{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28136", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:14:18.579Z", "datePublished": "2026-02-26T08:33:36.839Z", "dateUpdated": "2026-04-28T16:15:09.344Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-sms", "product": "WP SMS", "vendor": "VeronaLabs", "versions": [{"changes": [{"at": "7.0", "status": "unaffected"}], "lessThanOrEqual": "6.9.12", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Kim Sang (HPT Vietnam) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:46.114Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection.<p>This issue affects WP SMS: from n/a through <= 6.9.12.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection.This issue affects WP SMS: from n/a through <= 6.9.12."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:09.344Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-sms/vulnerability/wordpress-wp-sms-plugin-6-9-12-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress WP SMS plugin <= 6.9.12 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T18:54:29.103423Z", "id": "CVE-2026-28136", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:38:06.071Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28136", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T18:54:29.103423Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T18:54:23.364Z"}}], "cna": {"title": "WordPress WP SMS plugin <= 6.9.12 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Kim Sang (HPT Vietnam) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "VeronaLabs", "product": "WP SMS", "versions": [{"status": "affected", "changes": [{"at": "7.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "6.9.12"}], "packageName": "wp-sms", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:51:46.114Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-sms/vulnerability/wordpress-wp-sms-plugin-6-9-12-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection.This issue affects WP SMS: from n/a through <= 6.9.12.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection.<p>This issue affects WP SMS: from n/a through <= 6.9.12.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:56.683Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28136", "state": "PUBLISHED", "dateUpdated": "2026-04-28T13:38:06.071Z", "dateReserved": "2026-02-25T12:14:18.579Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-26T08:33:36.839Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection.This issue affects WP SMS: from n/a through <= 6.9.12."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando SQL ('Inyecci\u00f3n SQL') vulnerabilidad en VeronaLabs WP SMS wp-sms permite la inyecci\u00f3n SQL. Este problema afecta a WP SMS: desde n/a hasta &lt;= 6.9.12."}], "id": "CVE-2026-28136", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-26T09:16:15.363", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-sms/vulnerability/wordpress-wp-sms-plugin-6-9-12-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.12]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WP SMS", "source": "cna", "vendor": "VeronaLabs"}, "product": "wp_sms", "vendor": "veronalabs"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T16:07:06.919664+00:00", "value": {"mitigation_remediation": ["Disable or remove the WP SMS plugin from the site to eliminate the vulnerable code path", "Ensure that the database user associated with the WordPress installation has the least privilege necessary, restricting potential damage if an injection occurs", "Check the VeronaLabs WP SMS plugin vendor page or official repository for a new release or advisory, and apply any available update as soon as it becomes available"], "summary": {"action": "Patch Immediately", "impact": "SQL Injection leading to unauthorized data access or manipulation"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the WP SMS plugin installed and running a version no higher than 6.9.12 are vulnerable. The plugin is developed by VeronaLabs and is commonly used to send SMS notifications from WordPress sites.", "description_and_impact": "An improper neutralization of special elements in SQL commands has been identified in VeronaLabs WP SMS plugin up through version 6.9.12. The flaw allows an attacker to inject arbitrary SQL statements into the database. If exploited, the attacker could read, modify, or delete site data, including user credentials and messages, potentially compromising the integrity and confidentiality of the WordPress site. This vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.6, indicating high severity. The EPSS score of less than 1% suggests a low current probability of exploitation, and it is not listed in the CISA KEV catalog. The likely attack vector is remote, via the plugin\u2019s web interfaces, and the attacker would need to construct a malicious input that the plugin passes directly to the database. No authentication requirement is explicitly stated, but the plugin\u2019s typical use within site administration makes it plausible that an authenticated site administrator could execute the attack more easily."}}}}, "created": "2026-02-26T13:09:30.776795+00:00", "updated": "2026-04-16T16:15:08.465583+00:00", "vendors": ["veronalabs", "veronalabs$PRODUCT$wp_sms", "wordpress", "wordpress$PRODUCT$wordpress"]}