Really Simple Security logo

Log out
Get PRO

Latest

Input validation vulnerability in WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc 6.2.0

  • Severity: medium-risk
  • Status: Open
  • Publication: July 7, 2023

The WP SMS plugin for WordPress is vulnerable to a type of attack called Cross-Site Request Forgery in older versions up to and including version 6.1.5. This is because it lacks proper safety measures known as nonce validation on the unSubscriberNumberByUrlAction function. This means that unauthorized attackers could unsubscribe users without their knowledge if they can get a site administrator to perform an action like clicking a link.

Detected in:

WP SMS – Messaging, SMS & MMS Notifications, 2FA & OTP for WordPress, WooCommerce, GravityForms, etc fixed vulnerable versions:
WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More fixed vulnerable versions:
WP SMS – Ultimate SMS & MMS Notifications, OTP, 2FA, and WooCommerce & Forms Integrations fixed vulnerable versions:
WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce fixed vulnerable versions:
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc open vulnerable versions: >= * < 6.2.0

This information is sourced from www.wpvulnerability.com. An open-source database of vulnerabilities maintained by the community. Help us out by submitting vulnerabilities!

Version compare shows which versions have a vulnerability. For example: >= 2.2.8 <= 2.2.21 means:

> from 2.2.8
= including 2.2.8 & 2.2.21
< to 2.2.21

  • Incorrect?

Is this information incorrect? Please leave us a message.