Really Simple Security logo

Log out
Get PRO

Latest

Input validation vulnerability in WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc 6.1.4

  • Severity: medium-risk
  • Status: Open
  • Publication: May 15, 2023

The WP SMS plugin for WordPress, up to and including version 6.1.4, is vulnerable to a type of attack called Reflected Cross-Site Scripting. This type of attack happens when an attacker injects malicious code into a website. In this case, the malicious code is injected through a parameter called ‘delete_mobile’ on the plugin. When a user visits a page with the injected code, the malicious code will execute, potentially allowing the attacker to access the user’s information. To prevent this type of attack, it is important to ensure that input is sanitized and output is escaped.

Detected in:

WP SMS – Messaging, SMS & MMS Notifications, 2FA & OTP for WordPress, WooCommerce, GravityForms, etc fixed vulnerable versions:
WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More fixed vulnerable versions:
WP SMS – Ultimate SMS & MMS Notifications, OTP, 2FA, and WooCommerce & Forms Integrations fixed vulnerable versions:
WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce fixed vulnerable versions:
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc open vulnerable versions: >= * <= 6.1.4

This information is sourced from www.wpvulnerability.com. An open-source database of vulnerabilities maintained by the community. Help us out by submitting vulnerabilities!

Version compare shows which versions have a vulnerability. For example: >= 2.2.8 <= 2.2.21 means:

> from 2.2.8
= including 2.2.8 & 2.2.21
< to 2.2.21

  • Incorrect?

Is this information incorrect? Please leave us a message.