WP Beacon

WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce

wp-sms · by veronalabs · wordpress.org ↗ · SVN ↗
Active installs
7k+
Current version
7.2.4
Added
2012-03-12
Last updated
2026-04-15 (17d ago)
First seen by beacon
11d ago
Total downloads
743,383

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · false_positive_legit_ip_use 2026-04-30 15:25:29 (2d ago)
Slugwp-sms
Patternhardcoded_ip_url
Kindbuiltin
Version7.2.4
Hit count7
First hit
File
includes/gateways/class-wpsms-gateway-onlinepanel.php
Line
9
Snippet
private $wsdl_link = "http://87.107.121.52/post/send.asmx?WSDL";
Explanationplugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
View raw JSON
{
    "slug": "wp-sms",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "7.2.4",
    "hit_count": 7,
    "first_hit": {
        "file": "includes/gateways/class-wpsms-gateway-onlinepanel.php",
        "line": 9,
        "snippet": "private $wsdl_link = \"http://87.107.121.52/post/send.asmx?WSDL\";"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}

SVN committers (2)

Accounts with actual commit access to wp-sms on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
Mostafa Soufi 2009-03-30 461 2012-03-12 · r517840 2026-04-15 · r3506622
plugin-master 2007-03-09 1 2012-02-06 · r500989 2012-02-06 · r500989

Readme contributors (3)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
Mostafa Soufi 2009-03-30 Active
Navid Kashani 2008-11-01 Active
VeronaLabs 2020-10-27 Active

Versions (100 most recent)

Version Released Download
7.2.4 2026-04-15 · 17d ago zip
7.2.3 2026-04-09 · 23d ago zip
7.2.2 2026-04-09 · 23d ago zip
7.2.1 2026-03-17 · 1mo ago zip
7.2 2026-03-08 · 1mo ago zip
7.1.1 2026-01-28 · 3mo ago zip
7.1 2025-12-16 · 4mo ago zip
7.0.10 2025-12-01 · 5mo ago zip
7.0.9 2025-11-26 · 5mo ago zip
7.0.8 2025-11-23 · 5mo ago zip
7.0.7 2025-11-23 · 5mo ago zip
7.0.6 2025-11-19 · 5mo ago zip
7.0.5 2025-11-13 · 5mo ago zip
7.0.4 2025-11-02 · 6mo ago zip
7.0.3 2025-09-16 · 7mo ago zip
7.0.2 2025-08-18 · 8mo ago zip
7.0.1 2025-08-18 · 8mo ago zip
7.0 2025-07-09 · 9mo ago zip
6.9.12 2025-03-31 · 1y ago zip
6.9.11 2025-02-25 · 1y ago zip
6.9.10 2025-01-22 · 1y ago zip
6.9.9 2024-12-23 · 1y ago zip
6.9.8 2024-11-24 · 1y ago zip
6.9.7 2024-10-27 · 1y ago zip
6.9.6 2024-09-30 · 1y ago zip
6.9.5 2024-09-18 · 1y ago zip
6.9.4.1 2024-08-21 · 1y ago zip
6.9.4 2024-08-21 · 1y ago zip
6.9.3 2024-07-30 · 1y ago zip
6.9.2 2024-06-24 · 1y ago zip
6.9.1 2024-05-31 · 1y ago zip
6.9 2024-05-12 · 1y ago zip
6.8.1 2024-04-08 · 2y ago zip
6.8 2024-04-07 · 2y ago zip
6.7.1 2024-03-20 · 2y ago zip
6.7 2024-03-16 · 2y ago zip
6.6.3 2024-03-13 · 2y ago zip
6.6.2 2024-03-12 · 2y ago zip
6.6.1 2024-03-08 · 2y ago zip
6.6 2024-03-06 · 2y ago zip
6.5.5 2024-02-27 · 2y ago zip
6.5.4 2024-02-11 · 2y ago zip
6.5.3 2024-01-17 · 2y ago zip
6.5.2 2024-01-10 · 2y ago zip
6.5.1 2023-12-28 · 2y ago zip
6.5 2023-12-19 · 2y ago zip
6.4.2 2023-12-03 · 2y ago zip
6.4.1 2023-11-19 · 2y ago zip
6.4 2023-11-13 · 2y ago zip
6.3.4 2023-10-17 · 2y ago zip
6.3.3 2023-10-08 · 2y ago zip
6.3.2 2023-09-27 · 2y ago zip
6.3.1 2023-09-25 · 2y ago zip
6.3 2023-09-23 · 2y ago zip
6.2.4.1 2023-09-09 · 2y ago zip
6.2.4 2023-09-08 · 2y ago zip
6.2.3 2023-08-10 · 2y ago zip
6.2.2 2023-07-26 · 2y ago zip
6.2.1 2023-07-18 · 2y ago zip
6.2.0.2 2023-07-09 · 2y ago zip
6.2.0.1 2023-07-08 · 2y ago zip
6.2.0 2023-07-04 · 2y ago zip
6.1.5 2023-05-13 · 2y ago zip
6.1.4 2023-04-16 · 3y ago zip
6.1.3 2023-04-01 · 3y ago zip
6.1.2 2023-03-21 · 3y ago zip
6.1.1 2023-03-14 · 3y ago zip
6.1 2023-03-12 · 3y ago zip
6.0.4.1 2023-03-02 · 3y ago zip
6.0.4 2023-02-03 · 3y ago zip
6.0.3 2023-01-28 · 3y ago zip
6.0.2 2023-01-23 · 3y ago zip
6.0.1 2023-01-21 · 3y ago zip
6.0 2023-01-21 · 3y ago zip
5.9.1 2022-12-18 · 3y ago zip
5.9 2022-12-13 · 3y ago zip
5.8.5 2022-11-23 · 3y ago zip
5.8.4 2022-11-06 · 3y ago zip
5.8.3 2022-10-23 · 3y ago zip
5.8.2 2022-09-17 · 3y ago zip
5.8.1 2022-09-16 · 3y ago zip
5.8.0 2022-09-11 · 3y ago zip
5.7.9 2022-08-19 · 3y ago zip
5.7.8 2022-08-05 · 3y ago zip
5.7.7 2022-07-17 · 3y ago zip
5.7.6 2022-07-04 · 3y ago zip
5.7.5.1 2022-06-16 · 3y ago zip
5.7.5 2022-06-12 · 3y ago zip
5.7.4 2022-05-25 · 3y ago zip
5.7.3.1 2022-05-07 · 3y ago zip
5.7.3 2022-05-05 · 3y ago zip
5.7.2.2 2022-04-24 · 4y ago zip
5.7.2.1 2022-04-15 · 4y ago zip
5.7.2 2022-04-12 · 4y ago zip
5.7.1 2022-03-16 · 4y ago zip
5.7 2022-03-07 · 4y ago zip
5.6.9 2022-02-23 · 4y ago zip
5.6.8.1 2022-02-09 · 4y ago zip
5.6.8 2022-02-02 · 4y ago zip
5.6.7 2022-01-21 · 4y ago zip