CVE-2026-28136

Received Received - Intake

SQL Injection in VeronaLabs WP SMS Plugin

Publication date: 2026-02-26

Last updated on: 2026-02-26

Assigner: Patchstack

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection.This issue affects WP SMS: from n/a through <= 6.9.12.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-26

Last Modified

2026-02-26

Generated

2026-06-16

AI Q&A

2026-02-26

EPSS Evaluated

2026-06-14

NVD

CVE-2026-28136

EUVD

EUVD-2026-8846

Affected Vendors & Products

Vendor	Product	Version / Range
veronalabs	wp_sms	to 6.9.12 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28136 is a SQL Injection vulnerability found in the WordPress WP SMS Plugin versions up to and including 6.9.12.'}, {'type': 'paragraph', 'content': "This vulnerability allows a malicious actor with administrator privileges to directly interact with the plugin's database, potentially leading to unauthorized data access or theft."}, {'type': 'paragraph', 'content': 'It is classified under the OWASP Top 10 category A3: Injection and has a CVSS severity score of 7.6, indicating a moderate level of risk.'}, {'type': 'paragraph', 'content': 'The flaw was reported in May 2025 and patched in version 7.0 of the WP SMS Plugin.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "If exploited, this vulnerability can allow an attacker with administrator privileges to access or steal data from the plugin's database."}, {'type': 'paragraph', 'content': 'This could lead to unauthorized disclosure of sensitive information stored or managed by the WP SMS plugin.'}, {'type': 'paragraph', 'content': 'However, exploitation requires the attacker to already have administrator-level access, which limits the scope of impact.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This SQL Injection vulnerability in the WP SMS Plugin requires administrator privileges to exploit and involves direct interaction with the plugin's database."}, {'type': 'paragraph', 'content': 'Detection can focus on identifying unusual or unauthorized database queries related to the WP SMS plugin, especially those that might indicate SQL Injection attempts.'}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the available resources, but general approaches include monitoring database logs for suspicious queries and scanning the WordPress installation for the plugin version.'}, {'type': 'list_item', 'content': 'Check the installed WP SMS plugin version to see if it is <= 6.9.12, which is vulnerable.'}, {'type': 'list_item', 'content': 'Review database logs for unexpected or malformed SQL queries targeting the WP SMS plugin tables.'}, {'type': 'list_item', 'content': 'Use WordPress CLI commands to list plugin versions, e.g., `wp plugin list`.'}] [1]

Mitigation Strategies

The primary mitigation step is to update the WP SMS Plugin to version 7.0 or later, where the vulnerability is patched.

Since the vulnerability requires administrator privileges to exploit, limiting administrator access and monitoring for suspicious activity can reduce risk.

Update the WP SMS Plugin to version 7.0 or newer immediately.
Restrict administrator privileges to trusted users only.
Use automated update tools like Patchstack to facilitate rapid patching of vulnerable plugins.

Hi! I’m here to help you understand CVE-2026-28136. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-28136

SQL Injection in VeronaLabs WP SMS Plugin

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart