Impact
The vulnerability is a missing authorization flaw, classified as CWE-862, in the Cozy Vision SMS Alert Order Notifications plugin. The plugin does not verify the privileges of the requester before accepting configuration changes, so its access control settings can be reached by users who should not have that access, and an attacker can gain unauthorized access to sensitive settings. Compromise of the plugin's configuration could enable further malicious activity, such as sending spam or manipulating order notifications.
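As an added illustration of the weakness class (not the plugin's own code; the function names, option name, nonce action and AJAX action are hypothetical), a WordPress settings handler that saves an option with no authorization check, beside the hardened form:

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin settings handler.
// All names here (hypo_*) are assumptions for the example, not identifiers
// from SMS Alert Order Notifications.

// VULNERABLE: any authenticated user who can reach admin-ajax.php may call
// this handler, because nothing checks a capability or the request origin.
// Shown for contrast only; it is not registered on a hook.
function hypo_save_settings_vulnerable() {
    $sender_id = sanitize_text_field( wp_unslash( $_POST['sender_id'] ?? '' ) );
    update_option( 'hypo_sms_sender_id', $sender_id );
    wp_send_json_success();
}

// HARDENED: verify the nonce (the request came from the plugin's settings
// page) and the capability (the requester may change site options) before
// touching any option. Both are needed: a nonce does not prove privilege,
// and a capability check alone does not stop cross-site request forgery.
function hypo_save_settings_hardened() {
    check_ajax_referer( 'hypo_settings_nonce', 'nonce' ); // dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // exits
    }
    $sender_id = sanitize_text_field( wp_unslash( $_POST['sender_id'] ?? '' ) );
    update_option( 'hypo_sms_sender_id', $sender_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_save_settings', 'hypo_save_settings_hardened' );
```

When reviewing a plugin for this flaw, look for every `wp_ajax_*`, `admin_post_*` or REST handler that writes options and confirm it has its own `current_user_can()` check; the capability is not inherited from the hook or from being logged in.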
Affected Systems
The flaw affects the WordPress plugin SMS Alert Order Notifications, distributed by Cozy Vision. All versions from the earliest available build up to and including 3.8.8 are impacted. The plugin is used on WordPress sites, but no specific WordPress core version is listed as a requirement.
Risk and Exploitability
The vulnerability has a CVSS score of 5.3, indicating moderate severity. Its EPSS score is less than 1%, meaning the likelihood of actual exploitation is very low, and it is not listed in the Cybersecurity and Infrastructure Security Agency's KEV catalog. Attacks would likely target the plugin's administrative interface, which requires authenticated access to reach the sensitive settings page; however, because the authorization check is missing, the usual privilege barrier is gone, and an attacker with any level of authenticated access could exploit the flaw without passing the normal WordPress role checks. While the risk is not high, the potential for unauthorized configuration changes warrants timely remediation.
OpenCVE Enrichment