Description
The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updating their details, which allows an attacker to reset the password of any user account, including administrators, and gain full access to those accounts. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including those of administrators, and leverage that to reset the user's password and gain access to their account. Sites are only vulnerable when OTP verification for password resets is enabled and the administrator (or other user) has set a phone number for OTP verification.
Published: 2026-07-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SMS Alert – SMS & OTP for WooCommerce plugin allows an unauthenticated attacker to change any user's email address and then reset that user's password. The plugin does not verify that the requester owns the account before applying the change (CWE-287, improper authentication), so the attacker ends up with full control of the target account. An attacker who takes over an administrator account in this way controls the entire WordPress installation: plugins, themes, content and any other user.
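As an added illustration that is not the SMS Alert plugin's own code, nor code from Wordfence or OpenCVE, the following PHP models the CWE-287 failure the advisory describes beside a hardened handler. The hook names, request fields, the OTP helper, the transient name and the user-meta key are all assumptions made for this example.

```php
<?php
// Illustrative example only: this is not the SMS Alert plugin's code, nor
// code from Wordfence or OpenCVE. It models the CWE-287 failure described
// in the advisory (an account-detail update that never proves the caller
// owns the account) and a hardened counterpart. The hook names, request
// fields, transient name and user-meta key are assumptions for this example.

// Assumed OTP helper: the OTP issued for a phone number is kept in a
// short-lived transient keyed by that number and compared in constant time.
function example_otp_is_valid( $phone, $otp ) {
    $expected = get_transient( 'example_otp_' . md5( $phone ) );
    return is_string( $expected ) && '' !== $otp && hash_equals( $expected, $otp );
}

// --- Vulnerable pattern --------------------------------------------------
// Exposed to logged-out visitors through wp_ajax_nopriv_*. The OTP only
// proves the caller can read SMS for *some* phone number; nothing binds
// that number, or the request, to the account identified by user_id.
function example_vuln_update_email() {
    $user_id   = absint( $_POST['user_id'] ?? 0 );
    $new_email = sanitize_email( $_POST['email'] ?? '' );
    $phone     = sanitize_text_field( $_POST['phone'] ?? '' );
    $otp       = sanitize_text_field( $_POST['otp'] ?? '' );

    if ( ! example_otp_is_valid( $phone, $otp ) ) {
        wp_send_json_error( 'bad otp', 403 ); // wp_send_json_error() exits
    }
    // Missing: any check that $user_id is the caller's account, or that
    // $phone is the number stored for $user_id. An attacker completes the
    // OTP step for a phone they control, sets user_id to an administrator,
    // and the administrator's email now points at the attacker's mailbox,
    // where the ordinary WordPress password-reset link will be delivered.
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $new_email ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_update_email_vuln', 'example_vuln_update_email' );
add_action( 'wp_ajax_example_update_email_vuln', 'example_vuln_update_email' );

// --- Hardened pattern ----------------------------------------------------
function example_safe_update_email() {
    // 1. Authentication: only a logged-in session may change account details,
    //    and the action is deliberately not registered under wp_ajax_nopriv_.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    // 2. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_update_email_safe', 'nonce' );

    // 3. Authorization: the target is the caller's own account, taken from the
    //    session, never from a client-supplied user_id. Editing someone else
    //    would require current_user_can( 'edit_user', $other_id ).
    $user_id   = get_current_user_id();
    $new_email = sanitize_email( $_POST['email'] ?? '' );
    $otp       = sanitize_text_field( $_POST['otp'] ?? '' );

    // Reject malformed addresses and addresses already attached to an account.
    if ( ! is_email( $new_email ) || email_exists( $new_email ) ) {
        wp_send_json_error( 'invalid or already used email', 400 );
    }
    // 4. Binding: the OTP is checked against the phone number stored for this
    //    user, so an OTP for an attacker-controlled number proves nothing here.
    $stored_phone = (string) get_user_meta( $user_id, 'example_otp_phone', true );
    if ( '' === $stored_phone || ! example_otp_is_valid( $stored_phone, $otp ) ) {
        wp_send_json_error( 'bad otp', 403 );
    }
    delete_transient( 'example_otp_' . md5( $stored_phone ) ); // single use
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $new_email ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_email_safe', 'example_safe_update_email' );
```

The password-reset side follows the same rule: an OTP-gated reset must check the code against the phone number stored for the account whose password is being reset, not against a number supplied in the request, and the account to reset must be derived from that verified identity rather than from a client-chosen user ID or login name.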

Affected Systems

WordPress sites that run CozyVision1's SMS Alert plugin at version 3.9.5 or earlier, with OTP verification for password resets enabled and at least one user (typically an administrator) having a phone number configured for OTP. The flaw is present in every release up to and including 3.9.5, but sites that have not enabled OTP verification for password resets, or whose users have no phone number on file, are not exposed by this issue.

Risk and Exploitability

The issue carries a CVSS 3.1 base score of 9.8 (Critical; vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The EPSS score is currently below 1%, but EPSS lags newly published issues, and the PR:N/UI:N components of the vector mean the flaw can be exercised remotely with ordinary HTTP requests and no victim interaction. It is not listed in the CISA KEV catalog; the SSVC assessment nevertheless records Automatable: yes and Technical Impact: total, and the ability to take over administrator accounts makes it a priority target. The attack path follows the description: the attacker sends requests to the plugin's account-update handling that change a target user's email address, then drives the site's normal password-reset flow against the address they now control.

Generated by OpenCVE AI on July 1, 2026 at 12:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SMS Alert plugin to a release newer than 3.9.5 as soon as the vendor publishes one that fixes this issue; no fixed version is listed on this page, so confirm the fix in the vendor changelog or the Wordfence advisory before relying on the upgrade.
  • If an update cannot be performed immediately, disable OTP verification for password resets (the flaw requires it to be active) or remove the OTP phone numbers from privileged accounts; deactivating the plugin until a fix is available removes the vulnerable code entirely.
  • Monitor web server and WordPress logs for email-change and password-reset activity against privileged accounts, especially requests that arrive without an authenticated session, and block the source addresses. After remediation, review administrator email addresses and OTP phone numbers for unexpected changes and reset the credentials of any account that was altered.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 11:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 08:15:00 +0000

Type | Values Removed | Values Added
Description | | The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updating their details, which allows an attacker to reset the password of any user account, including administrators, and gain full access to those accounts. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including those of administrators, and leverage that to reset the user's password and gain access to their account. Sites are only vulnerable when OTP verification for password resets is enabled and the administrator (or other user) has set a phone number for OTP verification.
Title | | SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset
Weaknesses | | CWE-287
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T10:32:03.955Z

Reserved: 2026-06-05T15:14:38.745Z

Link: CVE-2026-11387

Vulnrichment

Updated: 2026-07-01T10:30:31.699Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T13:00:15Z

Weaknesses