CVE-2024-56038

High

Published: 02 January 2025

Published

02 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0023 45.7th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catalinsendsms SendSMS sendsms allows Reflected XSS.This issue affects SendSMS: from n/a through <= 1.2.9.

Security Summary

CVE-2024-56038 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS), in the SendSMS WordPress plugin developed by catalinsendsms. The issue affects SendSMS versions from n/a through 1.2.9 and is associated with CWE-79.

Attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), such as clicking a malicious link. Exploitation changes the scope (S:C) and results in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), with an overall CVSS v3.1 score of 7.1. This enables execution of arbitrary scripts in the victim's browser context, potentially leading to session hijacking or data theft.

The Patchstack advisory provides details on this WordPress SendSMS plugin vulnerability, including assessment and recommended actions for mitigation.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/sendsms/vulnerability/wordpress-sendsms-plugin-1-2-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com