WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce

Vulnerabilities 22Slug wp-smsLatest version 7.2.4WordPress.org →

Minimum safe version

7.2.2

Update to 7.2.2 or later to address 22 fixable vulnerabilities

Latest available7.2.4 ✓

N/A

2026-04-23< 7.2.2

WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce <= 7.2.1 - Authenticated (Subscriber+) Information Exposure

Wordfence CVE

High 7.6

2026-02-26< 7.0

CVE-2026-28136

CVE Wordfence

Medium 5.9

2026-02-19< 7.1.1

CVE-2026-25343

CVE Wordfence

Medium 5.4

2025-10-22< 7.0.2

CVE-2025-62006

CVE Patchstack Wordfence

Critical 9.8

2024-08-22< 6.9.4

CVE-2024-43331

CVE Patchstack Wordfence

Medium 4.8

2024-05-13< 6.5.2

CVE-2024-34811

CVE Patchstack Wordfence

N/A

< 6.5.2

WP SMS < 6.5.2 - Contributor+ Stored Cross-Site Scripting

WPScan

Medium 4.3

2024-03-29< 6.6.3

CVE-2024-30454

CVE Wordfence Patchstack WPScan

Medium 6.5

2024-03-27< 6.4

CVE-2024-25920

CVE Wordfence Patchstack WPScan

High 7.1

2024-02-08< 6.5.3

CVE-2024-24881

CVE Wordfence Patchstack WPScan

N/A

2024-01-15< 6.5.2

WordPress WP SMS Plugin <= 6.5.1 is vulnerable to Cross Site Scripting (XSS)

Patchstack

N/A

2024-01-12< 6.5.2

WP SMS <= 6.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Wordfence

Medium 4.9

2024-01-03< 6.5.1

CVE-2023-6981

CVE Patchstack Wordfence WPScan

Medium 4.3

2024-01-03< 6.5.1

CVE-2023-6980

CVE Patchstack Wordfence WPScan

N/A

< 6.2.0

WP SMS < 6.2.0 - User Unsubscribe via CSRF

WPScan

N/A

< 5.4.9.1

WP SMS < 5.4.9.1 - Reflected Cross-Site Scripting (XSS)

WPScan

N/A

2023-07-07< 6.2.0

WP SMS <= 6.1.5 - Cross-Site Request Forgery

Wordfence

High 7.1

2023-08-30< 6.1.5

CVE-2023-32742

CVE Patchstack Wordfence WPScan

Medium 5.3

2023-12-28< 6.2.0

CVE-2023-27447

CVE Wordfence Patchstack WPScan

N/A

2021-06-30< 5.4.9.1

WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc <= 5.4.9 - Reflected Cross-Site Scripting

Wordfence

N/A

2021-06-30< 5.4.9.1

WordPress WP SMS plugin <= 5.4.9 - Reflected Cross-Site Scripting (XSS) vulnerability

Patchstack

Medium 5.4

2023-03-02< 5.4.13

WordPress WP SMS Plugin < 5.4.13 is vulnerable to Cross Site Scripting (XSS)

Patchstack CVE Wordfence WPScan