CVE-2026-40790 MEDIUM

CVE-2026-40790: WordPress WP SMS plugin <= 7.2.1 - Sensitive Data Exposure vulnerability

Vendor Veronalabs
Product WP SMS
Weakness CWE-288
Published June 15, 2026
Last update June 16, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Subscriber Sensitive Data Exposure in WP SMS <= 7.2.1 versions.

Explanation of Vulnerability in Simple Terms

02Summary

WP SMS versions up to 7.2.1 contain an authentication bypass that allows low-privileged users to read sensitive data they should not access. The vulnerability requires a valid user account but no additional user interaction. An attacker with low-level site access can retrieve confidential information without authorization.

What an attacker can do

03Attacker Capabilities

Read sensitive data restricted to higher-privilege users.

Potential impact on your site

04Site Impact

Confidential site data may be exposed to users with basic access (subscribers, contributors).

Conditions required to exploit

05Prerequisites

Valid low-privilege user account on the site; network access.

Key dates

06Disclosure timeline

June 15, 2026 CVE published
June 16, 2026 Record updated

Related vulnerabilities

08Related CVE