Description
The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insufficient user OTP validation in the handleWpLoginCreateUserAction() function in all versions up to, and including, 3.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate any account by supplying its username or email and elevate their privileges to that of an administrator.
Published: 2025-05-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The flaw is insufficient validation of the user OTP in the handleWpLoginCreateUserAction() function: the function does not sufficiently validate the OTP for the user whose username or email address is supplied in the request. An authenticated user with Subscriber-level access or higher can therefore name any account, be logged in as that account, and obtain its privileges, including those of an administrator. NVD classifies the weakness as Missing Authorization (CWE-862).
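As an added illustration (not the plugin's code, and not taken from the advisory), the following PHP sketch shows the general pattern the description points at: an OTP login handler that verifies a one-time code and then picks the account to log in from a caller-supplied username or email, beside a variant that only ever logs in the account the OTP was issued for. The class and function names (FakeWp, issueOtp, vulnerableOtpLogin, hardenedOtpLogin), the in-memory user and OTP stores, and the phone numbers are assumptions made so the file runs under the PHP CLI without WordPress; in a real plugin the stand-ins correspond to get_user_by(), wp_set_current_user()/wp_set_auth_cookie() and the transient API.

```php
<?php
// Added illustration of the vulnerability class, not the plugin's code.
// FakeWp, the user table, the OTP store and the phone numbers are assumptions
// so the file runs stand-alone under the PHP CLI without WordPress.
final class FakeWp {
    /** login => user record (stand-in for the WordPress users table) */
    public static array $users = [
        'admin'   => ['id' => 1, 'email' => 'admin@example.test',   'phone' => '+15550000001', 'role' => 'administrator'],
        'mallory' => ['id' => 7, 'email' => 'mallory@example.test', 'phone' => '+15550000007', 'role' => 'subscriber'],
    ];
    public static ?int $currentUser = null;
    /** phone => ['code' => ..., 'user_id' => ..., 'expires' => ...] (stand-in for transients) */
    public static array $otps = [];

    // Stand-in for get_user_by('login'|'email', $value).
    public static function getUserBy(string $field, string $value): ?array {
        foreach (self::$users as $login => $u) {
            if (($field === 'login' && $login === $value) || ($field === 'email' && $u['email'] === $value)) {
                return $u + ['login' => $login];
            }
        }
        return null;
    }
    // Stand-in for wp_set_current_user() + wp_set_auth_cookie().
    public static function setCurrentUser(int $id): void { self::$currentUser = $id; }
}

// Step 1 (shared by both variants): issue an OTP to a phone number and bind it
// to the account that owns that phone. random_int() is a CSPRNG; rand() is not.
function issueOtp(string $phone): string {
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $userId = null;
    foreach (FakeWp::$users as $u) { if ($u['phone'] === $phone) { $userId = $u['id']; } }
    if ($userId === null) { throw new RuntimeException('unknown phone'); }
    FakeWp::$otps[$phone] = ['code' => $code, 'user_id' => $userId, 'expires' => time() + 300];
    return $code;
}

// VULNERABLE pattern: the OTP is checked against the caller's own phone, but
// the account that gets logged in is chosen from the request ('username'), so
// a Subscriber who knows the administrator's username or email lands in the
// administrator's session. The OTP is also never invalidated.
function vulnerableOtpLogin(array $request): ?int {
    $entry = FakeWp::$otps[$request['phone']] ?? null;
    if ($entry === null || !hash_equals($entry['code'], $request['otp'])) { return null; }
    $target = FakeWp::getUserBy('login', $request['username'])
           ?? FakeWp::getUserBy('email', $request['username']);
    if ($target === null) { return null; }
    FakeWp::setCurrentUser($target['id']);   // identity taken from attacker-controlled input
    return $target['id'];
}

// HARDENED pattern: the account is whatever the OTP was bound to when it was
// issued; a caller-supplied username may not select a different user, the
// code is single-use, and expiry is enforced.
function hardenedOtpLogin(array $request): ?int {
    $entry = FakeWp::$otps[$request['phone']] ?? null;
    if ($entry === null) { return null; }
    if (time() > $entry['expires'] || !hash_equals($entry['code'], $request['otp'])) {
        unset(FakeWp::$otps[$request['phone']]);   // burn on failure: no guessing against a live code
        return null;
    }
    unset(FakeWp::$otps[$request['phone']]);       // single use
    // Defence in depth: if the caller also names an account, it must be the bound one.
    if (isset($request['username'])) {
        $named = FakeWp::getUserBy('login', $request['username'])
              ?? FakeWp::getUserBy('email', $request['username']);
        if ($named === null || $named['id'] !== $entry['user_id']) { return null; }
    }
    FakeWp::setCurrentUser($entry['user_id']);
    return $entry['user_id'];
}

// Demo: Mallory (subscriber) requests an OTP for her own phone, then submits
// it together with the administrator's username.
$code   = issueOtp('+15550000007');
$attack = ['phone' => '+15550000007', 'otp' => $code, 'username' => 'admin'];
printf("vulnerable handler logged in user id: %s\n", var_export(vulnerableOtpLogin($attack), true));
printf("hardened handler logged in user id:   %s\n", var_export(hardenedOtpLogin($attack), true));
```

Running it with `php` on the command line shows the vulnerable handler logging Mallory in as user id 1 (the administrator) while the hardened handler returns NULL, because the account named in the request does not match the one the OTP was bound to at issue time. The binding at issue time is the essential control; rejecting a mismatched username is defence in depth, and a handler that accepts no username or email parameter at all has no identity to confuse.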

Affected Systems

The affected product is the SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin from CozyVision, version 3.8.1 and all earlier releases. The flaw exists in the code base managed under the "sms-alert" plugin folder for WordPress. Users running any version up to and including 3.8.1 are impacted; newer releases are not listed as vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) classifies the flaw as high severity: it is reachable over the network with low attack complexity, requires only low privileges and no user interaction, and has high impact on confidentiality, integrity and availability. The EPSS score is below 1%, indicating a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded at enrichment time shows no known exploitation, "not automatable", and total technical impact. Exploitation requires the attacker to first authenticate with a Subscriber or higher role; from that point the attacker supplies a target username or email to the code path that invokes handleWpLoginCreateUserAction() and is logged in as that account. The low privilege requirement matters because Subscriber is the default role for self-registered users on many WordPress sites.

Generated by OpenCVE AI on April 22, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SMS Alert Order Notifications plugin to the latest release later than 3.8.1
  • If an upgrade cannot be performed immediately, temporarily deactivate the plugin to block exploitation
  • Because any Subscriber-level account suffices, disable open self-registration (Settings > General, "Anyone can register") and review existing low-privilege accounts until the patch is applied
  • Monitor authentication and admin activity logs for signs of impersonation: administrator-level actions in sessions that began as low-privilege logins, unexpected role changes, and newly created administrator accounts

Generated by OpenCVE AI on April 22, 2026 at 17:20 UTC.


Advisories

  Source: EUVD
  ID: EUVD-2025-14224
  Title: The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insufficient user OTP validation in the handleWpLoginCreateUserAction() function in all versions up to, and including, 3.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate any account by supplying its username or email and elevate their privileges to that of an administrator.
History

Wed, 21 May 2025 14:45:00 +0000

  Values removed: none
  Values added:
    First time appeared: Cozyvision; Cozyvision Sms Alert Order Notifications
    CPEs: cpe:2.3:a:cozyvision:sms_alert_order_notifications:*:*:*:*:free:wordpress:*:*
    Vendors & Products: Cozyvision; Cozyvision Sms Alert Order Notifications

Mon, 12 May 2025 14:15:00 +0000

  Values removed: none
  Values added:
    Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 10 May 2025 11:30:00 +0000

  Values removed: none
  Values added:
    Description: The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insufficient user OTP validation in the handleWpLoginCreateUserAction() function in all versions up to, and including, 3.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate any account by supplying its username or email and elevate their privileges to that of an administrator.
    Title: SMS Alert Order Notifications – WooCommerce <= 3.8.1 - Authenticated (Subscriber+) Privilege Escalation via handleWpLoginCreateUserAction Function
    Weaknesses: CWE-862
    References: (none listed)
    Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:40:32.082Z

Reserved: 2025-04-22T16:44:57.296Z

Link: CVE-2025-3876

Vulnrichment

Updated: 2025-05-12T13:19:56.760Z

NVD

Status: Analyzed

Published: 2025-05-10T12:15:35.670

Modified: 2025-05-21T13:35:09.450

Link: CVE-2025-3876

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:30:22Z

Weaknesses