Description
The VatanSMS WP SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `page` parameter in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.
Published: 2026-05-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the VatanSMS WP SMS plugin’s handling of the 'page' query parameter, which is not properly sanitized nor escaped before being reflected in the page source. This flaw allows attackers to embed malicious script code that will execute in the browser context of any administrator who follows a crafted link. The injected code can steal session cookies, perform unwanted actions on behalf of the admin, or facilitate further attacks against the site, thereby compromising confidentiality, integrity, and availability for the targeted WordPress installation.

Affected Systems

WordPress sites that have the VatanSMS WP SMS plugin installed, at version 1.01 or earlier, provided by vatanyazilim.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited evidence of exploitation in the wild. However, given that the flaw can be triggered by simply enticing an administrator to click a link containing user supplied input, attackers can readily exploit the issue in environments where users do not perform rigorous link verification. The attack path requires no privileged access and relies only on social engineering, meaning that the risk to any site where administrators are likely to click suspicious links is high.

Generated by OpenCVE AI on May 20, 2026 at 03:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the VatanSMS WP SMS plugin to the latest version (1.02 or higher) to eliminate the reflected XSS vector.
  • If an upgrade is not immediately possible, consider removing or disabling the plugin until a patch is applied to prevent exposure.
  • Ensure administrators are trained to recognize suspicious links and implement web‑app firewall rules that reject or neutralize scripts embedded in the 'page' parameter.

Generated by OpenCVE AI on May 20, 2026 at 03:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Vatanyazilim
Vatanyazilim vatansms Wp Sms
Wordpress
Wordpress wordpress
Vendors & Products Vatanyazilim
Vatanyazilim vatansms Wp Sms
Wordpress
Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type Values Removed Values Added
Description The VatanSMS WP SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `page` parameter in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.
Title VatanSMS WP SMS <= 1.01 - Reflected Cross-Site Scripting via 'page' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Vatanyazilim Vatansms Wp Sms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T14:10:42.513Z

Reserved: 2026-04-29T18:12:50.624Z

Link: CVE-2026-7462

cve-icon Vulnrichment

Updated: 2026-05-20T14:10:29.676Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T02:16:39.260

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-7462

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:38:24Z

Weaknesses