Description
The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders.
Published: 2026-01-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Settings Modification
Action: Immediate Patch
AI Analysis

Impact

The miniOrange OTP Verification and SMS Notification for WooCommerce plugin lacks a capability check on the enable_wc_sms_notification AJAX action in all versions up to 4.3.8. This omission allows any unauthenticated user to trigger the action and enable or disable SMS notification settings for WooCommerce orders. The resulting privilege‑bypass can alter order communication behavior, potentially preventing customers from receiving order confirmations or allowing attackers to disable security notifications.

Affected Systems

The vulnerable component is the WordPress plugin "miniOrange OTP Verification and SMS Notification for WooCommerce" by cyberlord92. All releases with a version number of 4.3.8 or earlier are impacted. Site operators using these versions on WooCommerce‑based e‑commerce sites that rely on SMS notifications for order updates are at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate impact, and the EPSS value of less than 1 % suggests a low probability of exploitation at this time. The weakness is classified as CWE‑862 (Missing Authorization). Exploitation requires only a crafted AJAX request to the vulnerable endpoint and does not require authenticated access, making the attack vector remote and straightforward for attackers who discover the endpoint.

Generated by OpenCVE AI on April 21, 2026 at 00:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the miniOrange OTP Verification and SMS Notification for WooCommerce plugin to any release newer than 4.3.8.
  • If an update is not feasible, remove or disable the enable_wc_sms_notification AJAX handler to block unauthenticated modification attempts.
  • Implement a custom capability check to ensure that only users with the "manage_woocommerce" capability (or equivalent) can invoke the notification change action, restoring proper authorization controls.

Generated by OpenCVE AI on April 21, 2026 at 00:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Miniorange
Miniorange otp Verification
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Miniorange
Miniorange otp Verification
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Mon, 12 Jan 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 10 Jan 2026 07:15:00 +0000

Type Values Removed Values Added
Description The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders.
Title miniOrange OTP Verification and SMS Notification for WooCommerce <= 4.3.8 - Missing Authorization to Unauthenticated Notification Settings Modification
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Miniorange Otp Verification
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:56.682Z

Reserved: 2025-12-19T04:14:38.233Z

Link: CVE-2025-14948

cve-icon Vulnrichment

Updated: 2026-01-12T13:08:07.591Z

cve-icon NVD

Status : Deferred

Published: 2026-01-10T07:16:02.673

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14948

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:30:22Z

Weaknesses