What the vulnerability does
01Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection.This issue affects WP SMS: from n/a through <= 6.9.12.
CVE-2026-28136
HIGH
CVE-2026-28136: WordPress WP SMS plugin <= 6.9.12 - SQL Injection vulnerability
CVSS base score
7.6/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Explanation of Vulnerability in Simple Terms
02Summary
WP SMS versions 6.9.12 and earlier contain a SQL injection vulnerability accessible to high-privilege users. An attacker with admin or equivalent access can inject malicious SQL commands through the plugin, potentially reading sensitive database information. The vulnerability affects the database layer and may impact site availability.
What an attacker can do
03Attacker Capabilities
Read sensitive data from the site database or degrade site performance.
Potential impact on your site
04Site Impact
A compromised admin account could expose user data, email addresses, or other database records.
Conditions required to exploit
05Prerequisites
Attacker must have high-level admin or equivalent privileges on the WordPress site.
Key dates
06Disclosure timeline
February 26, 2026
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2025-7469 Campcodes Sales and Inventory System product_add.php sql injection
CVE-2024-51626 WordPress Woocommerce Quote Calculator plugin <= 1.1 - SQL Injection vulnerability
CVE-2022-3118 Sourcecodehero ERP System Project processlogin.php sql injection
CVE-2025-8252 code-projects Exam Form Submission delete_s5.php sql injection
CVE-2022-0785 Daily Prayer Time < 2022.03.01 - Unauthenticated SQLi
