[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$flv33XjlzFA0RjCyj2Zf1xG9vZ0AN_fssMe9gG05TGUY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-40790","wsms-formerly-wp-sms-sms-mms-notifications-with-otp-and-2fa-for-woocommerce-authenticated-subscriber-information-exposur","WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce \u003C= 7.2.1 - Authenticated (Subscriber+) Information Exposure","The WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.","wp-sms",null,"\u003C=7.2.1","7.2.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-04-23 00:00:00","2026-04-30 15:08:45",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd7274e11-dcd4-471b-bfaf-ae90d0e4d7e6?source=api-prod",8,[22,23,24,25,26,27,28,29],"includes\u002Fadmin\u002Fsettings\u002Fclass-wpsms-settings.php","includes\u002Fapi\u002Fv1\u002Fclass-wpsms-api-admin-notices.php","includes\u002Fapi\u002Fv1\u002Fclass-wpsms-api-outbox.php","includes\u002Fapi\u002Fv1\u002Fclass-wpsms-api-subscribers.php","includes\u002Fclass-wpsms-newsletter.php","includes\u002Fclass-wpsms-rest-api.php","includes\u002Ftemplates\u002Fsubscribe-form.php","languages\u002Fwp-sms.pot","researched",false,3,"# Research Plan: CVE-2026-40790 - WSMS (WP SMS) Information Exposure\n\n## Vulnerability Summary\nThe **WSMS (formerly WP SMS)** plugin for WordPress (versions \u003C= 7.2.1) contains a sensitive information exposure vulnerability. The plugin's REST API endpoints, specifically those under the `wpsms\u002Fv1` namespace, do not properly restrict access to authenticated users with low-level privileges (Subscriber role). This allows an attacker to extract sensitive data, including the SMS outbox (sent messages, recipient numbers, and content) and the subscriber list (names and phone numbers).\n\nThe vulnerability exists because the custom capabilities checked in the `permission_callback` of the REST routes (e.g., `wpsms_subscribers` and `wpsms_outbox`) are either granted to the Subscriber role by default in affected versions or the permission checks themselves were improperly implemented (e.g., defaulting to `is_user_logged_in` or lacking proper capability enforcement in the 7.2.1 source).\n\n## Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Fwpsms\u002Fv1\u002Fsubscribers` and `\u002Fwp-json\u002Fwpsms\u002Fv1\u002Foutbox`\n- **Method:** `GET`\n- **Authentication:** Authenticated (Subscriber level and above).\n- **Sensitive Data Exposed:** \n    - **Subscribers:** Full names, mobile phone numbers, registration dates, and group IDs.\n    - **Outbox:** Sent","The WSMS (WP SMS) plugin for WordPress exposes sensitive information, including subscriber phone numbers and the SMS outbox, to authenticated users with low-privileged roles such as Subscriber. This occurs because the REST API endpoints for managing subscribers and outbox logs rely on custom capabilities that are incorrectly granted to the Subscriber role in vulnerable versions.","\u002F\u002F includes\u002Fapi\u002Fv1\u002Fclass-wpsms-api-outbox.php line 115\n    public function checkPermission()\n    {\n        return current_user_can('wpsms_outbox');\n    }\n\n---\n\n\u002F\u002F includes\u002Fapi\u002Fv1\u002Fclass-wpsms-api-subscribers.php line 204\n    public function checkPermission()\n    {\n        return current_user_can('wpsms_subscribers');\n    }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-sms\u002F7.2.1\u002Fincludes\u002Fapi\u002Fv1\u002Fclass-wpsms-api-outbox.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-sms\u002F7.2.2\u002Fincludes\u002Fapi\u002Fv1\u002Fclass-wpsms-api-outbox.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-sms\u002F7.2.1\u002Fincludes\u002Fapi\u002Fv1\u002Fclass-wpsms-api-outbox.php\t2026-03-08 08:32:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-sms\u002F7.2.2\u002Fincludes\u002Fapi\u002Fv1\u002Fclass-wpsms-api-outbox.php\t2026-04-09 06:53:58.000000000 +0000\n@@ -177,7 +177,8 @@\n     public function getItems(WP_REST_Request $request)\n     {\n         $page      = $request->get_param('page');\n-        $per_page  = min($request->get_param('per_page'), 100);\n+        $max_per_page = apply_filters('wp_sms_max_per_page', 100);\n+        $per_page  = min($request->get_param('per_page'), $max_per_page);\n         $search    = $request->get_param('search');\n         $status    = $request->get_param('status');\n         $date_from = $request->get_param('date_from');\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-sms\u002F7.2.1\u002Fincludes\u002Fapi\u002Fv1\u002Fclass-wpsms-api-subscribers.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-sms\u002F7.2.2\u002Fincludes\u002Fapi\u002Fv1\u002Fclass-wpsms-api-subscribers.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-sms\u002F7.2.1\u002Fincludes\u002Fapi\u002Fv1\u002Fclass-wpsms-api-subscribers.php\t2026-03-08 08:32:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-sms\u002F7.2.2\u002Fincludes\u002Fapi\u002Fv1\u002Fclass-wpsms-api-subscribers.php\t2026-04-09 06:53:58.000000000 +0000\n@@ -255,7 +256,8 @@\n     public function getItems(WP_REST_Request $request)\n     {\n         $page         = $request->get_param('page');\n-        $per_page     = min($request->get_param('per_page'), 100);\n+        $max_per_page = apply_filters('wp_sms_max_per_page', 100);\n+        $per_page     = min($request->get_param('per_page'), $max_per_page);\n         $search       = $request->get_param('search');\n         $group_id     = $request->get_param('group_id');\n         $status       = $request->get_param('status');","To exploit this vulnerability, an attacker must first obtain any authenticated session (such as the Subscriber role). The attacker then sends a GET request to the plugin's REST API endpoints: `\u002Fwp-json\u002Fwpsms\u002Fv1\u002Fsubscribers` for user data or `\u002Fwp-json\u002Fwpsms\u002Fv1\u002Foutbox` for SMS logs. Because the `permission_callback` checks for capabilities (`wpsms_subscribers` or `wpsms_outbox`) that are incorrectly assigned to low-privileged users, the server will return a JSON response containing sensitive information including full names, mobile phone numbers, and the content of sent SMS messages.","gemini-3-flash-preview","2026-05-04 18:45:56","2026-05-04 18:46:45",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","7.2.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-sms\u002Ftags\u002F7.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-sms.7.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-sms\u002Ftags\u002F7.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-sms.7.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-sms\u002Ftags"]