CVE-2021-38357: 
WordPress vulnerability analysis and mitigation

The SMS OVH WordPress plugin (versions up to and including 0.1) was identified with a Reflected Cross-Site Scripting vulnerability, tracked as CVE-2021-38357. The vulnerability was discovered and reported by researcher p7e4, with the initial public disclosure occurring on September 9, 2021. The security issue affects the plugin's sent message functionality, specifically within the sms-ovh-sent.php file (WPScan).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists in the position parameter found in the ~/sms-ovh-sent.php file, which allows attackers to inject arbitrary web scripts. The severity of this vulnerability has been assessed with a CVSS v3.1 Base Score of 6.1 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Wordfence).

The vulnerability allows attackers to inject arbitrary web scripts through the position parameter, potentially leading to the execution of malicious JavaScript code in users' browsers. This could result in theft of sensitive information, session hijacking, or other client-side attacks when users interact with the compromised plugin functionality (WPScan).

As of the latest available information, there is no known fix for this vulnerability. Users of the SMS OVH WordPress plugin version 0.1 or earlier should consider removing or disabling the plugin until a security patch is available (WPScan).