Is WordPress affected by CVE-2026-28136?

A SQL injection vulnerability in the WP SMS plugin (versions through 6.9.12) poses a direct threat to WordPress environments using this plugin, potentially allowing attackers to access, modify, or delete sensitive database records including customer data and communications logs.

CVE-2026-28136

Q: How to fix CVE-2026-28136?

Within 24 hours: Audit all WordPress instances for WP SMS plugin installation and version; disable the plugin if not actively required or isolate affected systems from public internet access. Within 7 days: Implement Web Application Firewall (WAF) rules to block SQL injection patterns targeting the WP SMS plugin parameters; document all affected systems and notify stakeholders of the risk. Within 30 days: Monitor vendor communications for patch availability and establish a deployment plan; evaluate alternative SMS plugins or custom solutions if VeronaLabs does not release a timely patch.

HIGH

2026-02-26 [email protected]

7.6

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 26, 2026 - 09:16 nvd

HIGH 7.6

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection.This issue affects WP SMS: from n/a through <= 6.9.12.

Analysis

The WP SMS plugin for WordPress through version 6.9.12 contains an SQL injection vulnerability that allows high-privileged authenticated users to manipulate database queries and extract sensitive information. An attacker with administrative credentials could exploit this to read arbitrary data from the WordPress database, potentially compromising user information and site configuration. …

Remediation

Within 24 hours: Audit all WordPress instances for WP SMS plugin installation and version; disable the plugin if not actively required or isolate affected systems from public internet access. Within 7 days: Implement Web Application Firewall (WAF) rules to block SQL injection patterns targeting the WP SMS plugin parameters; document all affected systems and notify stakeholders of the risk. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

CVE-2026-28136 vulnerability details – vuln.today

Back

CVE-2026-28136

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-28136

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code