CVE-2025-3776

Name of the Vulnerable Software and Affected Versions Verification SMS with TargetSMS plugin for WordPress versions up to, and including, 1.5

Description The issue is related to limited Remote Code Execution in the Verification SMS with TargetSMS plugin for WordPress. This vulnerability is due to a lack of validation on the type of function that can be called via the targetvr ajax handler function. As a result, unauthenticated attackers can execute any callable function on the site, such as phpinfo().

Recommendations For versions up to, and including, 1.5, consider disabling the targetvr ajax handler function until a patch is available to prevent exploitation. Restrict access to the admin-ajax.php endpoint to minimize the risk of exploitation. Avoid using the vulnerable plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.