Impact
The SMS Alert – SMS & OTP for WooCommerce plugin lets an unauthenticated attacker change any user's email address and then reset that user's password. Neither action checks that the requester owns the account, so an attacker can take over any account they can identify. Taking over an administrator account in this way gives the attacker control of the whole WordPress installation.
Affected Systems
WordPress sites running CozyVision1's SMS Alert plugin at version 3.9.5 or earlier with OTP verification for password resets enabled, where administrators or other users have a phone number configured for OTP. No other security setting mitigates the flaw. The installed version is shown on the Plugins screen in wp-admin or by running wp plugin list with WP-CLI; sites at or below 3.9.5 should update.
Risk and Exploitability
The issue has a CVSS score of 9.8, which is critical severity. No EPSS score is available, but because no authentication is required the vulnerability can be exercised remotely with ordinary HTTP form submissions. It is not yet listed in the CISA KEV catalog; the severity and the direct path to administrator takeover nonetheless make it a priority to patch. An attacker triggers the flaw by sending crafted requests to the plugin's email change and password reset endpoints, which act on the client-supplied target user without verifying that the requester is that user.
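The missing ownership check described in the Impact and Risk sections, shown as an added illustrative example rather than the plugin's own code. The AJAX action names, POST field names and nonce action below are assumptions made for the demonstration; the point is the contrast between a handler that trusts a client-supplied user ID and one that derives the account from the authenticated session.

```php
<?php
// Added illustrative example: NOT the SMS Alert plugin's code.
// Hook names, POST fields and the nonce action are assumed for demonstration.

// --- Vulnerable pattern: the account to modify comes from the request ------
// Registered for logged-out visitors too (wp_ajax_nopriv_), and the user to
// modify is whatever user_id the client sends, so anyone can change any
// user's email and then drive a password reset to that address.
add_action( 'wp_ajax_demo_change_email', 'demo_change_email_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_change_email', 'demo_change_email_vulnerable' );
function demo_change_email_vulnerable() {
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $email   = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! $user_id || ! is_email( $email ) ) {
        wp_send_json_error( 'bad input' );
    }
    // No login, ownership, nonce or capability check before the write.
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}

// --- Hardened pattern: the account comes from the session -----------------
// Only the logged-in action is registered, the target is the current user
// (never a request parameter), the request carries a nonce, and the change
// is gated on the current password so a leaked session cookie alone is not
// enough to redirect the account's email.
add_action( 'wp_ajax_demo_change_email_safe', 'demo_change_email_hardened' );
function demo_change_email_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    check_ajax_referer( 'demo_change_email', 'nonce' ); // dies on nonce failure

    $user_id = get_current_user_id();            // bound to the session, not to $_POST
    $user    = get_userdata( $user_id );
    $email   = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $current = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';

    if ( ! $user || ! is_email( $email ) ) {
        wp_send_json_error( 'bad input', 400 );
    }
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }
    $owner = email_exists( $email );             // user ID or false
    if ( $owner && (int) $owner !== $user_id ) {
        wp_send_json_error( 'email already in use', 409 );
    }

    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
```

The same rule applies on the password-reset side: the account whose password is reset must be the one the server bound the OTP to when it issued it, looked up from server-side state, never a user ID or email address supplied with the reset request. A nonce on its own does not close this hole, because a nonce only proves the request originated from a page the site served; the ownership check is what ties the action to the requester's own account.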
OpenCVE Enrichment