Added sanitization callbacks for all settings
  • Security: Fixed escape output for translatable strings
  • Security: Database queries now use prepared statements
  • Security: Changed wp_redirect to wp_safe_redirect
  • Security: Changed mt_rand to wp_rand
  • Compatibility: Tested up to WordPress 6.7.1

1.0.0

  • Initial release

Meta

Ratings

No reviews have been submitted yet.

Your review

See all reviews

Support

Got something to say? Need help?

View support forum