Title: SMSTunnel
Author: nicunarcisbodea
Published: <strong>April 6, 2026</strong>
Last modified: April 6, 2026

---

Search plugins

![](https://ps.w.org/smstunnel/assets/icon.svg?rev=3500086)

# SMSTunnel

 By [nicunarcisbodea](https://profiles.wordpress.org/nicunarcisbodea/)

[Download](https://downloads.wordpress.org/plugin/smstunnel.1.0.6.zip)

 * [Details](https://wordpress.org/plugins/smstunnel/#description)
 * [Reviews](https://wordpress.org/plugins/smstunnel/#reviews)
 *  [Installation](https://wordpress.org/plugins/smstunnel/#installation)
 * [Development](https://wordpress.org/plugins/smstunnel/#developers)

 [Support](https://wordpress.org/support/plugin/smstunnel/)

## Description

SMSTunnel transforms your Android phone into a powerful SMS gateway for WordPress.

#### Key Features

 * Use Your Own Phone – No third-party SMS gateway costs
 * Two-Factor Authentication – Secure WordPress login with SMS 2FA
 * End-to-End Encryption – Messages encrypted with RSA keys
 * Quick Setup – Scan QR code from the mobile app

### External Services

This plugin connects to external services to provide certain functionality. Below
are the details of each service:

#### SMSTunnel API

 * **Purpose**: Core service that enables the plugin to communicate with the SMSTunnel
   mobile app for sending SMS messages from your phone
 * **When data is sent**: During Quick Setup (when pairing via QR code), when sending
   SMS messages, and when verifying API connections
 * **Data sent**:
    - During setup: Site URL, site token (random identifier), admin email (for account
      creation)
    - When sending SMS: Phone number, message content (encrypted if E2E is enabled),
      API key for authentication
 * **Service provider**: SMSTunnel.io (NARBOWEB SRL)
 * **Privacy Policy**: https://smstunnel.io/privacy
 * **Terms of Service**: https://smstunnel.io/terms

#### SMSTunnel Authentication

 * **Purpose**: Optional sign-in via Google, Facebook, or email to link your SMSTunnel
   account with WordPress
 * **When data is sent**: Only when the admin uses the “Connect with Google/Facebook/
   Email” options on the plugin settings page
 * **Data sent**:
    - Google/Facebook: Redirects to smstunnel.io/auth/google or smstunnel.io/auth/
      facebook with a callback URL and CSRF state token
    - Email login: Email and password sent to smstunnel.io/api/v1/auth/login
    - After authentication: Fetches user profile from smstunnel.io/auth/me and creates
      an API key via smstunnel.io/api/v1/api-keys
 * **Service provider**: SMSTunnel.io (NARBOWEB SRL)
 * **Privacy Policy**: https://smstunnel.io/privacy
 * **Terms of Service**: https://smstunnel.io/terms

**Note**: QR codes are generated locally using an embedded JavaScript library (qrcode.
min.js). No external QR code generation services are used. All SMS messages are 
sent through your own Android phone – the SMSTunnel server only acts as a relay 
to connect WordPress with your phone.

## Installation

 1. Upload the plugin to /wp-content/plugins/
 2. Activate the plugin
 3. Go to SMSTunnel > Quick Setup
 4. Download the SMSTunnel app and scan the QR code

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“SMSTunnel” is open source software. The following people have contributed to this
plugin.

Contributors

 *   [ nicunarcisbodea ](https://profiles.wordpress.org/nicunarcisbodea/)
 *   [ narcisbodea ](https://profiles.wordpress.org/narcisbodea/)

[Translate “SMSTunnel” into your language.](https://translate.wordpress.org/projects/wp-plugins/smstunnel)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/smstunnel/), check 
out the [SVN repository](https://plugins.svn.wordpress.org/smstunnel/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/smstunnel/) by [RSS](https://plugins.trac.wordpress.org/log/smstunnel/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.6

 * Security: Added nonce validation (check_ajax_referer) to all nopriv AJAX endpoints
   including 2FA login and phone setup
 * Security: Fixed DOM XSS in quick-setup.js, social-login.js, and admin-settings.
   js – all server/URL data now uses .text() instead of .html()
 * Security: Escaped all remaining unescaped outputs in SMS history table
 * Security: API key verification now uses X-API-Key header and configurable server
   URL (consistent with rest of plugin)
 * Fix: Corrected AJAX action name mismatch for API key verification
 * Documentation: Added SMSTunnel Authentication section to External Services (auth
   endpoints)

#### 1.0.5

 * Security: Moved all inline JavaScript to external files using wp_enqueue_script
   and wp_localize_script
 * Security: Added OAuth state parameter validation to prevent CSRF attacks on OAuth
   callback
 * Security: REST API /setup-callback now validates site_token in permission_callback
   instead of callback body
 * Security: Removed all wp_add_inline_script calls – all scripts now in external.
   js files
 * Code: Added $request parameter to all REST API permission_callback methods for
   PHP 8+ compatibility

#### 1.0.4

 * Documentation: Updated External Services section with complete service documentation

#### 1.0.3

 * Security: Replaced __return_true with documented custom permission_callback methods

#### 1.0.2

 * Security: Replaced inline scripts with wp_add_inline_script for proper enqueueing
 * Security: Fixed XSS vulnerabilities by using textContent instead of innerHTML
   for server responses
 * Security: Removed external QR code generation services (Google Charts, QR Server
   API) – all QR codes now generated locally
 * Security: Improved escaping for all JavaScript strings using esc_js()
 * Documentation: Updated External Services section to accurately reflect service
   usage

#### 1.0.1

 * Security: Added sanitization callbacks for all settings
 * Security: Fixed escape output for translatable strings
 * Security: Database queries now use prepared statements
 * Security: Changed wp_redirect to wp_safe_redirect
 * Security: Changed mt_rand to wp_rand
 * Compatibility: Tested up to WordPress 6.7.1

#### 1.0.0

 * Initial release

## Meta

 *  Version **1.0.6**
 *  Last updated **5 days ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 5.0 or higher **
 *  Tested up to **6.9.4**
 *  PHP version ** 7.4 or higher **
 * Tags
 * [2FA](https://wordpress.org/plugins/tags/2fa/)[gateway](https://wordpress.org/plugins/tags/gateway/)
   [Notifications](https://wordpress.org/plugins/tags/notifications/)[sms](https://wordpress.org/plugins/tags/sms/)
   [two factor authentication](https://wordpress.org/plugins/tags/two-factor-authentication/)
 *  [Advanced View](https://wordpress.org/plugins/smstunnel/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/smstunnel/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/smstunnel/reviews/)

## Contributors

 *   [ nicunarcisbodea ](https://profiles.wordpress.org/nicunarcisbodea/)
 *   [ narcisbodea ](https://profiles.wordpress.org/narcisbodea/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/smstunnel/)