CVE-2025-12580
Description
The SMS for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in SMS for WordPress plugin (≤1.1.8) allows unauthenticated attackers to inject arbitrary scripts via the paged parameter.
Vulnerability Overview
The SMS for WordPress plugin, up to and including version 1.1.8, contains a Reflected Cross-Site Scripting (XSS) vulnerability in the 'paged' parameter. The flaw arises from insufficient input sanitization and output escaping, which allows attackers to inject arbitrary web scripts into pages [1].
Exploitation Method
An unauthenticated attacker can craft a malicious link whose 'paged' parameter carries the injected script. The attack requires user interaction, such as clicking the link, after which the injected script executes in the context of the victim's browser session [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, or defacement of the WordPress site. The vulnerability is rated Medium (CVSS 6.1) due to the requirement for user interaction [1].
Mitigation
The plugin has been closed as of November 3, 2025, due to this security issue and is no longer available for download. Users should remove the plugin immediately and migrate to an alternative solution [1].
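A pagination parameter should only ever hold a small integer, so a site that ran the plugin can check its web server access logs for requests where 'paged' held anything else. The following is an added example, not code from the plugin or from this advisory; it assumes combined-format access logs, and because the advisory does not name the affected endpoint, the path and `page=example` in the constructed sample lines are hypothetical and the check matches 'paged' on any URL.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request part of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_paged(line):
    """Return the decoded 'paged' values in one log line that are not plain integers."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    hits = []
    # parse_qsl percent-decodes values and drops blank ones by default.
    for key, value in parse_qsl(query):
        if key == "paged" and not re.fullmatch(r"\d{1,9}", value):
            hits.append(value)
    return hits


def scan(lines):
    """Return (client_ip, decoded_value) for every request with a non-numeric 'paged'."""
    out = []
    for line in lines:
        for value in suspicious_paged(line):
            out.append((line.split(" ", 1)[0], value))
    return out


# Constructed sample log lines (not from a real server; endpoint is hypothetical).
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Nov/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=example&paged=2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [04/Nov/2025:10:00:05 +0000] "GET /wp-admin/admin.php?page=example&paged=1%22%3E%3Cb%3E HTTP/1.1" 200 5188',
    '198.51.100.7 - - [04/Nov/2025:10:00:09 +0000] "GET /wp-admin/admin.php?page=example&paged= HTTP/1.1" 200 5120',
    '192.0.2.44 - - [04/Nov/2025:10:00:12 +0000] "GET /index.php?s=paged HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip}\tpaged={value!r}")
```

A hit shows that a crafted link was requested, not that a script ran in anyone's browser; the referrer and the account behind the request still need to be reviewed.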
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Package: https://wordpress.org/plugins/sms4wp
- Range: <=1.1.8
Patches
No patches discovered yet.