CVE-2026-28136
SQL Injection in VeronaLabs WP SMS Plugin
Publication date: 2026-02-26
Last updated on: 2026-02-26
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| veronalabs | wp_sms | to 6.9.12 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-28136 is a SQL Injection vulnerability found in the WordPress WP SMS Plugin versions up to and including 6.9.12.'}, {'type': 'paragraph', 'content': "This vulnerability allows a malicious actor with administrator privileges to directly interact with the plugin's database, potentially leading to unauthorized data access or theft."}, {'type': 'paragraph', 'content': 'It is classified under the OWASP Top 10 category A3: Injection and has a CVSS severity score of 7.6, indicating a moderate level of risk.'}, {'type': 'paragraph', 'content': 'The flaw was reported in May 2025 and patched in version 7.0 of the WP SMS Plugin.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "If exploited, this vulnerability can allow an attacker with administrator privileges to access or steal data from the plugin's database."}, {'type': 'paragraph', 'content': 'This could lead to unauthorized disclosure of sensitive information stored or managed by the WP SMS plugin.'}, {'type': 'paragraph', 'content': 'However, exploitation requires the attacker to already have administrator-level access, which limits the scope of impact.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This SQL Injection vulnerability in the WP SMS Plugin requires administrator privileges to exploit and involves direct interaction with the plugin's database."}, {'type': 'paragraph', 'content': 'Detection can focus on identifying unusual or unauthorized database queries related to the WP SMS plugin, especially those that might indicate SQL Injection attempts.'}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the available resources, but general approaches include monitoring database logs for suspicious queries and scanning the WordPress installation for the plugin version.'}, {'type': 'list_item', 'content': 'Check the installed WP SMS plugin version to see if it is <= 6.9.12, which is vulnerable.'}, {'type': 'list_item', 'content': 'Review database logs for unexpected or malformed SQL queries targeting the WP SMS plugin tables.'}, {'type': 'list_item', 'content': 'Use WordPress CLI commands to list plugin versions, e.g., `wp plugin list`.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the WP SMS Plugin to version 7.0 or later, where the vulnerability is patched.
Since the vulnerability requires administrator privileges to exploit, limiting administrator access and monitoring for suspicious activity can reduce risk.
- Update the WP SMS Plugin to version 7.0 or newer immediately.
- Restrict administrator privileges to trusted users only.
- Use automated update tools like Patchstack to facilitate rapid patching of vulnerable plugins.