Login Sign Up

CVE-2023-32742

7.1 HIGH
Cross-Site Scripting

📋 TL;DR

This vulnerability allows unauthenticated attackers to inject malicious scripts into WordPress sites using the WP SMS plugin. When users view pages containing the injected scripts, attackers can steal session cookies, redirect users, or perform actions on their behalf. All WordPress sites running WP SMS plugin version 6.1.4 or earlier are affected.

💻 Affected Systems

Products:
  • VeronaLabs WP SMS WordPress Plugin
Versions: <= 6.1.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin version are affected regardless of configuration.

📦 What is this software?

Wp Sms by Veronalabs

View all CVEs affecting Wp Sms →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal administrator session cookies, gain full control of the WordPress site, install backdoors, deface the site, or steal sensitive data.

🟠

Likely Case

Attackers steal user session cookies to hijack accounts, redirect users to malicious sites, or display phishing content.

🟢

If Mitigated

With proper input validation and output encoding, the malicious scripts are neutralized before execution, preventing any impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS vulnerabilities are commonly exploited and require minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.5

Vendor Advisory: https://patchstack.com/database/vulnerability/wp-sms/wordpress-wp-sms-plugin-6-1-4-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WP SMS plugin and click 'Update Now'. 4. Verify plugin version is 6.1.5 or later.

🔧 Temporary Workarounds

Disable WP SMS Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate wp-sms

Implement WAF Rules

all

Add web application firewall rules to block XSS payloads targeting WP SMS endpoints.

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Deploy web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WP SMS version <= 6.1.4

Check Version:

wp plugin get wp-sms --field=version

Verify Fix Applied:

Verify WP SMS plugin version is 6.1.5 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing script tags or JavaScript in WP SMS plugin parameters
  • Unusual POST/GET requests to /wp-admin/admin-ajax.php with wp-sms parameters

Network Indicators:

  • Malicious script injection attempts in HTTP requests to WP SMS endpoints

SIEM Query:

source="web_access.log" AND (uri_path="*wp-sms*" OR parameters="*wp-sms*") AND (parameters="*<script>*" OR parameters="*javascript:*" OR parameters="*onload=*" OR parameters="*onerror=*")

📊 Metadata

CVE ID: CVE-2023-32742
CVSS v3 Score: 7.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CWE: CWE-79
Published: August 30, 2023
Last Updated: December 17, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-32742, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)