Description
Subscriber Sensitive Data Exposure in WP SMS <= 7.2.1 versions.
Published: 2026-06-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP SMS plugin versions up to 7.2.1 contain a flaw that allows unauthorized disclosure of subscriber data, classified as a CWE-288 vulnerability. An attacker can obtain personal information stored for each subscriber, potentially compromising privacy and violating data protection requirements. The impact is a loss of confidentiality of subscriber records that could be used for more damaging attacks if combined with other exploits.

Affected Systems

Any WordPress site using the WP SMS plugin from VeronaLabs with a version of 7.2.1 or older. The vulnerability affects the plugin handling subscriber data in the WordPress administration environment.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of current exploitation. It is not listed in CISA’s KEV catalog. The attack vector is inferred to require access to the plugin’s backend or to exploit a publicly exposed endpoint that returns subscriber data. An authenticated administrator user or one with sufficient privileges to query the plugin endpoints may be able to trigger the disclosure.

Generated by OpenCVE AI on June 16, 2026 at 20:41 UTC.

Remediation

Vendor Solution

Update the WordPress WP SMS Plugin to the latest available version (at least 7.2.2).

OpenCVE Recommended Actions

  • Update the WP SMS plugin to version 7.2.2 or later as accepted by VeronaLabs.
  • If updating is not immediately feasible, disable or uninstall the WP SMS plugin to eliminate the vulnerable functionality until a patch is applied.
  • Review WordPress role and permission settings to ensure that only administrators can access subscriber data, and restrict any public API endpoints that could expose that data.

Generated by OpenCVE AI on June 16, 2026 at 20:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Veronalabs
Veronalabs wp Sms
Wordpress
Wordpress wordpress
Vendors & Products Veronalabs
Veronalabs wp Sms
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Subscriber Sensitive Data Exposure in WP SMS <= 7.2.1 versions.
Title WordPress WP SMS plugin <= 7.2.1 - Sensitive Data Exposure vulnerability
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Veronalabs Wp Sms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:28:39.932Z

Reserved: 2026-04-15T09:20:46.956Z

Link: CVE-2026-40790

cve-icon Vulnrichment

Updated: 2026-06-16T01:28:35.412Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:51.297

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40790

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T20:45:02Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel