PatchSiren cyber security CVE debrief
CVE-2022-50960 WordPress CVE debrief
CVE-2022-50960 covers a reflected cross-site scripting issue in the WordPress plugin International Sms For Contact Form 7 Integration version 1.2. The supplied description says attacker-controlled input in the page parameter of class-sms-log-display.php can be used to execute arbitrary JavaScript in an administrator’s browser.
- Vendor: WordPress
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-10
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-10
- Advisory updated: 2026-05-10
Who should care
WordPress site owners and administrators running International Sms For Contact Form 7 Integration, especially in environments where the plugin’s admin settings pages are accessible to privileged users. Security teams should also care because the issue can execute script in an admin context and may affect account actions or session integrity.
Technical summary
The supplied NVD record classifies the issue as CWE-79 and describes it as a reflected XSS condition reachable through the page parameter in the plugin’s admin settings interface. The provided CVSS vector indicates network attackability with user interaction required and no attacker privileges needed. In practice, this means a crafted link or request could cause attacker-supplied JavaScript to run in the browser of an administrator who loads the affected page.
Defensive priority
Medium priority. Remediate promptly if the plugin is installed and actively used, because the vulnerability targets administrator browsers and can affect privileged sessions or actions.
Recommended defensive actions
- Confirm whether WordPress International Sms For Contact Form 7 Integration is installed, and verify the deployed version.
- Remove or disable the plugin if it is not required.
- Apply an upstream fix or update if a patched version is available from the plugin author or official plugin page.
- Restrict access to WordPress administrator accounts and keep admin MFA, least privilege, and strong session protections enabled.
- Review logs and security tooling for suspicious requests to the plugin’s admin settings interface.
- Validate that any custom code or patches properly encode untrusted output on the affected page.
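For the log-review step above, one way to triage web server access logs is to flag any wp-admin request whose page parameter is not a plain slug. This is an added example, not code from the advisory or the plugin; the Combined Log Format layout, the allowlist of slug characters, the slug name example-settings and the sample log lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate admin page slugs use only these characters.
SLUG_OK = re.compile(r"[A-Za-z0-9_.-]+")
# Request field of a Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2026:10:00:00 +0000] "GET /wp-admin/admin.php?page=example-settings HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/May/2026:10:01:00 +0000] "GET /wp-admin/admin.php?page=example-settings%22%3E%3Cx%3E HTTP/1.1" 200 5200',
    '203.0.113.9 - - [10/May/2026:10:02:00 +0000] "GET /index.php?page=%3Cx%3E HTTP/1.1" 404 310',
    '198.51.100.7 - - [10/May/2026:10:03:00 +0000] "GET /blog/wp-admin/admin.php?page=example%253Cx%253E HTTP/1.1" 200 5200',
]

def suspicious_page_values(log_lines):
    """Return (line_number, decoded_value) for wp-admin requests whose
    page parameter contains anything outside the slug allowlist."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parseable request line
        url = urlsplit(match.group("target"))
        # Substring match also covers WordPress installed in a subdirectory.
        if "/wp-admin/" not in url.path:
            continue
        # parse_qs decodes once; a double-encoded value still contains '%'
        # after decoding, so the allowlist flags it as well.
        for value in parse_qs(url.query, keep_blank_values=True).get("page", []):
            if not SLUG_OK.fullmatch(value):
                hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in suspicious_page_values(SAMPLE_LOG):
        print(f"line {number}: page={value!r}")
```

An allowlist is used instead of a list of known-bad strings so that encoded or unusual variants are flagged without enumerating them; hits are leads for review, not proof of exploitation.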
Evidence notes
This debrief is based only on the supplied CVE/NVD record and its listed references. The record identifies CWE-79 and includes references to the official WordPress plugin page, an Exploit-DB entry, and a VulnCheck advisory. No fixed version, exploitation campaign, or KEV data was provided in the source corpus.
Official resources
Publicly recorded in the CVE/NVD dataset on 2026-05-10. No KEV listing or ransomware linkage was supplied in the provided corpus.