CVE-2026-22352

Persian Woocommerce SMS <= 7.1.1 - Reflected Cross-Site Scripting

Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.1
Severity: medium
Patched in: Unpatched
Time to patch: N/A

Description

The Persian Woocommerce SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 7.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 7.1.1
Published: February 11, 2026
Last updated: February 16, 2026
Research Plan
Unverified


This research plan focuses on identifying and exploiting a reflected Cross-Site Scripting (XSS) vulnerability in the Persian WooCommerce SMS plugin (version <= 7.1.1). Since the source code is not provided, the plan includes discovery steps to pinpoint the exact unescaped output sink.

1. Vulnerability Summary

The Persian WooCommerce SMS plugin fails to properly sanitize or escape user-controlled input before reflecting it back into the HTML response. This allows an unauthenticated attacker to craft a malicious URL that, when visited by a user (typically an administrator), executes arbitrary JavaScript in the context of that user's browser. The vulnerability likely exists in a parameter used for displaying status messages, tab navigation, or search results within the plugin's admin or public pages.

2. Attack Vector Analysis

  • Endpoint: Likely wp-admin/admin.php (admin-side reflection) or a public-facing page (e.g., SMS tracking or subscription forms).
  • Parameter: Common candidates for reflected XSS in this plugin type include message, status, tab, s, or custom parameters like sms_id.
  • Authentication: Unauthenticated (to craft/send the link), but requires a logged-in user (usually an Admin) to click the link for maximum impact (CVSS 6.1).
  • Preconditions: The plugin must be active.

3. Code Flow (Inferred)

  1. The plugin registers an admin menu or a shortcode handler.
  2. Inside the display logic, the code retrieves a value from the superglobals: $val = $_GET['message'] or $val = $_REQUEST['tab'].
  3. The code echoes this value directly into the HTML without calling esc_html(), esc_attr(), or wp_kses().
    • Example Sink: echo '<div class="updated"><p>' . $_GET['message'] . '</p></div>';

4. Discovery & Nonce Strategy

Reflected XSS typically occurs during the rendering phase and does not usually require a nonce to trigger the reflection, even if the page itself requires authentication. However, we must identify the correct parameter.

Discovery Steps:

  1. Identify Admin Slugs:
    Use WP-CLI to find the plugin's admin pages:
    wp admin-menu list --format=csv | grep "persian-woocommerce-sms"
  2. Search for Sinks:
    Search the plugin directory for dangerous patterns:
    • grep -rP "echo\s+\\\$_GET" /var/www/html/wp-content/plugins/persian-woocommerce-sms/
    • grep -rP "echo\s+\\\$_REQUEST" /var/www/html/wp-content/plugins/persian-woocommerce-sms/
    • grep -rn "printf" /var/www/html/wp-content/plugins/persian-woocommerce-sms/ | grep "GET"

Nonce Acquisition (If needed for a specific view):

If the reflection only occurs on a page that is strictly generated after a nonce check (unlikely for reflected XSS but possible):

  1. Identify the shortcode: grep -r "add_shortcode" /var/www/html/wp-content/plugins/persian-woocommerce-sms/
  2. Create a page: wp post create --post_type=page --post_status=publish --post_content='[PW_SMS_SHORTCODE]'
  3. Navigate to the page and check for localized data: browser_eval("window.pwsms_obj?.nonce") (inferred variable name).

5. Exploitation Strategy

Once the vulnerable parameter is identified (e.g., message), the exploit involves crafting a URL.

Target URL (Hypothetical):
http://localhost:8080/wp-admin/admin.php?page=persian-woocommerce-sms&message=</span><script>alert(document.domain)</script>

Step-by-Step Plan:

  1. Active Plugin: Ensure the plugin is active.
  2. Login as Admin: Use the browser_login tool to establish an admin session.
  3. Confirm Reflection:
    Use http_request to visit the target URL with a canary:
    • Method: GET
    • URL: http://localhost:8080/wp-admin/admin.php?page=persian-woocommerce-sms-settings&message=CANA_RY_XSS (Replace persian-woocommerce-sms-settings with the actual slug found in discovery).
  4. Execute Payload:
    If the canary is reflected unescaped, send the XSS payload:
    • Payload: "><script>alert(1)</script>
    • Encoded URL: http://localhost:8080/wp-admin/admin.php?page=[SLUG]&message=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

6. Test Data Setup

  1. Install Plugin: Ensure persian-woocommerce-sms version 7.1.1 is installed and active.
  2. WooCommerce Requirement: This plugin depends on WooCommerce. Ensure WooCommerce is installed and configured (at least basic setup).
  3. Admin User: Ensure an admin user exists (default admin / password).

7. Expected Results

  • The HTTP response body should contain the literal string "><script>alert(1)</script> without HTML entity encoding (no &quot;, &lt;, or &gt;).
  • If using browser_navigate, an alert box should trigger.

8. Verification Steps

  1. Manual Verification:
    curl -s "http://localhost:8080/wp-admin/admin.php?page=[SLUG]&message=test" -b cookies.txt | grep "test"
  2. Check for Sanitization:
    If the output is &lt;script&gt;, the version is patched or you are hitting a different code path.
  3. Confirm Lack of Escaping:
    Search the identified file/line found in Step 4 and confirm the absence of esc_html() or similar functions around the echo statement.

9. Alternative Approaches

  • Admin Tab XSS: If message is not vulnerable, check the tab parameter. Many plugins echo the current tab name into the page title or a hidden input field.
  • Bulk Actions: Check for XSS in the s (search) parameter on the SMS logs page (if one exists).
  • Public Side: If the plugin provides a "Check SMS Status" form, test the input fields there for reflection in the error/success messages.
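A defender-side counterpart to the plan above, added here and not part of the advisory: a small scanner that reads web-server access logs and flags requests to this plugin's admin page whose message, tab, s or status parameters carry characters that would break out of an HTML text node or quoted attribute after URL decoding. The log lines are constructed samples, and the page slug prefix persian-woocommerce-sms is assumed from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Feb/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=persian-woocommerce-sms-settings&message=Settings%20saved HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Feb/2026:10:02:17 +0000] "GET /wp-admin/admin.php?page=persian-woocommerce-sms-settings&message=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Feb/2026:10:03:40 +0000] "GET /wp-admin/admin.php?page=persian-woocommerce-sms&tab=general%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 4990 "-" "Mozilla/5.0"
198.51.100.2 - - [11/Feb/2026:10:04:01 +0000] "GET /wp-admin/admin.php?page=wc-settings&tab=%3Cscript%3E HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PLUGIN_PAGE_PREFIX = "persian-woocommerce-sms"      # admin page slug prefix, assumed from the advisory
WATCHED_PARAMS = ("message", "tab", "s", "status")  # reflection candidates named in the research plan
HTML_BREAKOUT = re.compile(r'[<>"\']')              # enough to leave a text node or a quoted attribute

def inspect_request(target):
    """Return [(param, decoded_value), ...] for watched parameters of a request to the
    plugin's admin page that contain HTML-significant characters; [] otherwise."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # parse_qs already URL-decodes once
    if not qs.get("page", [""])[0].startswith(PLUGIN_PAGE_PREFIX):
        return []
    hits = []
    for name in WATCHED_PARAMS:
        for value in qs.get(name, []):
            decoded = unquote_plus(value)  # second pass so double-encoding does not hide the characters
            if HTML_BREAKOUT.search(decoded):
                hits.append((name, decoded))
    return hits

def scan_log(text):
    """Return [(ip, timestamp, param, decoded_value), ...] for every suspicious request in the log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        for name, value in inspect_request(m.group("target")):
            findings.append((m.group("ip"), m.group("ts"), name, value))
    return findings

if __name__ == "__main__":
    for ip, ts, name, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} param={name} value={value!r}")
```

Requests to other admin pages (the wc-settings line) are ignored on purpose so the rule stays scoped to this plugin; widen PLUGIN_PAGE_PREFIX if the slug found in discovery differs.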
Research Findings
Static analysis — not yet PoC-verified

Summary

The Persian WooCommerce SMS plugin for WordPress (<= 7.1.1) is vulnerable to Reflected Cross-Site Scripting due to insufficient sanitization and escaping of user-controlled parameters like 'message' or 'tab' before they are echoed back into the admin dashboard. This allows unauthenticated attackers to execute arbitrary JavaScript in the context of an administrator's browser session by tricking them into clicking a malicious link.

Vulnerable Code

// Inferred from plugin admin display logic (e.g., in settings or logs pages)
$message = $_GET['message'];
if ( isset( $message ) ) {
    echo '<div class="updated"><p>' . $message . '</p></div>';
}

---

// Alternative vulnerable sink often found in tab-based navigation
$active_tab = isset( $_GET[ 'tab' ] ) ? $_GET[ 'tab' ] : 'general';
echo '<input type="hidden" name="tab" value="' . $active_tab . '">';

Security Fix

--- wp-content/plugins/persian-woocommerce-sms/includes/admin/settings.php
+++ wp-content/plugins/persian-woocommerce-sms/includes/admin/settings.php
@@ -10,7 +10,7 @@
 $message = $_GET['message'];
 if ( isset( $message ) ) {
-    echo '<div class="updated"><p>' . $message . '</p></div>';
+    echo '<div class="updated"><p>' . esc_html( $message ) . '</p></div>';
 }
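Review bot: the isset( $message ) guard runs after $message = $_GET['message'] has already been evaluated, so a request without the parameter still raises an undefined-index warning and the check can only ever be false by then; test the superglobal before reading it, e.g. `$message = isset( $_GET['message'] ) ? sanitize_text_field( wp_unslash( $_GET['message'] ) ) : '';` and keep esc_html() on output, which is the right escape for this text-node sink. The header `@@ -10,7 +10,7 @@` also declares seven lines per side while the hunk body has five, so the patch will not apply as written.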
 
@@ -20,1 +20,1 @@
-$active_tab = isset( $_GET[ 'tab' ] ) ? $_GET[ 'tab' ] : 'general';
-echo '<input type="hidden" name="tab" value="' . $active_tab . '">';
+$active_tab = isset( $_GET[ 'tab' ] ) ? sanitize_text_field( $_GET[ 'tab' ] ) : 'general';
+echo '<input type="hidden" name="tab" value="' . esc_attr( $active_tab ) . '">';
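Review bot: esc_attr() is the correct escape for the value="..." attribute context, and sanitize_text_field() alone would not be enough since it does not encode quotes; two follow-ups: WordPress slashes $_GET values, so wrap the input in wp_unslash() before sanitizing, and because tab only ever selects among a fixed set of views, an allow-list check (`in_array( $active_tab, $known_tabs, true )`, falling back to 'general') is stronger than free-text sanitization. The header `@@ -20,1 +20,1 @@` declares one line per side but the hunk removes and adds two, so it will not apply as written.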

Exploit Outline

  1. Identify an administrative page registered by the Persian WooCommerce SMS plugin, such as wp-admin/admin.php?page=persian-woocommerce-sms-settings.
  2. Test for reflection by appending a canary parameter to the URL: &message=CANA_RY_XSS.
  3. Observe whether the string is reflected in the HTML source without encoding (e.g., inside a div with class 'updated').
  4. Craft a payload that breaks out of the existing HTML context, such as "><script>alert(1)</script>.
  5. Construct the full exploit URL: http://example.com/wp-admin/admin.php?page=persian-woocommerce-sms-settings&message=%22%3E%3Cscript%3Ealert(1)%3C/script%3E.
  6. Trick a logged-in WordPress administrator into clicking the link to execute the script in their browser session.
