Medium severity6.1NVD Advisory· Published Jan 3, 2024· Updated Apr 8, 2026

CVE-2023-6981

Description

The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to SQL Injection via the 'group_id' parameter in all versions up to, and including, 6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This can leveraged to achieve Reflected Cross-site Scripting.

Affected products

Veronalabs/Wp Sms
cpe:2.3:a:veronalabs:wp_sms:*:*:*:*:free:wordpress:*:*
Range: <6.5.1

Patches

7ad23a0596e8

https://github.com/wp-sms/wp-smsvia osv

6656de201efe

https://github.com/wp-sms/wp-smsvia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/wp-sms/wp-sms/commit/6656de201efe67c7983102c344a546eed976a819nvdPatch
plugins.trac.wordpress.org/changesetnvdPatch
www.wordfence.com/threat-intel/vulnerabilities/id/b8f53053-5150-4fba-b8d6-3d6c9df32c69nvdPatchThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000