CVE-2026-25343

WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce <= 7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 4.4
Severity: Medium
Patched in: 7.1.1
Time to patch: 17d

Description

The WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 7.1
Published: February 10, 2026
Last updated: February 26, 2026
Affected plugin: wp-sms

What Changed in the Fix

Changes introduced in v7.1.1


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-25343 (WSMS - Stored XSS)

1. Vulnerability Summary

The WSMS (WP SMS) plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 7.1. The vulnerability exists within the Outbox administrative interface, specifically in the Outbox_List_Table class.

The plugin fails to sanitize or escape the sender and response fields retrieved from the database before displaying them in the WordPress admin dashboard. This allows an authenticated administrator (or anyone with access to plugin settings) to inject malicious JavaScript. In environments where unfiltered_html is disabled (such as WordPress Multisite), this amounts to a privilege escalation: a restricted Administrator gains script execution in the browser of any user (including Super Admins) who views the SMS Outbox.

2. Attack Vector Analysis

  • Vulnerable Page: wp-admin/admin.php?page=wp-sms-outbox
  • Injection Point 1 (Sender): The sender field in the {prefix}sms_send table. This is populated by the sender_number setting in the plugin options.
  • Injection Point 2 (API Response): The response field in the {prefix}sms_send table. This is populated by the raw response body received from an SMS gateway.
  • Authentication: Administrator or higher
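The unescaped-output pattern described above, shown beside its hardened form, as an added example that is not the plugin's own code: only the class name Outbox_List_Table and the sender, response and sender_number fields come from this advisory; the subclass, method bodies, settings group and option name are assumptions for illustration.

```php
<?php
// Hypothetical reconstruction of the pattern behind CVE-2026-25343 (not the
// plugin's code). Column names follow the advisory; everything else is assumed.

if ( ! class_exists( 'WP_List_Table' ) ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-list-table.php';
}

class Outbox_List_Table_Example extends WP_List_Table {

    // Vulnerable pattern (for comparison only; WP_List_Table never calls this
    // name): the stored value is handed to the renderer verbatim, so anything
    // saved into `sender` or `response` is emitted as markup in the admin page.
    public function column_sender_unescaped( array $item ) {
        return $item['sender'];
    }

    // Hardened: escape at output. esc_html() neutralises <, >, &, " and ' so
    // the stored string is rendered as text and never parsed as HTML.
    public function column_sender( array $item ) {
        return esc_html( (string) $item['sender'] );
    }

    // The gateway response is untrusted third-party data. Escape it, and keep
    // the listing readable by truncating; the full body stays in the database.
    public function column_response( array $item ) {
        $body = (string) $item['response'];
        if ( strlen( $body ) > 200 ) {
            $body = substr( $body, 0, 200 ) . '...';
        }
        return esc_html( $body );
    }
}

// Defence in depth: also sanitise the option when it is saved, so the stored
// sender number cannot carry markup in the first place. The settings group and
// option name below are assumed; the advisory only names `sender_number`.
function example_register_sender_number_setting() {
    register_setting(
        'example_wp_sms_settings',          // assumed settings group
        'example_wp_sms_sender_number',     // assumed option name
        array( 'sanitize_callback' => 'sanitize_text_field' )
    );
}
add_action( 'admin_init', 'example_register_sender_number_setting' );
```

Output escaping is the fix that closes the reported issue; the input sanitisation only covers the option-driven sender field, not responses written by a gateway.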
