Skip to main content

Wp Sms

9 CVEs product

Monthly

CVE-2026-40790 MEDIUM This Month

Sensitive SMS subscriber data exposure in the VeronaLabs WP SMS WordPress plugin (versions <= 7.2.1) permits authenticated subscriber-role users to access protected data through an authorization bypass path. The flaw, classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel), enables the lowest-privilege WordPress account tier to retrieve sensitive information - likely including phone numbers, message history, or subscriber records - that should be restricted to privileged roles. No public exploit code has been identified at time of analysis, and this CVE does not appear in CISA KEV, though the low attack complexity combined with open WordPress registration on many sites meaningfully lowers the real-world exploitation barrier.

Information Disclosure Wp Sms
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-43331 CRITICAL Act Now

Missing Authorization vulnerability in VeronaLabs WP SMS.9.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Wp Sms
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-34811 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS allows Stored XSS.5.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Wp Sms
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2024-30454 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in VeronaLabs WP SMS.6.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Wp Sms
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-25920 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS allows Stored XSS.3.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Wp Sms
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-24881 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS - Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Wp Sms
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2023-27447 MEDIUM This Month

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in VeronaLabs WP SMS - Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc.0.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress Wp Sms
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2023-32742 MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Wp Sms
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2021-24561 MEDIUM POC This Month

The WP SMS WordPress plugin before 5.4.13 does not sanitise the "wp_group_name" parameter before outputting it back in the "Groups" page, leading to an Authenticated Stored Cross-Site Scripting issue. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Sms
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive SMS subscriber data exposure in the VeronaLabs WP SMS WordPress plugin (versions <= 7.2.1) permits authenticated subscriber-role users to access protected data through an authorization bypass path. The flaw, classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel), enables the lowest-privilege WordPress account tier to retrieve sensitive information - likely including phone numbers, message history, or subscriber records - that should be restricted to privileged roles. No public exploit code has been identified at time of analysis, and this CVE does not appear in CISA KEV, though the low attack complexity combined with open WordPress registration on many sites meaningfully lowers the real-world exploitation barrier.

Information Disclosure Wp Sms
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Missing Authorization vulnerability in VeronaLabs WP SMS.9.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Wp Sms
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS allows Stored XSS.5.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Wp Sms
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in VeronaLabs WP SMS.6.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Wp Sms
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS allows Stored XSS.3.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Wp Sms
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS - Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Wp Sms
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in VeronaLabs WP SMS - Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc.0.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress Wp Sms
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Wp Sms
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The WP SMS WordPress plugin before 5.4.13 does not sanitise the "wp_group_name" parameter before outputting it back in the "Groups" page, leading to an Authenticated Stored Cross-Site Scripting issue. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Sms
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy