Remote Code Execution Vulnerability in Verification SMS Plugin for WordPress
CVE-2025-3776
Key Information:
- Vendor
- WordPress
- Vendor
- CVE Published:
- 24 April 2025
Badges
What is CVE-2025-3776?
CVE-2025-3776 is a vulnerability found in the Verification SMS Plugin for WordPress, specifically in versions up to and including 1.5. This plugin is designed to add a two-factor authentication layer to WordPress sites by sending verification codes via SMS. The identified weakness lies within the 'targetvr_ajax_handler' function, which allows unauthenticated attackers to perform Remote Code Execution due to insufficient validation on the types of functions that can be invoked. If exploited, this vulnerability could enable attackers to execute arbitrary PHP functions on the affected site, posing a significant threat to the integrity and security of the organization’s web presence.
Technical Details
The vulnerability is characterized by a failure to properly validate function calls within the Verification SMS Plugin. This oversight allows attackers to call any function that can be accessed through the plugin’s AJAX interface. With the potential to run functions such as phpinfo()
, attackers can gain insights into the server's configuration, which may assist them in further exploits or malicious activities. As a critical vector for Remote Code Execution, the flaw highlights a substantial security gap in the plugin's architecture, necessitating immediate attention from users of the affected software.
Potential impact of CVE-2025-3776
-
Unauthorized Access: Attackers can exploit this vulnerability to execute arbitrary PHP functions without authentication, potentially granting them unauthorized access to sensitive data and system information.
-
System Compromise: The ability to run commands on the server could lead to full system compromise, allowing attackers to deploy malware, manipulate files, or escalate their privileges within the organization's environment.
-
Reputation Damage: Successful exploitation of this vulnerability could lead to data breaches or service disruptions, resulting in significant reputational harm to organizations. This could erode customer trust and lead to financial losses, particularly for those relying on WordPress as a business platform.
Affected Version(s)
Verification SMS with TargetSMS * <= 1.5
News Articles

CVE-2025-3776: Remote Code Execution Vulnerability in WordPress TargetSMS Plugin - Cybersecurity Exploit Tracker by Ameeba
Overview The world of cybersecurity is an ever-evolving landscape, with new threats constantly emerging. One such threat that has recently been identified and categorized under the Common Vulnerabilities and Exposures (CVE) system is CVE-2025-3776. This vulnerability affects the WordPress plugin, Ve...
4 days ago
References
CVSS V3.1
Timeline
- 🥇
Vulnerability reached the number 1 worldwide trending spot
- 👾
Exploit known to exist
- 📰
First article discovered by ameeba.com
- 📈
Vulnerability started trending
Vulnerability published
Vulnerability Reserved