Description
WordPress International Sms For Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inject malicious scripts through the page parameter in class-sms-log-display.php to execute arbitrary JavaScript in administrator browsers.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CWE-79 reflected cross-site scripting flaw located in the admin settings interface of the WordPress International SMS for Contact Form plugin. An attacker can inject malicious JavaScript into the page parameter of class-sms-log-display.php. When an administrator visits a crafted URL containing the malicious payload, the script runs in that administrator’s browser, allowing the attacker to manipulate the site’s interface, steal session cookies or credentials, or perform other client-side attacks.

Affected Systems

The affected product is the WordPress plugin International Sms For Contact Form by Varun Sridharan. The vulnerability exists in version 1.2 of the plugin.

Risk and Exploitability

The vulnerability is a CWE-79 reflected XSS flaw. The CVSS score of 5.1 indicates a moderate severity vulnerability. No EPSS data is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is reflected: an attacker must provide a crafted URL to an administrator who is logged into the WordPress admin panel. Successful exploitation would allow the attacker to execute arbitrary JavaScript within the administrator’s browser session, potentially leading to credential theft, defacement, or other malicious actions.

Generated by OpenCVE AI on May 10, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the International SMS for Contact Form plugin to the latest version that includes the XSS fix
  • If an immediate update is not possible, restrict access to the plugin’s admin settings interface so that only trusted administrators with strong authentication can reach it; consider applying a Web Application Firewall or Content Security Policy to block reflected scripts
  • In the absence of an official patch, modify the handling of the page parameter in class-sms-log-display.php to sanitize or escape the value before outputting it to the page
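
One way to apply the last recommendation, shown as an added example that is not the plugin's code. It assumes the log screen echoes the page request parameter into a hidden form field; the render_page_field_* names are hypothetical, and the stand-in functions only exist so the file runs outside WordPress (inside WordPress the core sanitize_key(), wp_unslash() and esc_attr() are used).

```php
<?php
// Added illustration; not taken from class-sms-log-display.php.

// Stand-ins so this runs outside WordPress; skipped when core is loaded.
if (!function_exists('wp_unslash')) {
    function wp_unslash($v) { return is_string($v) ? stripslashes($v) : $v; }
}
if (!function_exists('sanitize_key')) {
    function sanitize_key($k) {
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $k));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($t) { return htmlspecialchars((string) $t, ENT_QUOTES, 'UTF-8'); }
}

// Pattern that yields reflected XSS: the request value is written into
// an attribute unchanged, so a quote in it ends the attribute.
function render_page_field_unsafe(array $request): string {
    $page = $request['page'] ?? '';
    return '<input type="hidden" name="page" value="' . $page . '" />';
}

// Hardened form: reject non-strings (page[]=...), undo WordPress slashing,
// reduce to the admin-slug character set, then escape for attribute context.
function render_page_field_safe(array $request): string {
    $raw  = $request['page'] ?? '';
    $page = is_string($raw) ? sanitize_key(wp_unslash($raw)) : '';
    return '<input type="hidden" name="page" value="' . esc_attr($page) . '" />';
}

// Constructed sample input: a harmless marker tag after a quote break.
$sample = ['page' => 'sms-log"><b id=marker>'];

echo render_page_field_unsafe($sample), PHP_EOL; // marker tag lands in the markup
echo render_page_field_safe($sample), PHP_EOL;   // value stays inside the attribute
```

Escaping at output is the part that closes the hole; sanitize_key() is defence in depth and is only appropriate because an admin page slug is expected to be lowercase letters, digits, underscores and hyphens.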

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Varun Sridharan; Varun Sridharan international Sms For Contact Form; Wordpress; Wordpress wordpress
Vendors & Products | | Varun Sridharan; Varun Sridharan international Sms For Contact Form; Wordpress; Wordpress wordpress

Sun, 10 May 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | WordPress International Sms For Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inject malicious scripts through the page parameter in class-sms-log-display.php to execute arbitrary JavaScript in administrator browsers.
Title | | WordPress International Sms Contact Form 7 Integration 1.2 XSS
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T13:24:14.670Z

Reserved: 2026-01-11T13:34:26.332Z

Link: CVE-2022-50960

Vulnrichment

Updated: 2026-05-11T13:16:01.334Z

NVD

Status: Received

Published: 2026-05-10T13:16:33.697

Modified: 2026-05-10T13:16:33.697

Link: CVE-2022-50960

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:23:51Z

Weaknesses