CVE-2026-40790
Description
The WP SMS plugin <= 7.2.1 for WordPress exposes subscriber-sensitive data, a medium-severity risk used in mass-exploit campaigns.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WP SMS plugin for WordPress, in versions 7.2.1 and earlier, contains a sensitive data exposure vulnerability [1]. The flaw lets a party who should not have it read subscriber information the plugin is supposed to keep restricted. Any WordPress site running an affected version is exposed, regardless of its size or traffic [1]; the public description does not identify the specific endpoint or code path involved.
Exploitation
An attacker does not need an account on the WordPress site to trigger the exposure [1]. Only network access to the site is required; the attack is performed remotely and involves no user interaction. A successful request returns subscriber data that is normally hidden from ordinary visitors [1]. The flaw is reported to be used in mass-exploitation campaigns, the kind that scan and hit large numbers of WordPress sites indiscriminately rather than targeting one site at a time [1], so an unpatched install should be assumed to have been probed.
Impact
Successful exploitation exposes subscriber-sensitive information, which, given what the plugin stores, may include personal data such as phone numbers or email addresses [1]. Leaked contact data is a ready input for follow-on phishing or SMS-based social engineering against the site's subscribers, and a disclosure of personal data may carry notification obligations for the site operator. The CVSS v3 score of 6.5 (Medium) reflects an information-disclosure impact with limited direct effect on system integrity or availability [1].
Mitigation
The vendor has released version 7.2.2 of the WP SMS plugin, which resolves the vulnerability [1]. Users should update to 7.2.2 or later immediately and confirm the installed version afterwards rather than relying on the update having succeeded [1]. Sites that cannot update yet can apply the Patchstack mitigation rule, which blocks attack traffic until the patch is in place [1]; this is a stopgap, not a replacement for the fix. Enabling auto-updates for the plugin helps future fixes land promptly [1]. Because the flaw was exploited at scale, operators of sites that ran a vulnerable version should also treat the subscriber data as potentially already exposed and review access logs from the exposure window.
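The version check described above, as an added example that is not part of the advisory or of the WP SMS project. It reads the plugin's standard WordPress `Version:` header, compares it numerically against 7.2.2 (a plain string comparison would wrongly rank 7.10.0 below 7.2.2), and reports whether the install is inside the vulnerable range. It assumes the plugin lives in a directory whose main file is `wp-sms.php`; verify that against your own install, since the advisory does not state file names.

```sh
#!/bin/sh
# Added example (not from the advisory or the WP SMS project): decide whether an
# installed WP SMS version is inside the vulnerable range (<= 7.2.1).
# Assumption: the plugin's main file is wp-sms.php and carries the standard
# WordPress "Version:" header. Check both against your install.

FIXED_VERSION="7.2.2"

# Compare two dotted versions component by component, printing -1, 0 or 1.
# A trailing dot is appended so that cut always sees a delimiter; missing or
# non-numeric components count as 0 (so 7.2 == 7.2.0).
version_cmp() {
    i=1
    while [ "$i" -le 8 ]; do
        x=$(printf '%s.' "$1" | cut -d. -f"$i" | tr -cd '0-9')
        y=$(printf '%s.' "$2" | cut -d. -f"$i" | tr -cd '0-9')
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo "-1"; return; fi
        if [ "$x" -gt "$y" ]; then echo "1"; return; fi
        i=$((i + 1))
    done
    echo "0"
}

# True (exit 0) when the given version is older than the fixed release.
wp_sms_is_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Extract the "Version:" header from a plugin's main PHP file, the same header
# WordPress itself reads. Tolerates the " * " comment prefix.
plugin_version_from_header() {
    sed -n 's/^[[:space:]*#]*Version:[[:space:]]*//p' "$1" | head -n 1 | tr -d '[:space:]'
}

# Given the plugin directory, report the state of the install.
# Exit status: 0 = fixed, 1 = vulnerable, 2 = could not determine.
check_wp_sms_dir() {
    main="$1/wp-sms.php"
    [ -f "$main" ] || { echo "no wp-sms.php under $1"; return 2; }
    v=$(plugin_version_from_header "$main")
    [ -n "$v" ] || { echo "could not read Version header from $main"; return 2; }
    if wp_sms_is_vulnerable "$v"; then
        echo "WP SMS $v is vulnerable: update to $FIXED_VERSION or later"
        return 1
    fi
    echo "WP SMS $v is at or above $FIXED_VERSION"
    return 0
}

# Demo on a constructed plugin file (not a real install): sh check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '<?php\n/*\n * Plugin Name: WP SMS\n * Version: 7.2.1\n */\n' > "$d/wp-sms.php"
    check_wp_sms_dir "$d"
    rm -rf "$d"
fi
```

On a live site the same function is pointed at `wp-content/plugins/wp-sms`; the exit status makes it usable from a fleet-wide audit loop or a cron job that alerts on status 1.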
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
No source-code context is available for this CVE. A mechanics analysis is generated only when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0 (no linked articles in our index yet)