CVE-2022-50960
Deferred Deferred - Pending Action

Reflected XSS in WordPress International SMS for Contact Form 7 Integration

Vulnerability report for CVE-2022-50960, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-10

Last updated on: 2026-05-26

Assigner: VulnCheck

Description

WordPress International Sms For Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inject malicious scripts through the page parameter in class-sms-log-display.php to execute arbitrary JavaScript in administrator browsers.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-10
Last Modified
2026-05-26
Generated
2026-07-11
AI Q&A
2026-05-10
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
wordpress international_sms_for_contact_form_7_integration 1.2
varun_sridharan international_sms_for_contact_form_7_integration to 1.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability is a reflected cross-site scripting (XSS) flaw found in version 1.2 of the WordPress International Sms For Contact Form 7 Integration plugin.

It occurs in the 'page' parameter of the admin settings interface, specifically in the file class-sms-log-display.php.

Attackers can inject malicious scripts through this parameter, which then execute arbitrary JavaScript in the browsers of administrators who access the affected page.

Impact Analysis

This vulnerability allows attackers to execute arbitrary JavaScript code in the browsers of administrators.

Such execution can lead to unauthorized actions performed with administrator privileges, including stealing sensitive information, hijacking sessions, or modifying site settings.

Because the attack targets administrators, it can compromise the security and integrity of the entire WordPress site.

Detection Guidance

The vulnerability exists in the 'page' parameter of the admin settings interface in the file class-sms-log-display.php of the WordPress International Sms For Contact Form 7 Integration plugin version 1.2.

To detect this vulnerability, you can monitor HTTP requests to the WordPress admin interface for suspicious or unexpected script injections in the 'page' parameter.

For example, you can use web server logs or network traffic analysis tools to search for requests containing suspicious JavaScript code in the 'page' parameter.

  • Use grep or similar tools on web server logs to find requests with the 'page' parameter containing script tags or suspicious payloads, e.g.:
  • grep -i 'page=.*<script' /var/log/apache2/access.log
  • Use a web vulnerability scanner that supports detection of reflected XSS vulnerabilities targeting the admin interface of WordPress plugins.
  • Manually test the 'page' parameter by injecting benign script payloads in a controlled environment to see if they are reflected and executed.
Mitigation Strategies

Immediate mitigation steps include disabling or removing the vulnerable WordPress International Sms For Contact Form 7 Integration plugin version 1.2 from your WordPress installation.

Since the plugin was removed from the WordPress Plugin Directory due to this security issue and is no longer maintained, it is recommended to uninstall it completely.

Additionally, restrict access to the WordPress admin interface to trusted users only and consider implementing web application firewall (WAF) rules to block malicious requests targeting the 'page' parameter.

Ensure that all administrators are aware of the risk and avoid clicking on suspicious links that could exploit this reflected XSS vulnerability.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50960. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart