Medium severity (6.1) · NVD Advisory · Published May 10, 2026 · Updated May 12, 2026

CVE-2022-50960

Description

WordPress International Sms For Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inject malicious scripts through the page parameter in class-sms-log-display.php to execute arbitrary JavaScript in administrator browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WordPress International Sms For Contact Form 7 Integration 1.2 has a reflected XSS in the page parameter of its admin settings interface, allowing attackers to execute arbitrary JavaScript in administrator browsers.

Vulnerability Overview

The WordPress plugin "International Sms For Contact Form 7 Integration" version 1.2 contains a reflected cross-site scripting (XSS) vulnerability in the page parameter of its admin settings interface. The flaw resides in the file class-sms-log-display.php, where user-supplied input is not properly sanitized before being reflected in the page output [1]. This allows an attacker to inject arbitrary HTML and JavaScript.

Exploitation

An attacker can craft a malicious URL containing a page parameter with a JavaScript payload, such as http://example.com/wp-content/plugins/cf7-international-sms-integration/includes/admin/class-sms-log-display.php?page=<script>alert("XSS")</script> [3]. The attack requires the victim to be an authenticated administrator and to click on the crafted link. No other privileges are needed, and the attack is reflected (non-persistent).

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the administrator's browser session. This could lead to session hijacking, defacement, or further compromise of the WordPress installation by performing administrative actions on behalf of the victim.

Mitigation

The plugin has been closed as of August 9, 2021, due to a security issue [2]. No patched version is available; users are advised to remove the plugin and seek alternative solutions. The vulnerability is listed in the Exploit Database [3] and may be actively targeted.
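
Since no patched version exists, reviewing web-server logs for past requests to the affected file is a useful check alongside removal. The following is an added example, not code from the advisory or the plugin: it scans access-log lines for requests to class-sms-log-display.php whose page parameter decodes to HTML markup. The combined log format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# File and parameter named in the advisory.
TARGET_FILE = "class-sms-log-display.php"
PARAM = "page"
# Assumed input: common/combined access-log format (client IP first, quoted request line).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<uri>\S+) HTTP/[\d.]+"')
# Characters a plain admin page slug has no need for.
MARKUP_RE = re.compile(r'[<>"\'`]|javascript:', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, not real traffic).
PLUGIN_PATH = "/wp-content/plugins/cf7-international-sms-integration/includes/admin/" + TARGET_FILE
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/May/2026:10:00:01 +0000] "GET {PLUGIN_PATH}?page=settings HTTP/1.1" 200 5120',
    f'203.0.113.5 - - [10/May/2026:10:02:13 +0000] "GET {PLUGIN_PATH}?page=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1" 200 812',
    f'203.0.113.9 - - [10/May/2026:10:05:40 +0000] "GET {PLUGIN_PATH}?page=%253Cscript%253Ealert(%2522XSS%2522)%253C%252Fscript%253E HTTP/1.1" 200 812',
]


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <), bounded by `rounds`."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return (client_ip, decoded page value) for hits on the plugin file with markup in `page`."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        parts = urlsplit(m.group("uri"))
        if not parts.path.lower().endswith("/" + TARGET_FILE):
            continue  # some other resource
        for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            value = fully_decode(raw)  # parse_qs already decoded once
            if MARKUP_RE.search(value):
                hits.append((m.group("ip"), value))
    return hits

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\t{value!r}")
```

A hit shows only that such a URL was requested; whether an administrator's browser loaded it has to be established from the client address, referrer and session data around that entry.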

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
