CVE-2025-3776 HIGH

CVE-2025-3776: Verification SMS with TargetSMS <= 1.5 - Unauthenticated Limited Remote Code Execution

Vendor Cajka
Product Verification SMS with TargetSMS
Weakness CWE-94 · Code injection
Published April 24, 2025
Last update April 8, 2026

CVSS base score

8.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

The Verification SMS with TargetSMS plugin for WordPress is vulnerable to limited Remote Code Execution in all versions up to, and including, 1.5 via the 'targetvr_ajax_handler' function. This is due to a lack of validation on the type of function that can be called. This makes it possible for unauthenticated attackers to execute any callable function on the site, such as phpinfo().
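
The weak pattern described above, shown next to an allowlisted dispatcher, as an added PHP example that is not the plugin's own code. The parameter name `fn`, the handler functions and the action names are hypothetical.

```php
<?php
// Added illustration, not the plugin's source. Every name here is hypothetical.

// Weak pattern (CWE-94): the request itself names the function to run.
function dispatch_unvalidated(array $request)
{
    $fn = $request['fn'] ?? '';           // hypothetical parameter name
    if (is_string($fn) && is_callable($fn)) {
        return call_user_func($fn);       // any loaded function is reachable
    }
    return null;
}

// Hypothetical handlers the endpoint is actually meant to expose.
function example_send_code(array $request): string
{
    return 'code sent';
}

function example_check_code(array $request): string
{
    return 'code checked';
}

// Hardened pattern: input only selects a key in a fixed map.
const ALLOWED_ACTIONS = [
    'send_code'  => 'example_send_code',
    'check_code' => 'example_check_code',
];

function dispatch_allowlisted(array $request): array
{
    $action = $request['fn'] ?? '';
    // is_string() first: array-valued parameters must not reach the lookup.
    if (!is_string($action) || !array_key_exists($action, ALLOWED_ACTIONS)) {
        return ['status' => 400, 'body' => 'unknown action'];
    }
    $handler = ALLOWED_ACTIONS[$action];
    return ['status' => 200, 'body' => $handler($request)];
}

// Constructed sample requests: one expected action, one builtin name, one array.
echo 'unvalidated: ', dispatch_unvalidated(['fn' => 'phpversion']), PHP_EOL;
$samples = [['fn' => 'send_code'], ['fn' => 'phpversion'], ['fn' => ['send_code']]];
foreach ($samples as $req) {
    $result = dispatch_allowlisted($req);
    echo json_encode($req), ' => ', $result['status'], ' ', $result['body'], PHP_EOL;
}
```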

Explanation of Vulnerability in Simple Terms

02 Summary

Verification SMS with TargetSMS versions 1.5 and earlier contain a code injection vulnerability that allows unauthenticated attackers to inject and execute arbitrary code on the site. No user interaction is required. The vulnerability affects confidentiality, integrity, and availability of the affected system and potentially other connected systems.

What an attacker can do

03 Attacker Capabilities

Run arbitrary code on the site without authentication.

Potential impact on your site

04 Site Impact

An attacker can execute malicious code, potentially compromising the entire site and connected systems.

Conditions required to exploit

05 Prerequisites

Network access to the vulnerable application; no authentication or user interaction required.

Key dates

06 Disclosure timeline

April 24, 2025 CVE published
April 8, 2026 Record updated