WP SMS for WordPress can be tricked into running malicious SQL commands

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.6

WP SMS for WordPress can be tricked into running malicious SQL commands

CVE-2026-28136

Summary

If an attacker knows how, they can use WP SMS for WordPress to execute unauthorized SQL commands, potentially accessing sensitive data or disrupting the site. This could happen if you're using a version of WP SMS that's affected. To stay safe, update to the latest version of WP SMS, version 6.9.13 or higher.

Original title

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection.This issue affects WP SMS: from n/a through <= 6....

Original description

nvd CVSS3.1 7.6

Vulnerability type

CWE-89 SQL Injection

https://patchstack.com/database/Wordpress/Plugin/wp-sms/vulnerability/wordpress-...

Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026