Description
WordPress International SMS for Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inject malicious scripts through the page parameter in class-sms-log-display.php to execute arbitrary JavaScript in administrator browsers.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross-site scripting flaw in the page parameter of the admin settings interface of WordPress International SMS for Contact Form 7 Integration version 1.2. Attackers can inject malicious scripts via the page parameter in class-sms-log-display.php, which causes arbitrary JavaScript to execute in an administrator’s browser. A crafted URL containing malicious payloads can be delivered to a logged-in administrator, enabling the attacker to manipulate the site’s interface, steal session cookies or credentials, or perform other client-side attacks.

Affected Systems

The affected product is the WordPress plugin International Sms For Contact Form by Varun Sridharan. The vulnerability exists in version 1.2 of the plugin.

Risk and Exploitability

The vulnerability is a CWE-79 reflected XSS flaw. The CVSS score of 5.1 indicates a moderate severity vulnerability. The EPSS score is < 1%, indicating a very low exploitation probability, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is reflected: an attacker must provide a crafted URL to an administrator who is logged into the WordPress admin panel. Successful exploitation would allow the attacker to execute arbitrary JavaScript within the administrator’s browser session, potentially leading to credential theft, defacement, or other malicious actions.

Generated by OpenCVE AI on May 26, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the International SMS for Contact Form plugin to a version that includes the XSS fix, once the vendor provides one
  • If an immediate update is not possible, restrict access to the plugin’s admin settings interface so that only trusted administrators with strong authentication can reach it; consider applying a Web Application Firewall or Content Security Policy to block reflected scripts
  • In the absence of an official patch, modify the handling of the page parameter in class-sms-log-display.php to sanitize or escape the value before outputting it to the page

Generated by OpenCVE AI on May 26, 2026 at 15:13 UTC.
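
The last two recommended actions, sketched as an added example (not code from the plugin, its author or OpenCVE): a must-use plugin that rejects a `page` value that cannot be a menu slug before any admin screen renders it, plus the output-side escaping the plugin itself would need. The file name, function names, allow-list pattern and hidden-field markup are assumptions, since the plugin's source is not shown on this page.

```php
<?php
/**
 * Plugin Name: Admin "page" parameter guard (added example, hypothetical)
 * Assumed location: wp-content/mu-plugins/page-param-guard.php
 */

// Assumption: admin menu slugs on this site use only letters, digits,
// "_", "-", "." and "/" (the last two cover file-style slugs).
const PAGE_GUARD_ALLOWED = '/\A[A-Za-z0-9_.\/-]{1,128}\z/';

/** True when $value is a plain string that looks like an admin menu slug. */
function page_guard_is_valid_slug( $value ) {
	return is_string( $value ) && 1 === preg_match( PAGE_GUARD_ALLOWED, $value );
}

/** Stop-gap: refuse the request when any copy of `page` fails the allow-list. */
function page_guard_check_request() {
	if ( ! is_admin() ) {
		return;
	}
	// Check GET and POST separately: a plugin may read either one directly.
	foreach ( array( $_GET, $_POST ) as $source ) {
		if ( ! isset( $source['page'] ) ) {
			continue;
		}
		$value = $source['page'];
		if ( is_string( $value ) ) {
			$value = wp_unslash( $value ); // WordPress adds slashes to request data.
		}
		if ( ! page_guard_is_valid_slug( $value ) ) {
			// Static message only: never reflect the rejected value.
			wp_die( 'Invalid page parameter.', 'Bad Request', array( 'response' => 400 ) );
		}
	}
}
// admin_init runs before the admin screen's callback produces any markup.
add_action( 'admin_init', 'page_guard_check_request', 0 );

/**
 * Output-side fix inside the plugin (hypothetical markup): sanitize on input,
 * escape for the HTML attribute context at the point of output.
 */
function page_guard_render_hidden_page_field() {
	$page = isset( $_REQUEST['page'] )
		? sanitize_text_field( wp_unslash( $_REQUEST['page'] ) )
		: '';
	printf( '<input type="hidden" name="page" value="%s" />', esc_attr( $page ) );
}
```

The guard only narrows what reaches the vulnerable screen; the escaping at output is the actual fix and still has to be applied in the plugin.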

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type: Description
Values Removed: WordPress International Sms For Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inject malicious scripts through the page parameter in class-sms-log-display.php to execute arbitrary JavaScript in administrator browsers.
Values Added: WordPress International SMS for Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inject malicious scripts through the page parameter in class-sms-log-display.php to execute arbitrary JavaScript in administrator browsers.

Mon, 11 May 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 21:45:00 +0000

Type: First Time appeared
Values Added: Varun Sridharan; Varun Sridharan international Sms For Contact Form; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Varun Sridharan; Varun Sridharan international Sms For Contact Form; Wordpress; Wordpress wordpress

Sun, 10 May 2026 12:45:00 +0000

Type: Description
Values Added: WordPress International Sms For Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inject malicious scripts through the page parameter in class-sms-log-display.php to execute arbitrary JavaScript in administrator browsers.

Type: Title
Values Added: WordPress International Sms Contact Form 7 Integration 1.2 XSS

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added:
cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T11:51:47.125Z

Reserved: 2026-01-11T13:34:26.332Z

Link: CVE-2022-50960

Vulnrichment

Updated: 2026-05-11T13:16:01.334Z

NVD

Status: Deferred

Published: 2026-05-10T13:16:33.697

Modified: 2026-05-26T14:16:26.123

Link: CVE-2022-50960

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T15:15:08Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')