CVE-2023-6980 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the WP SMS – Messaging & SMS Notification plugin for WordPress and its integrations with WooCommerce, GravityForms, and similar platforms. This vulnerability affects all versions up to and including version 6.5 of the plugin. The root cause is the absence or improper implementation of nonce validation on the 'delete' action within the wp-sms-subscribers page. Nonces in WordPress are security tokens used to verify that a request comes from a legitimate source and to prevent unauthorized actions. Without proper nonce validation, an attacker can craft a malicious request that, if executed by an authenticated site administrator (e.g., by clicking a link or visiting a malicious page), can delete subscribers from the SMS notification list without the administrator's explicit consent. This vulnerability does not require the attacker to be authenticated, but it does require user interaction from an administrator, making it a UI:R (User Interaction Required) vulnerability. The CVSS v3.1 base score is 4.3, indicating a medium severity level. The impact is limited to integrity, as the attacker can delete subscriber data but cannot directly affect confidentiality or availability of the system. No known exploits are currently reported in the wild, and no patches or updates have been linked yet. The vulnerability is categorized under CWE-352, which is a common web security weakness related to CSRF attacks.

For European organizations using WordPress sites with the WP SMS plugin, this vulnerability poses a risk to the integrity of subscriber data managed through the plugin. Deletion of subscribers could disrupt communication workflows, especially for businesses relying on SMS notifications for customer engagement, order confirmations, or marketing campaigns. While the vulnerability does not directly compromise sensitive data confidentiality or system availability, the loss of subscriber information can lead to operational disruptions and potential reputational damage. Organizations in sectors such as e-commerce, retail, and service industries that use WooCommerce and GravityForms integrations are particularly at risk. Additionally, if attackers combine this vulnerability with social engineering tactics targeting site administrators, the risk of successful exploitation increases. Given the medium severity and the requirement for user interaction, the threat is moderate but should not be underestimated, especially for high-traffic or customer-facing websites.

To mitigate this vulnerability, organizations should first verify if they are using the affected versions of the WP SMS plugin and plan to update to a patched version once available. In the absence of an official patch, temporary mitigations include implementing additional CSRF protections at the web application firewall (WAF) level, such as blocking suspicious POST requests to the wp-sms-subscribers delete action endpoint. Administrators should be trained to avoid clicking on suspicious links or performing actions from untrusted sources while logged into the WordPress admin panel. Restricting administrative access through IP whitelisting or VPNs can reduce exposure. Additionally, monitoring and logging administrative actions related to subscriber management can help detect unauthorized deletions. Developers or site maintainers can also consider adding custom nonce validation or CSRF tokens to the affected action if feasible. Regular backups of subscriber data should be maintained to enable recovery in case of data loss.