Description
The Verification SMS with TargetSMS plugin for WordPress is vulnerable to limited Remote Code Execution in all versions up to, and including, 1.5 via the 'targetvr_ajax_handler' function. This is due to a lack of validation on the type of function that can be called. This makes it possible for unauthenticated attackers to execute any callable function on the site, such as phpinfo().
Published: 2025-04-24
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Verification SMS with TargetSMS plugin for WordPress fails to validate which function may be invoked through the 'targetvr_ajax_handler' endpoint. As a result, unauthenticated attackers can supply an arbitrary callable and cause the server to execute any PHP function, including sensitive functions such as phpinfo(). This lets an attacker run code directly on the site, potentially exposing server details, reading files, or escalating privileges if additional weaknesses exist.

Affected Systems

All instances of the Verification SMS with TargetSMS plugin released by cajka, in versions up to and including 1.5. No later versions are mentioned in the data, so the risk applies to every release up to and including 1.5.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity, and the EPSS score of less than 1% suggests a very low exploitation probability at the time of analysis, although the endpoint is reachable by any unauthenticated visitor. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote HTTP request to the AJAX handler with parameters crafted to name an attacker-chosen function; this does not require authentication.

Generated by OpenCVE AI on April 21, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Verification SMS with TargetSMS plugin to the latest available version, or apply any vendor-provided patch that addresses the callable function validation issue.
  • If an immediate upgrade is not possible, disable the 'targetvr_ajax_handler' endpoint or restrict it so that only authenticated users can invoke it, for example by adding an authentication check or by configuring .htaccess or a firewall rule to block external access to the AJAX URL.
  • Implement a web application firewall rule that blocks or limits requests to the AJAX endpoint containing arbitrary function names, or that detects and rejects suspicious payloads, to mitigate the risk while a permanent fix is applied.
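The recommended fix, "validate the callable" and "add an authentication check", is easier to reason about with code in front of you. The following is an added illustration written for this page, not the plugin's own code: the hypothetical parameter names ('demo_op', 'phone', the 'nonce' field), the nonce action name and the demo_* helper functions are all assumptions. It contrasts the CWE-94 pattern the advisory describes (a handler that calls whatever function name the request supplies) with a hardened handler that dispatches through a fixed allowlist of operations, checks a WordPress nonce, and never lets the caller choose a function.

```php
<?php
// Added example for this advisory; NOT the plugin's code. All names are hypothetical.

// --- Vulnerable pattern: "lack of validation on the type of function that can be called" ---
// The request names a function and the handler calls it. is_callable() is not an
// allowlist: any defined PHP or WordPress function passes the check.
function demo_ajax_handler_unsafe() {
    $fn = isset($_POST['demo_fn']) ? $_POST['demo_fn'] : '';
    if (is_callable($fn)) {
        call_user_func($fn);   // attacker-chosen function executes
    }
    wp_die();
}

// --- Hardened pattern ---
// 1. Map a short operation name to a fixed set of known functions; the caller
//    never supplies a function name, only a key into this table.
// 2. Verify a nonce so the request must come from a page this plugin rendered.
// 3. Sanitize every input before it reaches the selected function.
function demo_ajax_handler_hardened() {
    // Hypothetical nonce action 'demo_verify'; check_ajax_referer() sends 403 and dies on failure.
    check_ajax_referer('demo_verify', 'nonce');

    $allowed = array(
        'send_code'  => 'demo_send_code',
        'check_code' => 'demo_check_code',
    );

    $op = isset($_POST['demo_op']) ? sanitize_key(wp_unslash($_POST['demo_op'])) : '';
    if (!isset($allowed[$op])) {
        // Unknown operation: reject instead of trying to resolve it to a function.
        wp_send_json_error(array('message' => 'unknown operation'), 400);
    }

    $phone  = isset($_POST['phone']) ? sanitize_text_field(wp_unslash($_POST['phone'])) : '';
    $code   = isset($_POST['code'])  ? sanitize_text_field(wp_unslash($_POST['code']))  : '';
    $result = call_user_func($allowed[$op], $phone, $code);   // only table values are ever called
    wp_send_json_success($result);
}

// Hypothetical operation implementations.
function demo_send_code($phone, $code) {
    return array('sent' => true, 'to' => $phone);
}
function demo_check_code($phone, $code) {
    return array('valid' => false);
}

// Register only the hardened handler. Keep the nopriv hook only if anonymous
// visitors legitimately need the operation (SMS verification at signup);
// otherwise drop it so the endpoint requires a logged-in user.
add_action('wp_ajax_demo_verify',        'demo_ajax_handler_hardened');
add_action('wp_ajax_nopriv_demo_verify', 'demo_ajax_handler_hardened');
```

The essential change is that the request no longer carries a function name at all. If the nopriv hook has to stay, the nonce check still ties each call to a page the plugin served, and the allowlist bounds what the endpoint can ever do regardless of who calls it.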

Advisories

Source: EUVD
ID: EUVD-2025-12130
Title: The Verification SMS with TargetSMS plugin for WordPress is vulnerable to limited Remote Code Execution in all versions up to, and including, 1.5 via the 'targetvr_ajax_handler' function. This is due to a lack of validation on the type of function that can be called. This makes it possible for unauthenticated attackers to execute any callable function on the site, such as phpinfo().

History

Thu, 24 Apr 2025 13:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 24 Apr 2025 08:45:00 +0000

Type: Description
Values Added: The Verification SMS with TargetSMS plugin for WordPress is vulnerable to limited Remote Code Execution in all versions up to, and including, 1.5 via the 'targetvr_ajax_handler' function. This is due to a lack of validation on the type of function that can be called. This makes it possible for unauthenticated attackers to execute any callable function on the site, such as phpinfo().

Type: Title
Values Added: Verification SMS with TargetSMS <= 1.5 - Unauthenticated Limited Remote Code Execution

Type: Weaknesses
Values Added: CWE-94

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:31.207Z

Reserved: 2025-04-17T17:19:49.099Z

Link: CVE-2025-3776

Vulnrichment

Updated: 2025-04-24T13:04:05.257Z

NVD

Status: Deferred

Published: 2025-04-24T09:15:31.890

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3776

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:15:45Z

Weaknesses