CVE-2026-22352
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PersianScript Persian Woocommerce SMS persian-woocommerce-sms allows Reflected XSS. This issue affects Persian Woocommerce SMS: from n/a through <= 7.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Persian Woocommerce SMS plugin (≤7.1.1) allows unauthenticated attackers to inject malicious scripts via improperly neutralized input.
Vulnerability Overview
An Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists in the Persian Woocommerce SMS plugin for WordPress, affecting versions from n/a through 7.1.1 [1]. The root cause is that the plugin fails to properly sanitize user-supplied input before rendering it in web pages, enabling an attacker to inject arbitrary HTML or JavaScript code [1].
Exploitation Prerequisites
This reflected XSS vulnerability can be exploited without requiring authentication, but successful exploitation depends on user interaction [1]. A privileged user (such as an administrator) must perform an action like clicking a malicious link, visiting a specially crafted page, or submitting a form [1]. The attack does not require any special network position and can be delivered via typical web vectors such as crafted URLs [1].
Impact
If exploited, an attacker can inject malicious scripts into the vulnerable page, leading to actions such as redirecting visitors to malicious sites, displaying advertisements, or stealing sensitive information when a victim visits the site [1]. This type of vulnerability is moderately dangerous and is frequently used in mass-exploit campaigns targeting thousands of websites regardless of their popularity [1].
Mitigation
The vendor has not yet released an official patch, but Patchstack has provided a mitigation rule that blocks attacks until an update is available and safely applied [1]. The recommended immediate action is to update the plugin to a patched version once released; if updating is not possible, users should consult their hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 7.1.1
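To find out whether a site carries a version in the affected range, the following added example (not part of the advisory or of the plugin's code) reads the plugin's `Version:` header from disk and compares it with 7.1.1. It assumes the standard `wp-content/plugins/<slug>/` layout; the function names are this example's own.

```python
import re
from pathlib import Path

SLUG = "persian-woocommerce-sms"  # plugin slug as given on this page
LAST_AFFECTED = "7.1.1"           # affected range on this page: <= 7.1.1

# WordPress takes a plugin's version from a "Version:" line in the header
# comment of a PHP file in the plugin directory.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)


def version_key(version):
    """Turn '7.1.1' into (7, 1, 1); trailing zeros dropped so 7.1.1.0 == 7.1.1."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def header_version(php_source):
    """Return the Version header value, or None if the file has no header."""
    match = VERSION_RE.search(php_source[:8192])  # headers sit at the top of the file
    return match.group(1) if match else None


def is_affected(version):
    return version_key(version) <= version_key(LAST_AFFECTED)


def scan(wp_root):
    """Return (file name, version, affected) for each header-bearing PHP file."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    found = []
    for php in sorted(plugin_dir.glob("*.php")):
        version = header_version(php.read_text(errors="replace"))
        if version is not None:
            found.append((php.name, version, is_affected(version)))
    return found


if __name__ == "__main__":
    import sys
    for name, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{SLUG}/{name}: {version} -> {'AFFECTED' if affected else 'outside range'}")
```

Run it with the WordPress root as the only argument; an empty result means the plugin directory was not found under that root.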
Patches
No patches discovered yet.
References