CVE-2023-6981

Name of the Vulnerable Software and Affected Versions WP SMS – Messaging & SMS Notification for WordPress versions up to, and including, 6.5

Description The issue allows authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries via the group id parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This can be leveraged to extract sensitive information from the database and achieve Reflected Cross-site Scripting.

Recommendations For versions up to, and including, 6.5, consider disabling the group id parameter until a patch is available to prevent SQL Injection attacks. Restrict access to the plugin's functionality to minimize the risk of exploitation, especially for users with contributor-level access and above.