Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows Reflected XSS. This issue affects SMS Alert Order Notifications: from n/a through <= 3.7.8.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross-site scripting flaw in the Cozy Vision SMS Alert Order Notifications WordPress plugin. It allows an attacker to craft a malicious URL that injects executable JavaScript into the page generated by the plugin. The injected script runs in the browser of any user who follows the crafted link, enabling the attacker to steal cookies, hijack sessions, or perform other client-side attacks against affected WordPress sites.

Affected Systems

Cozy Vision SMS Alert Order Notifications plugin for WordPress, versions up through and including 3.7.8. WordPress sites that have the plugin installed and configured to display order notifications are affected.

Risk and Exploitability

The CVSS score of 7.1 indicates a high-severity vulnerability. The EPSS score of less than 1% indicates a low estimated likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user to load a page that reflects the attacker's input, typically after being lured to a crafted URL or following a link sent via SMS or email. The plugin processes user data without proper sanitization, so the attack vector is a simple web-based request to the affected WordPress site.

Generated by OpenCVE AI on May 1, 2026 at 14:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest version (≥3.7.9) where input is properly sanitized.
  • If an upgrade is not immediately possible, remove or deactivate the SMS Alert Order Notifications plugin until a patch is applied.
  • Filter or encode all user‑supplied data before rendering in the WordPress front‑end to guard against XSS, following best practices for WordPress plugin security.


Advisories
Source: EUVD
ID: EUVD-2025-5626
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozy Vision SMS Alert Order Notifications – WooCommerce allows Reflected XSS. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.7.8.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozy Vision SMS Alert Order Notifications – WooCommerce allows Reflected XSS. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.7.8.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows Reflected XSS. This issue affects SMS Alert Order Notifications: from n/a through <= 3.7.8.

Type: First Time appeared
Values Added: Cozyvision; Cozyvision sms Alert Order Notifications

Type: CPEs
Values Added: cpe:2.3:a:cozyvision:sms_alert_order_notifications:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Cozyvision; Cozyvision sms Alert Order Notifications

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 04 Mar 2025 03:45:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Mar 2025 13:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozy Vision SMS Alert Order Notifications – WooCommerce allows Reflected XSS. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.7.8.

Type: Title
Values Added: WordPress SMS Alert Order Notifications – WooCommerce plugin <= 3.7.8 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:45.713Z

Reserved: 2025-02-17T11:51:47.719Z

Link: CVE-2025-26984

Vulnrichment

Updated: 2025-03-03T14:46:31.094Z

NVD

Status: Modified

Published: 2025-03-03T14:15:57.217

Modified: 2026-04-23T15:26:11.363

Link: CVE-2025-26984

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:15:20Z

Weaknesses