Attack Vectors
CVE-2026-25343 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability (CVSS 4.4) affecting the WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce WordPress plugin (slug: wp-sms) in versions <= 7.1.
The attack requires an authenticated user with administrator-level access or higher to inject malicious script content that is saved (“stored”) and can execute later when another user loads the affected admin page or site page.
This issue is specifically relevant in multi-site installations and in environments where unfiltered_html has been disabled (a common hardening/compliance setting). In practical terms, the risk increases when multiple admins exist (internal teams, agencies, contractors) or when admin credentials could be compromised via phishing, password reuse, or malware on a user’s device.
Security Weakness
The root cause is insufficient input sanitization and output escaping in the plugin’s handling of certain saved fields. This allows attacker-supplied content to be stored in WordPress and later rendered in a way that the browser interprets as executable code.
Because this is a stored XSS, the injected code can persist until it is identified and removed, meaning it can trigger repeatedly for different users and sessions. Even with the higher privilege requirement noted in the CVSS vector (PR:H), this weakness still matters for organizations that must assume a realistic “compromised admin” scenario.
Reference: CVE-2026-25343. Source advisory: Wordfence vulnerability record.
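The pattern behind this class of bug is a settings field that is written to the database without sanitization and later echoed without escaping. The following PHP is an added illustration written for this page, not code from the WP SMS plugin or from the Wordfence advisory: it shows a generic WordPress admin-settings handler in its vulnerable form beside a hardened form. It assumes the WordPress runtime (current_user_can, check_admin_referer, update_option, get_option, sanitize_text_field, wp_kses_post, esc_attr and esc_html are WordPress core functions); the option names, the nonce action and the form field names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes the WordPress runtime; the
// option names 'example_sms_sender_name' / 'example_sms_message_template',
// the nonce action and the POST field names are hypothetical.

// --- Vulnerable pattern: raw input stored, raw value rendered. ---
function example_save_settings_vulnerable() {
    // Whatever the admin submits, including script markup, is stored verbatim...
    update_option( 'example_sms_sender_name', $_POST['sender_name'] );
}

function example_render_settings_vulnerable() {
    // ...and printed without context-appropriate escaping, so the browser of
    // the next user who opens this admin page executes it (stored XSS).
    echo '<input type="text" name="sender_name" value="' . get_option( 'example_sms_sender_name' ) . '">';
}

// --- Hardened pattern: capability check, nonce, sanitize on save, escape on output. ---
function example_save_settings_hardened() {
    // The plugin must not rely on the caller being a trusted administrator;
    // the advisory's threat model is precisely a compromised admin account.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_sms_save_settings' );

    // Plain-text setting: sanitize_text_field() strips tags, invalid octets
    // and line breaks. wp_unslash() undoes WordPress's request slashing first.
    $sender = sanitize_text_field( wp_unslash( $_POST['sender_name'] ?? '' ) );
    update_option( 'example_sms_sender_name', $sender );

    // A field that legitimately carries limited HTML (e.g. a message template)
    // is run through wp_kses_post() rather than trusting the admin role.
    // This is what keeps an unfiltered_html-disabled site actually filtered:
    // KSES is applied to post content automatically, not to plugin options.
    $template = wp_kses_post( wp_unslash( $_POST['message_template'] ?? '' ) );
    update_option( 'example_sms_message_template', $template );
}

function example_render_settings_hardened() {
    $sender   = get_option( 'example_sms_sender_name', '' );
    $template = get_option( 'example_sms_message_template', '' );

    // Escape for the exact output context: esc_attr() inside an attribute
    // value, esc_html() in element text. Sanitizing on save alone is not
    // enough, because the value may have been written by another code path.
    printf(
        '<input type="text" name="sender_name" value="%s">',
        esc_attr( $sender )
    );
    printf( '<p>Current sender: %s</p>', esc_html( $sender ) );

    // Already filtered by wp_kses_post() on save; filtering again on output
    // costs little and protects against values stored by older/other code.
    echo '<div class="template-preview">' . wp_kses_post( $template ) . '</div>';
}
```

The two halves differ in three places only: a capability and nonce check before the write, sanitization chosen per field type on the way in, and escaping chosen per output context on the way out. Dropping any one of the three reproduces the weakness described above.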
Technical or Business Impacts
While this vulnerability requires administrator-level access, it can still create meaningful business risk because stored scripts can execute in other users’ browsers and potentially affect higher-privileged accounts (particularly in multi-site environments where roles and access boundaries are more complex).
Potential impacts include:
• Account takeover amplification: A compromised admin account could plant scripts that help capture session details or trick other admins into actions, increasing the blast radius.
• Unauthorized changes: Malicious scripts can be used to alter settings, create new users, or modify content in ways that harm brand integrity and operational stability.
• Data exposure and compliance concerns: Depending on what pages are affected and who accesses them, there may be risk of leaking sensitive information visible in the browser (e.g., operational data, customer-related admin views), creating governance and audit issues.
• Brand and revenue impact: For WooCommerce sites, disruptions to storefront operations, customer trust, and campaign landing pages can translate into lost sales and reputational damage.
Remediation: Update WSMS (formerly WP SMS) to version 7.1.1 or newer (patched). As a policy control, review and limit administrator access (including agency accounts), enforce strong authentication, and monitor for unexpected admin-side content changes—especially on multi-site deployments.
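One way to act on the "monitor for unexpected admin-side content changes" advice is to log every option write that introduces markup WordPress itself would not allow. The snippet below is an added example for this page, not part of the advisory or the plugin. It assumes the WordPress runtime: the updated_option action (which passes the option name, old value and new value), wp_kses_post(), get_current_user_id() and error_log() are core PHP/WordPress APIs; the list of watched option names is a hypothetical placeholder to be replaced with the settings a site actually cares about.

```php
<?php
// Added example, not the plugin's code. Assumes the WordPress runtime; the
// watched option names below are hypothetical placeholders.

// Options whose values should never carry script-capable markup.
const EXAMPLE_WATCHED_OPTIONS = array(
    'example_sms_sender_name',
    'example_sms_message_template',
);

// wp_kses_post() removes <script>, inline event handlers and javascript: URLs.
// If filtering changes the value, the stored string contained markup that the
// unfiltered_html-disabled policy would not permit. Treat hits as a review
// queue rather than proof: KSES also normalises benign but sloppy HTML.
function example_has_disallowed_markup( $value ): bool {
    if ( ! is_string( $value ) ) {
        return false; // arrays/objects are outside this simple check
    }
    return wp_kses_post( $value ) !== $value;
}

// Runs after any option is updated; records who changed a watched option and
// whether the new value would fail KSES filtering.
function example_log_option_change( $option, $old_value, $value ) {
    if ( ! in_array( $option, EXAMPLE_WATCHED_OPTIONS, true ) ) {
        return;
    }
    $flag = example_has_disallowed_markup( $value ) ? 'DISALLOWED_MARKUP' : 'ok';
    error_log( sprintf(
        '[option-audit] user=%d option=%s status=%s len_old=%d len_new=%d',
        get_current_user_id(),
        $option,
        $flag,
        is_string( $old_value ) ? strlen( $old_value ) : 0,
        is_string( $value ) ? strlen( $value ) : 0
    ) );
}
add_action( 'updated_option', 'example_log_option_change', 10, 3 );

// One-off sweep of values already in the database, e.g. run via WP-CLI's
// `wp eval-file` after applying the 7.1.1 update.
function example_sweep_watched_options(): array {
    $findings = array();
    foreach ( EXAMPLE_WATCHED_OPTIONS as $name ) {
        $value = get_option( $name, '' );
        if ( example_has_disallowed_markup( $value ) ) {
            $findings[ $name ] = $value;
        }
    }
    return $findings;
}
```

Loaded as a must-use plugin, the hook gives the change-monitoring trail the remediation paragraph asks for (which account wrote which setting, and whether the write carried disallowed markup), and the sweep function answers the question of whether anything was planted before the update. Because a stored payload persists, the sweep matters as much as patching: updating the plugin stops new injections but does not remove values already in the database.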
Similar Attacks
Stored and client-side script injection issues are a common path to broader compromise and data loss. A few real-world examples that illustrate the business impact of injected scripts include:
• British Airways (2018): Attackers injected malicious JavaScript to skim payment data, resulting in significant regulatory and reputational consequences. See: British Airways 2018 data breach summary.
• Ticketmaster (2018): A third-party script was implicated in payment card data theft, highlighting how browser-executed code can create direct financial and trust impacts. See: Ticketmaster 2018 data breach summary.
• WordPress Core Stored XSS (CVE-2019-8942): A WordPress core vulnerability that demonstrates how stored XSS issues can affect widely used web platforms. See: CVE-2019-8942.