CVE-2023-6980: 
WordPress vulnerability analysis and mitigation

The WP SMS – Messaging & SMS Notification for WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 6.5. The vulnerability exists due to missing or incorrect nonce validation on the 'delete' action of the wp-sms-subscribers page. This vulnerability was discovered and reported in January 2024, affecting the WordPress plugin developed by VeronaLabs (NVD).

The vulnerability stems from inadequate security controls in the subscriber deletion functionality. Specifically, the 'delete' action on the wp-sms-subscribers page lacked proper nonce validation, which is essential for preventing CSRF attacks. The issue was assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (Wordfence).

The vulnerability allows unauthenticated attackers to delete subscribers from the system by tricking administrators into performing specific actions, such as clicking on a malicious link. This could lead to unauthorized removal of subscribers from the SMS notification system, potentially disrupting communication channels (NVD).

The vulnerability has been patched in version 6.5.1 of the WP SMS plugin. The fix includes the implementation of proper nonce validation for the subscriber deletion functionality. Users are strongly advised to update to version 6.5.1 or later to protect against this vulnerability (GitHub Patch).