
CVE-2023-6980: CWE-352 Cross-Site Request Forgery (CSRF) in mostafas1990 WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc

Medium
Tags: Vulnerability, CVE-2023-6980, CWE-352
Published: Wed Jan 03 2024 (01/03/2024, 05:31:18 UTC)
Source: CVE Database V5
Vendor/Project: mostafas1990
Product: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc

Description

The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5. This is due to missing or incorrect nonce validation on the 'delete' action of the wp-sms-subscribers page. This makes it possible for unauthenticated attackers to delete subscribers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AI-Powered Analysis

AI analysis last updated: 07/07/2025, 18:58:33 UTC

Technical Analysis

CVE-2023-6980 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the WP SMS – Messaging & SMS Notification plugin for WordPress and its integrations with WooCommerce, GravityForms, and similar platforms. This vulnerability affects all versions up to and including version 6.5 of the plugin. The root cause is the absence or improper implementation of nonce validation on the 'delete' action within the wp-sms-subscribers page. Nonces in WordPress are security tokens used to verify that a request comes from a legitimate source and to prevent unauthorized actions. Without proper nonce validation, an attacker can craft a malicious request that, if executed by an authenticated site administrator (e.g., by clicking a link or visiting a malicious page), can delete subscribers from the SMS notification list without the administrator's explicit consent. This vulnerability does not require the attacker to be authenticated, but it does require user interaction from an administrator, making it a UI:R (User Interaction Required) vulnerability. The CVSS v3.1 base score is 4.3, indicating a medium severity level. The impact is limited to integrity, as the attacker can delete subscriber data but cannot directly affect confidentiality or availability of the system. No known exploits are currently reported in the wild, and no patches or updates have been linked yet. The vulnerability is categorized under CWE-352, which is a common web security weakness related to CSRF attacks.

Potential Impact

For European organizations using WordPress sites with the WP SMS plugin, this vulnerability poses a risk to the integrity of subscriber data managed through the plugin. Deletion of subscribers could disrupt communication workflows, especially for businesses relying on SMS notifications for customer engagement, order confirmations, or marketing campaigns. While the vulnerability does not directly compromise sensitive data confidentiality or system availability, the loss of subscriber information can lead to operational disruptions and potential reputational damage. Organizations in sectors such as e-commerce, retail, and service industries that use WooCommerce and GravityForms integrations are particularly at risk. Additionally, if attackers combine this vulnerability with social engineering tactics targeting site administrators, the risk of successful exploitation increases. Given the medium severity and the requirement for user interaction, the threat is moderate but should not be underestimated, especially for high-traffic or customer-facing websites.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first verify if they are using the affected versions of the WP SMS plugin and plan to update to a patched version once available. In the absence of an official patch, temporary mitigations include implementing additional CSRF protections at the web application firewall (WAF) level, such as blocking suspicious POST requests to the wp-sms-subscribers delete action endpoint. Administrators should be trained to avoid clicking on suspicious links or performing actions from untrusted sources while logged into the WordPress admin panel. Restricting administrative access through IP whitelisting or VPNs can reduce exposure. Additionally, monitoring and logging administrative actions related to subscriber management can help detect unauthorized deletions. Developers or site maintainers can also consider adding custom nonce validation or CSRF tokens to the affected action if feasible. Regular backups of subscriber data should be maintained to enable recovery in case of data loss.
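The nonce mechanism described in the Technical Analysis, and the "custom nonce validation" mitigation above, look like this in a WordPress admin handler. This is an added illustration written for this page, not WP SMS code: a hypothetical subscriber-delete handler shown first without any nonce check (the CWE-352 pattern) and then hardened with a capability check and `check_admin_referer()`. All `wpsms_demo_*` names and the table name are assumptions.

```php
<?php
// Added illustration, not WP SMS plugin code. The wpsms_demo_* names and the
// 'wpsms_demo_subscribers' table are assumptions made for this example.

// Weak form: reads an ID and deletes with no nonce check. A page an authenticated
// administrator merely visits can cause this request to be sent on their behalf.
function wpsms_demo_delete_subscriber_unprotected() {
    global $wpdb;
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    $wpdb->delete( $wpdb->prefix . 'wpsms_demo_subscribers', array( 'ID' => $id ), array( '%d' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=wp-sms-demo-subscribers' ) );
    exit;
}

// Hardened form: capability check plus a nonce bound to this action and this ID.
function wpsms_demo_delete_subscriber_protected() {
    global $wpdb;
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;

    // Authorisation: only users allowed to manage the plugin may delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wpsms-demo' ), '', array( 'response' => 403 ) );
    }

    // CSRF defence: check_admin_referer() verifies the '_wpnonce' query argument
    // against the per-user, time-limited nonce for this exact action and ID.
    // A cross-site request cannot carry a valid value, so it is rejected with 403.
    check_admin_referer( 'wpsms_demo_delete_subscriber_' . $id );

    $wpdb->delete( $wpdb->prefix . 'wpsms_demo_subscribers', array( 'ID' => $id ), array( '%d' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=wp-sms-demo-subscribers&deleted=1' ) );
    exit;
}

// The legitimate delete link embeds the matching nonce, so the check passes only
// for links rendered by the plugin's own admin page for the current user.
function wpsms_demo_delete_link( $id ) {
    $url = admin_url( 'admin-post.php?action=wpsms_demo_delete&id=' . absint( $id ) );
    return wp_nonce_url( $url, 'wpsms_demo_delete_subscriber_' . absint( $id ) );
}

// Only the protected handler is wired up; the unprotected one is shown for contrast.
add_action( 'admin_post_wpsms_demo_delete', 'wpsms_demo_delete_subscriber_protected' );
```

Because the nonce is derived from the action name, the subscriber ID, the logged-in user and the current time window, a link copied from one administrator's session is not valid for another user or after the nonce tick expires.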


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2023-12-20T07:50:43.491Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6842df031a426642debc9653

Added to database: 6/6/2025, 12:28:51 PM

Last enriched: 7/7/2025, 6:58:33 PM

Last updated: 8/12/2025, 3:08:05 PM

