CVE-2022-50960
Reflected XSS in WordPress International SMS for Contact Form 7 Integration
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | international_sms_for_contact_form_7_integration | 1.2 |
| varun_sridharan | international_sms_for_contact_form_7_integration | to 1.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is a reflected cross-site scripting (XSS) flaw found in version 1.2 of the WordPress International SMS for Contact Form 7 Integration plugin.
It occurs in the 'page' parameter of the admin settings interface, specifically in the file class-sms-log-display.php.
Attackers can inject malicious scripts through this parameter, which then execute arbitrary JavaScript in the browsers of administrators who access the affected page.
How can this vulnerability impact me?
This vulnerability allows attackers to execute arbitrary JavaScript code in the browsers of administrators.
Such execution can lead to unauthorized actions performed with administrator privileges, including stealing sensitive information, hijacking sessions, or modifying site settings.
Because the attack targets administrators, it can compromise the security and integrity of the entire WordPress site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability exists in the 'page' parameter of the admin settings interface in the file class-sms-log-display.php of the WordPress International SMS for Contact Form 7 Integration plugin version 1.2.
To detect this vulnerability, you can monitor HTTP requests to the WordPress admin interface for suspicious or unexpected script injections in the 'page' parameter.
For example, you can use web server logs or network traffic analysis tools to search for requests containing suspicious JavaScript code in the 'page' parameter.
- Use grep or similar tools on web server logs to find requests with the 'page' parameter containing script tags or suspicious payloads, e.g. `grep -i 'page=.*<script' /var/log/apache2/access.log`
- Use a web vulnerability scanner that supports detection of reflected XSS vulnerabilities targeting the admin interface of WordPress plugins.
- Manually test the 'page' parameter by injecting benign script payloads in a controlled environment to see if they are reflected and executed.
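The grep above only matches payloads written literally into the log; a percent-encoded `<script` in the 'page' parameter slips past it. The following added example (not part of the CVE record) parses Apache combined-format lines, URL-decodes the 'page' value of requests under /wp-admin/, and flags script-like content. The log lines, IP addresses and the 'sms-log' page slug are constructed for the example.

```python
"""Flag wp-admin requests whose decoded 'page' parameter carries script-like content.
Added example for triaging the reflected XSS described in CVE-2022-50960; the
sample data below is constructed, not captured traffic."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators checked against the *decoded* parameter value (case-insensitive).
SCRIPT_INDICATORS = re.compile(r"<\s*script|javascript\s*:|on[a-z]+\s*=", re.I)

# Constructed sample: a normal settings-page hit, a percent-encoded script payload in
# 'page' (invisible to a raw grep), a payload in a different parameter, and a request
# outside the admin interface.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=sms-log HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2026:10:00:02 +0000] "GET /wp-admin/admin.php?page=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
203.0.113.8 - - [10/May/2026:10:00:03 +0000] "GET /wp-admin/admin.php?page=sms-log&foo=%3Cscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:10:00:04 +0000] "GET /?page=%3Cscript%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def suspicious_page_values(log_text: str) -> list[dict]:
    """Return one record per request whose decoded 'page' value under /wp-admin/ matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-combined-format lines
        parts = urlsplit(m["target"])
        if not parts.path.startswith("/wp-admin/"):
            continue  # the affected settings page lives in the admin interface
        # parse_qs percent-decodes values, so encoded payloads are compared in clear text.
        for value in parse_qs(parts.query, keep_blank_values=True).get("page", []):
            if SCRIPT_INDICATORS.search(value):
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "page": value})
    return hits


if __name__ == "__main__":
    for hit in suspicious_page_values(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} page={hit['page']!r}")
```

Run it against a real access log by passing the file contents to `suspicious_page_values`; a hit is a reason to check that the plugin has been removed, not proof of a successful attack.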
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or removing the vulnerable WordPress International SMS for Contact Form 7 Integration plugin version 1.2 from your WordPress installation.
Since the plugin was removed from the WordPress Plugin Directory due to this security issue and is no longer maintained, it is recommended to uninstall it completely.
Additionally, restrict access to the WordPress admin interface to trusted users only and consider implementing web application firewall (WAF) rules to block malicious requests targeting the 'page' parameter.
Ensure that all administrators are aware of the risk and avoid clicking on suspicious links that could exploit this reflected XSS vulnerability.