CVE-2023-6980

Name of the Vulnerable Software and Affected Versions WP SMS – Messaging & SMS Notification for WordPress versions up to, and including, 6.5

Description The issue is due to missing or incorrect nonce validation on the 'delete' action of the wp-sms-subscribers page, making it possible for unauthenticated attackers to delete subscribers via a forged request. This can be achieved if an attacker can trick a site administrator into performing an action, such as clicking on a link.

Recommendations For versions up to, and including, 6.5, update to a version higher than 6.5 to resolve the issue. As a temporary workaround, consider restricting access to the wp-sms-subscribers page to minimize the risk of exploitation. Additionally, be cautious when clicking on links from untrusted sources to avoid unintentionally performing actions that could lead to subscriber deletion.