WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce < 7.2.2 – Authenticated (Subscriber+) Information Exposure | CVE 2026-40790 | Plugin Vulnerabilities

Description

The WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.

Affects Plugins

Fixed in 7.2.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d7274e11-dcd4-471b-bfaf-ae90d0e4d7e6

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Jakub Herman

Verified

No

WPVDB ID

8fcc745f-58d2-4298-b7aa-2dc6c338046f

Timeline

Publicly Published

2026-04-23 (about 20 days ago)

Added

2026-04-30 (about 13 days ago)

Last Updated

2026-04-30 (about 13 days ago)

Other

Published

Title

Published

2025-11-20

Title

BigBuy Dropshipping Connector for WooCommerce <= 2.0.5 - Unauthenticated IP Spoofing to phpinfo() Exposure

Published

2025-09-26

Title

The Tribal < 1.3.4 - Unauthenticated Sensitive Information Exposure

Published

2024-01-10

Title

Profile Builder Pro < 3.10.1 - Authenticated (Subscriber+) Time-Based One-Time Password Sensitive Information Exposure

Published

2025-03-28

Title

DAP to Autoresponders Email Syncing <= 1.0 - Unauthenticated Information Exposure

Published

2024-07-26

Title

Admin Trim Interface <= 3.5.1 - Unauthenticated Full Path Disclosure