CVE-2025-3776 is a code injection vulnerability classified under CWE-94, affecting the 'Verification SMS with TargetSMS' plugin for WordPress developed by cajka. This vulnerability exists in all versions up to and including 1.5 of the plugin. The root cause is improper validation in the 'targetvr_ajax_handler' function, which fails to restrict the types of callable functions that can be executed via AJAX requests. As a result, unauthenticated attackers can remotely invoke any callable PHP function on the affected WordPress site. This includes potentially sensitive functions such as phpinfo(), which can disclose detailed server configuration and environment information. Although the vulnerability is described as limited Remote Code Execution (RCE), the ability to execute arbitrary PHP functions without authentication poses a significant risk. The plugin is used to facilitate SMS verification, which may be integrated into user authentication or notification workflows, increasing the attack surface. No patches or fixes have been published at the time of this report, and no known exploits are currently observed in the wild. The vulnerability was reserved and published in April 2025, with enrichment from CISA, indicating recognition by authoritative cybersecurity bodies. The lack of input validation and unrestricted function calls make this a critical flaw that could be leveraged for further exploitation, including privilege escalation, data exfiltration, or site defacement, depending on the functions callable and the server environment.

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on WordPress sites with the affected plugin installed. Exploitation could lead to unauthorized disclosure of sensitive information, such as configuration details, environment variables, or even database credentials if callable functions are abused. This compromises confidentiality and potentially integrity if attackers modify site content or user data. Availability could also be affected if attackers execute functions that disrupt normal operations or cause denial of service. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, face increased risk of regulatory penalties and reputational damage. Additionally, since the plugin handles SMS verification, attackers might bypass or manipulate authentication workflows, undermining user trust and security. The unauthenticated nature of the exploit increases the threat level, as attackers do not require valid credentials or user interaction, enabling automated scanning and exploitation. The absence of known exploits in the wild currently limits immediate widespread impact but does not reduce the urgency for mitigation, as the vulnerability is publicly disclosed and could be weaponized rapidly.

Immediately audit WordPress installations to identify the presence of the 'Verification SMS with TargetSMS' plugin, especially versions up to 1.5. Disable or uninstall the plugin if it is not essential to business operations until a secure patch or update is available. If the plugin is critical, implement Web Application Firewall (WAF) rules to block or restrict access to the 'targetvr_ajax_handler' AJAX endpoint, limiting exposure to unauthenticated requests. Employ strict input validation and sanitization at the application level to restrict callable functions to a safe whitelist, if custom modifications are feasible. Monitor web server and application logs for unusual or suspicious AJAX requests targeting the vulnerable function, enabling early detection of exploitation attempts. Isolate WordPress environments with this plugin on segmented networks to reduce lateral movement risk in case of compromise. Engage with the plugin vendor or community to track the release of official patches and apply them promptly once available. Conduct regular security assessments and penetration testing focusing on plugin vulnerabilities and remote code execution vectors.