Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-reachable WordPress endpoint exploitable by any subscriber-level account; read-only impact with no integrity or availability consequence justifies C:H/I:N/A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Sensitive Data Exposure in WP SMS <= 7.2.1 versions.
AnalysisAI
Sensitive SMS subscriber data exposure in the VeronaLabs WP SMS WordPress plugin (versions <= 7.2.1) permits authenticated subscriber-role users to access protected data through an authorization bypass path. The flaw, classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel), enables the lowest-privilege WordPress account tier to retrieve sensitive information - likely including phone numbers, message history, or subscriber records - that should be restricted to privileged roles. No public exploit code has been identified at time of analysis, and this CVE does not appear in CISA KEV, though the low attack complexity combined with open WordPress registration on many sites meaningfully lowers the real-world exploitation barrier.
Technical ContextAI
WP SMS is a WordPress plugin by VeronaLabs (CPE: cpe:2.3:a:veronalabs:wp_sms:*:*:*:*:*:*:*:*) used for SMS marketing, subscriber management, and notification delivery within WordPress installations. The root cause is CWE-288 - Authentication Bypass Using an Alternate Path or Channel - meaning the plugin exposes a route (likely a REST API endpoint, AJAX handler, or admin-ajax action) that circumvents the WordPress capability-check system ordinarily enforced for privileged data access. WordPress's subscriber role is the lowest-privilege authenticated tier, typically auto-assigned to users who register on public-facing sites. By exploiting the alternate path, a subscriber bypasses the intended role-gating and gains read access to sensitive SMS data. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N confirms this is a network-reachable, low-complexity, read-only exploit with high confidentiality impact and no scope change to adjacent systems.
RemediationAI
Patch available per vendor advisory - administrators should update WP SMS beyond version 7.2.1 immediately; the exact remediation version is not independently confirmed in the available input data and should be verified against the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-sms/vulnerability/wordpress-wp-sms-plugin-7-2-1-sensitive-data-exposure-vulnerability before upgrading. As an interim compensating control for sites that cannot patch immediately, disabling open WordPress user registration (Settings > General > uncheck 'Anyone can register') closes the self-registration attack path for external actors, though it does not protect against insider threats or existing subscriber accounts and will prevent new public registrations. Auditing existing subscriber-role user accounts for unauthorized entries is also advisable. Temporarily deactivating the WP SMS plugin eliminates the vulnerable attack surface entirely but suspends all SMS functionality. Do not rely on network-perimeter controls alone, as PR:L exploitation requires only a valid session token accessible over standard HTTPS.
Missing Authorization vulnerability in VeronaLabs WP SMS.9.3. Rated critical severity (CVSS 9.8), this vulnerability is
The WP SMS WordPress plugin before 5.4.13 does not sanitise the "wp_group_name" parameter before outputting it back in t
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in VeronaLabs WP SMS - Messaging & SMS Notifica
Cross-Site Request Forgery (CSRF) vulnerability in VeronaLabs WP SMS.6.2. Rated medium severity (CVSS 4.3), this vulnera
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36993
GHSA-3rq6-78wc-q47c