WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce <= 7.2.1 - Authenticated (Subscriber+) Information Exposure
Description
The WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Technical Details
What Changed in the Fix
Changes introduced in v7.2.2
Source Code
WordPress.org SVN
Research Plan: CVE-2026-40790 - WSMS (WP SMS) Information Exposure
Vulnerability Summary
The WSMS (formerly WP SMS) plugin for WordPress (versions <= 7.2.1) contains a sensitive information exposure vulnerability. The plugin's REST API endpoints, specifically those under the wpsms/v1 namespace, do not properly restrict access to authenticated users with low-level privileges (Subscriber role). This allows an attacker to extract sensitive data, including the SMS outbox (sent messages, recipient numbers, and content) and the subscriber list (names and phone numbers).
The vulnerability exists because the custom capabilities checked in the permission_callback of the REST routes (e.g., wpsms_subscribers and wpsms_outbox) are either granted to the Subscriber role by default in affected versions or the permission checks themselves were improperly implemented (e.g., defaulting to is_user_logged_in or lacking proper capability enforcement in the 7.2.1 source).
Attack Vector Analysis
- Endpoint: /wp-json/wpsms/v1/subscribers and /wp-json/wpsms/v1/outbox
- Method: GET
- Authentication: Authenticated (Subscriber level and above).
- Sensitive Data Exposed:
  - Subscribers: Full names, mobile phone numbers, registration dates, and group IDs.
  - Outbox: Sent
Summary
The WSMS (WP SMS) plugin for WordPress exposes sensitive information, including subscriber phone numbers and the SMS outbox, to authenticated users with low-privileged roles such as Subscriber. This occurs because the REST API endpoints for managing subscribers and outbox logs rely on custom capabilities that are incorrectly granted to the Subscriber role in vulnerable versions.
Vulnerable Code
```php
// includes/api/v1/class-wpsms-api-outbox.php line 115
public function checkPermission()
{
    return current_user_can('wpsms_outbox');
}
```

```php
// includes/api/v1/class-wpsms-api-subscribers.php line 204
public function checkPermission()
{
    return current_user_can('wpsms_subscribers');
}
```
Security Fix
@@ -177,7 +177,8 @@ public function getItems(WP_REST_Request $request) { $page = $request->get_param('page'); - $per_page = min($request->get_param('per_page'), 100); + $max_per_page = apply_filters('wp_sms_max_per_page', 100); + $per_page = min($request->get_param('per_page'), $max_per_page); $search = $request->get_param('search'); $status = $request->get_param('status'); $date_from = $request->get_param('date_from'); @@ -255,7 +256,8 @@ public function getItems(WP_REST_Request $request) { $page = $request->get_param('page'); - $per_page = min($request->get_param('per_page'), 100); + $max_per_page = apply_filters('wp_sms_max_per_page', 100); + $per_page = min($request->get_param('per_page'), $max_per_page); $search = $request->get_param('search'); $group_id = $request->get_param('group_id'); $status = $request->get_param('status');
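Review bot: The access-control problem is not addressed by the @@ -177 hunk in the outbox getItems(): checkPermission() and the capability grants that the advisory names as the root cause are untouched, and the only change is that the hard-coded per_page ceiling of 100 becomes the filterable `wp_sms_max_per_page` value. Confirm that the capability change is made in a separate commit before accepting this diff as the fix for the exposure.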
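Review bot: In the @@ -255 hunk in the subscribers getItems(), the value returned by the `wp_sms_max_per_page` filter is passed straight into min() without validation, so a filter callback returning 0, a negative number or a non-numeric value propagates into the query; suggest `$max_per_page = max(1, absint(apply_filters('wp_sms_max_per_page', 100)));` (the same applies to the @@ -177 hunk).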
Exploit Outline
To exploit this vulnerability, an attacker must first obtain any authenticated session (such as the Subscriber role). The attacker then sends a GET request to the plugin's REST API endpoints: `/wp-json/wpsms/v1/subscribers` for user data or `/wp-json/wpsms/v1/outbox` for SMS logs. Because the `permission_callback` checks for capabilities (`wpsms_subscribers` or `wpsms_outbox`) that are incorrectly assigned to low-privileged users, the server will return a JSON response containing sensitive information including full names, mobile phone numbers, and the content of sent SMS messages.
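A site-side mitigation for the capability grant described above, as an added example rather than the plugin's own fix: a must-use plugin that strips the two over-granted capabilities from the Subscriber role and, as defence in depth, refuses every wpsms/v1 REST route to users without manage_options, logging denied attempts for detection. The capability names and route namespace come from the advisory; the choice of manage_options as the bar is this example's assumption.

```php
<?php
/**
 * Plugin Name: Harden WP SMS REST routes (added example, not plugin code)
 * Place in wp-content/mu-plugins/. Assumes the plugin grants wpsms_outbox and
 * wpsms_subscribers to the Subscriber role and that manage_options is the
 * appropriate bar for reading outbox and subscriber data.
 */

// 1. Remove the over-granted capabilities from the Subscriber role.
//    Runs on every load because the plugin may re-add them on activation;
//    has_cap() guards the check so the roles option is only written when needed.
add_action('init', function () {
    $role = get_role('subscriber');
    if (!$role) {
        return;
    }
    foreach (['wpsms_outbox', 'wpsms_subscribers'] as $cap) {
        if ($role->has_cap($cap)) {
            $role->remove_cap($cap);
        }
    }
});

// 2. Defence in depth: block every wpsms/v1 route for users lacking
//    manage_options before the route's own permission_callback runs.
add_filter('rest_request_before_callbacks', function ($response, $handler, $request) {
    if (strpos($request->get_route(), '/wpsms/v1/') !== 0) {
        return $response; // not a WP SMS route, leave untouched
    }
    if (current_user_can('manage_options')) {
        return $response;
    }
    // Record the denied request so repeated probing can be alerted on.
    error_log(sprintf(
        'wpsms REST denied: user=%d route=%s ip=%s',
        get_current_user_id(),
        $request->get_route(),
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ));
    return new WP_Error(
        'rest_forbidden',
        __('You are not allowed to access WP SMS data.'),
        ['status' => 403]
    );
}, 10, 3);
```

Returning a WP_Error from rest_request_before_callbacks short-circuits the request, so the plugin's checkPermission() is never reached for non-administrators.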