Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS wp-sms allows DOM-Based XSS.This issue affects WP SMS: from n/a through <= 7.1.
Published: 2026-02-19
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting (DOM‑based)
Action: Apply patch
AI Analysis

Impact

The vulnerability is a DOM‑based cross‑site scripting flaw that allows attackers to inject malicious JavaScript into the victim’s browser context. By exploiting improper neutralization of input during page generation, an attacker can influence the content of the page presented to a user, potentially leading to credential theft, session hijacking, or defacement. The weakness is identified as a classic input handling issue (CWE‑79).

Affected Systems

VeronaLabs WP SMS plugin for WordPress, versions up to and including 7.1, is affected. Users running any WP SMS installation with a version number 7.1 or lower are exposed.

Risk and Exploitability

The CVSS score of 5.9 classifies it as a medium severity vulnerability. The EPSS score is reported as less than 1%, indicating a very low probability of exploitation at this time. It is not listed in the CISA KEV catalog. Although no explicit attack surface is detailed in the description, the likely vector involves an attacker controlling or influencing input that is reflected into the DOM, such as URLs or form fields. Exploitation would require the victim to visit a crafted page or interact with a manipulated interface provided by the plugin. The lack of a local‑only restriction suggests that remote attackers could trigger it by targeting vulnerable sites directly.

Generated by OpenCVE AI on April 16, 2026 at 00:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress WP SMS plugin to the latest available version (>=7.2) where the XSS flaw has been fixed.
  • If upgrading is not immediately possible, restrict or sanitize all user‑controlled input that is rendered by the plugin, ensuring it is properly encoded before insertion into the DOM.
  • Implement a Content Security Policy (CSP) that limits inline scripting and disallows execution of unknown scripts in the context of the WP SMS plugin to mitigate the impact of any remaining XSS vectors.

Generated by OpenCVE AI on April 16, 2026 at 00:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Veronalabs
Veronalabs wp Sms
Wordpress
Wordpress wordpress
Vendors & Products Veronalabs
Veronalabs wp Sms
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS wp-sms allows DOM-Based XSS.This issue affects WP SMS: from n/a through <= 7.1.
Title WordPress WP SMS plugin <= 7.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Veronalabs Wp Sms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:49.359Z

Reserved: 2026-02-02T12:52:37.308Z

Link: CVE-2026-25343

cve-icon Vulnrichment

Updated: 2026-02-20T15:59:06.611Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:18.747

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25343

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T00:30:18Z

Weaknesses