WordPress Plugin Vulnerabilities

SMS OVH <= 0.1 - Reflected Cross-Site Scripting

Description

The plugin is vulnerable to Reflected Cross-Site Scripting via the position parameter found in the ~/sms-ovh-sent.php file which allows attackers to inject arbitrary web scripts

Affects Plugins

Plugin icon
sms-ovh
No known fix

References

CVE
CVE-2021-38357
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-38357

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
p7e4
Verified
No
WPVDB ID
98dfb20d-e2b8-42d4-818c-9bf9e326f6db

Timeline

Publicly Published
2021-09-09 (about 4 years ago)
Added
2021-09-10 (about 4 years ago)
Last Updated
2023-02-01 (about 3 years ago)

Other

Published
Title
Published
2025-05-19
Title
Sitewide Discount for WooCommerce: Apply Discount to All Products < 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-04-22
Title
ARforms < 6.4.1 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
ShrimpTest 1.0b2 - plugins/plugin-notification.php Unspecified XSS
Published
2024-03-13
Title
WPFunnels < 3.0.7 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-07-16
Title
Youtube Vimeo Video Player and Slider < 3.9 - Reflected Cross-Site Scripting