Verification SMS with TargetSMS <= 1.5 - Unauthenticated Limited Remote Code Execution
Platform
wordpress
Component
verification-sms-targetsms
Fixed in
1.5.1
CVE-2025-3776 is a Remote Code Execution (RCE) vulnerability affecting the Verification SMS with TargetSMS plugin for WordPress. This vulnerability allows unauthenticated attackers to execute arbitrary code on the affected WordPress site, potentially leading to complete system compromise. The vulnerability impacts versions 0.0.0 through 1.5 and is due to a lack of validation within the 'targetvrajaxhandler' function. A patch is expected from the vendor.
Impact and Attack Scenarios
The impact of CVE-2025-3776 is significant due to the ease of exploitation and the potential for complete system takeover. An attacker can leverage this vulnerability to execute arbitrary PHP code on the WordPress server, allowing them to modify website content, steal sensitive data (user credentials, database information), install malware, or even gain full control of the server. The lack of authentication required for exploitation further amplifies the risk, making it accessible to a wide range of attackers. Successful exploitation could mirror the impact of other WordPress plugin vulnerabilities where attackers have leveraged RCE to deploy webshells and establish persistent access.
Exploitation Context
CVE-2025-3776 was publicly disclosed on April 24, 2025. The vulnerability's ease of exploitation and the potential for complete system compromise suggest a medium probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.
Who Is at Risk
WordPress websites utilizing the Verification SMS with TargetSMS plugin, particularly those running older, unpatched versions (0.0.0 – 1.5), are at significant risk. Shared hosting environments are especially vulnerable as they often have limited control over plugin updates and security configurations. Websites relying on this plugin for SMS verification services are also at increased risk of data breaches and service disruption.
Detection Steps
• wordpress / composer / npm:
grep -r 'targetvr_ajax_handler' /var/www/html/wp-content/plugins/verification-sms-with-targetsms/
• wordpress / composer / npm:
wp plugin list | grep 'verification-sms-with-targetsms'
• wordpress / composer / npm:
curl -I http://your-wordpress-site.com/wp-admin/admin-ajax.php?action=targetvr_ajax_handler
• generic web:
Review WordPress access logs for requests to /wp-admin/admin-ajax.php?action=targetvrajaxhandler originating from unusual IP addresses.
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.68% (71st percentile)
CISA SSVC
CVSS vector
What do these metrics mean?
- Attack Vector
- Network: remotely exploitable over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- None: no authentication required to exploit.
- User Interaction
- None: automatic and silent attack. The victim does nothing.
- Scope
- Changed: the attack can extend beyond the vulnerable component to other systems.
- Confidentiality
- Low: partial access to some data.
- Integrity
- Low: the attacker can modify some data to a limited extent.
- Availability
- Low: partial or intermittent denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-3776 is to upgrade the Verification SMS with TargetSMS plugin to a patched version as soon as it becomes available. Until a patch is released, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, implement a Web Application Firewall (WAF) rule to block requests to the 'targetvrajaxhandler' endpoint. Additionally, review WordPress user roles and permissions to ensure that only authorized users have access to sensitive functions. Monitor WordPress access logs for suspicious activity, particularly requests originating from unknown IP addresses targeting the vulnerable endpoint. After upgrading, confirm the fix by attempting to trigger the vulnerable function and verifying that it is properly validated.
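The detection steps above and the log-monitoring advice in the mitigation section can be carried out with a small script. The following Python is an added example, not code from the advisory or from the plugin: it reads the plugin's header to decide whether the installed version falls below the fixed version 1.5.1, and scans access-log lines for admin-ajax.php requests whose `action` parameter names the vulnerable handler. Because the page spells the handler both 'targetvrajaxhandler' and 'targetvr_ajax_handler', the matcher accepts either form. The plugin header text, the log lines, the IP addresses and the allowlist are all constructed sample data.

```python
"""Defensive checks for CVE-2025-3776 (Verification SMS with TargetSMS <= 1.5).

1. plugin_version() / is_affected_version(): read the WordPress plugin header
   and compare the installed version against the advisory's fixed version.
2. find_suspicious_requests(): scan web-server access-log lines for
   admin-ajax.php requests whose `action` names the vulnerable handler and
   report source IPs that are not on an allowlist (e.g. your own scanners).

All sample data below is constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = "1.5.1"  # "Fixed in" value from the advisory

# The advisory uses both spellings of the handler name; match either.
VULN_ACTION_RE = re.compile(r"^targetvr_?ajax_?handler$", re.IGNORECASE)

# Standard WordPress plugin header line, e.g. " * Version: 1.5"
VERSION_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)

# Apache/nginx "combined" log prefix: ip ident user [time] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """Turn '1.5' into (1, 5, 0) so that 1.5 sorts below 1.5.1."""
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def plugin_version(plugin_main_file_text):
    """Return the Version: header value from a plugin's main PHP file, or None."""
    match = VERSION_HEADER_RE.search(plugin_main_file_text)
    return match.group(1) if match else None


def is_affected_version(version):
    """Affected range is 0.0.0 through 1.5, i.e. anything below the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_suspicious_requests(log_lines, allowlist=frozenset()):
    """Return (ip, method, status) for admin-ajax.php hits naming the vulnerable action.

    Caveat: admin-ajax.php actions are often sent in a POST body, which access
    logs do not record; this only catches the action when it is in the query string.
    """
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a parseable combined-format line
        url = urlsplit(match.group("path"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        actions = parse_qs(url.query).get("action", [])
        if not any(VULN_ACTION_RE.match(a) for a in actions):
            continue
        ip = match.group("ip")
        if ip in allowlist:
            continue  # known internal scanner or monitoring host
        hits.append((ip, match.group("method"), match.group("status")))
    return hits


# Constructed sample plugin header (not the real plugin file).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Verification SMS with TargetSMS
 * Version: 1.5
 */
"""

# Constructed sample log lines using documentation IP ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Apr/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=targetvr_ajax_handler&x=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [24/Apr/2025:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=targetvrajaxhandler HTTP/1.1" 200 88',
    '192.0.2.10 - - [24/Apr/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30',
    '10.0.0.5 - - [24/Apr/2025:10:03:00 +0000] "HEAD /wp-admin/admin-ajax.php?action=targetvr_ajax_handler HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    installed = plugin_version(SAMPLE_PLUGIN_HEADER)
    print(f"installed {installed}, affected: {is_affected_version(installed)}")
    for ip, method, status in find_suspicious_requests(SAMPLE_LOG, allowlist={"10.0.0.5"}):
        print(f"suspicious: {ip} {method} -> {status}")
```

In practice, feed `plugin_version()` the contents of the plugin's main file under wp-content/plugins/ and `find_suspicious_requests()` the real access log; a WAF rule built on the same `action` match, as the mitigation section suggests, should also inspect POST bodies, which this log-based check cannot see.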
How to Fix
Update the Verification SMS with TargetSMS plugin to the latest available version to mitigate the remote code execution vulnerability. Check the official plugin source on WordPress.org for the most recent update and follow the installation instructions provided.
Frequently Asked Questions
What is CVE-2025-3776 — RCE in Verification SMS with TargetSMS?
CVE-2025-3776 is a Remote Code Execution vulnerability in the Verification SMS with TargetSMS WordPress plugin, allowing attackers to execute code on your server.
Am I affected by CVE-2025-3776 in Verification SMS with TargetSMS?
You are affected if your WordPress site uses the Verification SMS with TargetSMS plugin and is running version 0.0.0 through 1.5.
How do I fix CVE-2025-3776 in Verification SMS with TargetSMS?
Upgrade the Verification SMS with TargetSMS plugin to the latest available version as soon as a patch is released. Disable the plugin as a temporary workaround.
Is CVE-2025-3776 being actively exploited?
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a potential for active exploitation.
Where can I find the official Verification SMS with TargetSMS advisory for CVE-2025-3776?
Check the plugin developer's website or WordPress plugin repository for updates and security advisories related to CVE-2025-3776.