CVE-2025-62915

clicksend · clicksend SMS Contact Multiple Products

A high-severity Missing Authorization vulnerability has been identified in the clicksend SMS Contact Form 7 Notifications plugin.

Executive summary

The Missing Authorization flaw in the clicksend SMS Contact Form 7 Notifications plugin could allow a remote attacker to reach plugin functions that should be restricted to administrators without the permission check that normally guards them. Possible consequences are exposure of contact form data, unauthorized use of the site's ClickSend SMS account, and disruption of SMS-based business communications. Apply the vendor update promptly to reduce the risk.

Vulnerability

The vulnerability exists because critical functions in the "clicksend SMS Contact Form 7 Notifications" plugin lack proper authorization checks: the code that handles the request does not verify that the caller holds the capability the function requires. An unauthenticated or low-privileged attacker can therefore send a crafted request to the plugin's administrative endpoints and have it processed. Depending on the function reached, this allows the attacker to view, modify, or delete SMS notification configuration, read contact form submission data that may contain personally identifiable information (PII), and potentially use the site's configured ClickSend account to send unauthorized SMS messages.
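To make the flaw class concrete, the following added example shows what a Missing Authorization bug typically looks like in a WordPress plugin's AJAX handler, next to a hardened version. This is illustrative code written for this page, not code from the clicksend plugin; the action names, option name, function names and settings fields are assumptions, and the real plugin's endpoints may be structured differently.

```php
<?php
/**
 * Illustrative Missing Authorization (CWE-862) pattern in a WordPress plugin.
 * Added example for this page; not the clicksend plugin's own code. All
 * names below (actions, option key, functions) are assumptions.
 */

// --- Vulnerable shape -------------------------------------------------------
// The handler changes site state but never asks WordPress whether the caller is
// allowed to. Registering it with wp_ajax_nopriv_ exposes it to anonymous
// visitors as well; with wp_ajax_ alone it is still reachable by any logged-in
// user (e.g. a subscriber), which is the "low-privileged attacker" case.
function example_sms_save_settings_vulnerable() {
    $settings = array(
        'api_key'   => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'recipient' => sanitize_text_field( wp_unslash( $_POST['recipient'] ?? '' ) ),
    );
    update_option( 'example_sms_settings', $settings ); // assumed option key
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_example_sms_save_vuln',        'example_sms_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_sms_save_vuln', 'example_sms_save_settings_vulnerable' );

// --- Hardened shape ---------------------------------------------------------
// Authorization (capability) and request-forgery (nonce) checks run before any
// state changes, and the handler is never registered for nopriv. Hiding the
// settings page from non-admins is not a substitute: admin-ajax.php is reachable
// regardless of which menus a user can see.
function example_sms_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    // The nonce is issued only to authorized users on the settings page via
    // wp_create_nonce( 'example_sms_save' ) and sent as _ajax_nonce.
    check_ajax_referer( 'example_sms_save', '_ajax_nonce' ); // dies on failure

    $settings = array(
        'api_key'   => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'recipient' => sanitize_text_field( wp_unslash( $_POST['recipient'] ?? '' ) ),
    );
    update_option( 'example_sms_settings', $settings );
    // Do not echo the API key back in the response.
    wp_send_json_success( array( 'recipient' => $settings['recipient'] ) );
}
add_action( 'wp_ajax_example_sms_save', 'example_sms_save_settings_hardened' );

// The same mistake in REST form is a permission_callback that always returns
// true; the hardened registration ties the route to the capability instead.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-sms/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_sms_save_settings_hardened',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When auditing a plugin for this class, look for every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and `register_rest_route` registration and confirm that the callback (or its `permission_callback`) checks a capability before reading or writing anything; a nonce check alone is not authorization, since nonces are issued to every logged-in user.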

Business impact

This vulnerability is rated High severity with a CVSS score of 8.1. Unauthorized access to contact form data could amount to a data breach, with the regulatory and reputational consequences that follow. An attacker who can send messages through the organization's ClickSend account can run up SMS charges and use the organization's sender identity for spam or phishing. The ability to alter or disable notification settings could also silently break business processes that depend on timely SMS alerts.

Remediation

Immediate Action: Apply the security patches released by the vendor across all affected systems without delay. After patching, review the plugin's configuration and the ClickSend account for any signs of unauthorized changes or activity that may have occurred prior to remediation.

Proactive Monitoring: Review web server access logs for POST or GET requests to the plugin's administrative URLs (typically under wp-admin, including admin-ajax.php and admin-post.php, or under the wp-json REST prefix) from unexpected IP addresses. Note that standard access logs do not record WordPress login state, so "unauthenticated" requests must be inferred, for example from source addresses that reach admin endpoints without ever having visited wp-login.php. Monitor the ClickSend account's message history for sends that do not correlate with legitimate contact form activity. Set up alerts for changes to the plugin's configuration in the database (its options) and to its files on disk.

Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:

  • Use a Web Application Firewall (WAF) to create virtual patching rules that block requests to the vulnerable plugin functions from anyone other than trusted administrators.
  • Restrict access to the website's administrative dashboard (e.g., wp-admin) to trusted IP addresses only. If front-end features of the site depend on admin-ajax.php, exempt that file or restrict it separately, since a blanket wp-admin rule will break them.
  • Temporarily disable the plugin if its functionality is not critical to business operations until a patch can be safely deployed.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the CVSS score of 8.1 and the direct risk to sensitive data and to the organization's SMS account, we strongly recommend prioritizing the vendor-supplied security update. This CVE is not currently on the CISA KEV list; that list tracks evidence of active exploitation rather than severity, so absence from it should not be read as low risk for an easily reachable authorization flaw. The current lack of a public exploit provides a window in which to patch before exploitation becomes routine.