CVE-2025-3776

HIGH

WordPress TargetSMS <= 1.5 - Unauthenticated Callable Function Execution

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-3776. PoCs published by Nxploited, Boshe99.

AI-analyzed exploit summary

This is a functional exploit for CVE-2025-3776, targeting a Remote Code Execution (RCE) vulnerability in the 'Verification SMS with TargetSMS' WordPress plugin <= 1.5. The exploit leverages an unsafe use of `call_user_func()` on user-controlled input, allowing unauthenticated attackers to execute arbitrary commands if a malicious function is pre-loaded into memory.

Description

The Verification SMS with TargetSMS plugin for WordPress is vulnerable to limited Remote Code Execution in all versions up to, and including, 1.5 via the 'targetvr_ajax_handler' function. The handler does not validate which function name it will invoke, so any callable reachable from the request is accepted. This makes it possible for unauthenticated attackers to execute any callable function on the site, such as phpinfo().
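The pattern behind CWE-94 here, shown as an added illustration that is not the plugin's own code: a dispatcher that feeds a request-supplied name to `call_user_func()`, next to a hardened version that maps request values onto a fixed allowlist. The parameter names (`func`, `op`), the two handler functions and the sample requests are assumptions constructed for the example; run it with `php` on the command line.

```php
<?php
declare(strict_types=1);

// Added example, not code from the TargetSMS plugin. It reproduces the class of
// bug the advisory describes (call_user_func() on user input) and a safe form.
// Function names, parameter names and request payloads below are assumed.

function targetvr_send_code(): string   { return 'code sent'; }
function targetvr_verify_code(): string { return 'code verified'; }

// VULNERABLE: is_callable() only answers "can PHP call this string?". Every
// built-in (phpinfo, php_uname, ...) and every function loaded into the process
// passes, so the request decides what runs. No arguments are forwarded, which is
// why the advisory calls the impact "limited" RCE rather than arbitrary commands.
function vulnerable_dispatch(array $request): string
{
    $func = $request['func'] ?? '';
    if (is_string($func) && is_callable($func)) {
        return (string) call_user_func($func);
    }
    return 'not callable';
}

// HARDENED: the request value is only ever a key into a constant map, so the
// callable itself never originates from user input. Unknown keys are rejected
// before anything is invoked. In a real WordPress handler you would also gate
// this behind a nonce check (check_ajax_referer) and, where appropriate, a
// capability check (current_user_can).
const TARGETVR_ALLOWED = [
    'send'   => 'targetvr_send_code',
    'verify' => 'targetvr_verify_code',
];

function hardened_dispatch(array $request): string
{
    $op = $request['op'] ?? '';
    if (!is_string($op) || !array_key_exists($op, TARGETVR_ALLOWED)) {
        return 'rejected';
    }
    return (string) call_user_func(TARGETVR_ALLOWED[$op]);
}

// Constructed requests: one legitimate call and one attacker-chosen function
// name. php_uname() is a zero-argument built-in that returns the host's
// OS/kernel banner, a convenient stand-in for phpinfo() without its HTML output.
echo "vulnerable, legit op:     ", vulnerable_dispatch(['func' => 'targetvr_send_code']), "\n";
echo "vulnerable, attacker op:  ", vulnerable_dispatch(['func' => 'php_uname']), "\n";
echo "hardened, legit op:       ", hardened_dispatch(['op' => 'send']), "\n";
echo "hardened, attacker op:    ", hardened_dispatch(['op' => 'php_uname']), "\n";
```

The second line of output is the point: the vulnerable dispatcher happily runs a function the developer never intended to expose. The "pre-loaded malicious function" prerequisite in the exploit summaries refers to the same mechanism, since a function such as `evil()` defined in an active theme or another plugin is just another string that `is_callable()` accepts.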

Exploits (2)

Source: nomisec · Working PoC · 7 stars
by Nxploited · poc
https://github.com/Nxploited/CVE-2025-3776

This is a functional exploit for CVE-2025-3776, targeting a Remote Code Execution (RCE) vulnerability in the 'Verification SMS with TargetSMS' WordPress plugin <= 1.5. The exploit leverages an unsafe use of `call_user_func()` on user-controlled input, allowing unauthenticated attackers to execute arbitrary commands if a malicious function is pre-loaded into memory.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Verification SMS with TargetSMS WordPress Plugin <= 1.5
No auth needed
Prerequisites: A callable function (e.g., `evil()`) must be pre-loaded into the WordPress environment, typically via theme file modification or another vulnerability.
devstral-2 · analyzed Feb 16, 2026
Source: github · Working PoC
by Boshe99 · python poc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2025-3776

The repository contains functional exploit code for CVE-2025-3776, targeting a WordPress plugin (3DPrint Lite 1.9.1.4) with an arbitrary file upload vulnerability. The Python script demonstrates the exploit by uploading a shell to a vulnerable endpoint.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
No auth needed
Prerequisites: target URL · shell file path
devstral-2 · analyzed Feb 27, 2026

Scores

CVSS v3 8.3
EPSS 0.0074
EPSS Percentile 49.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-94
Status published
Products (1)
cajka/Verification SMS with TargetSMS <= 1.5
Published Apr 24, 2025
Tracked Since Feb 18, 2026