Description
Missing Authorization vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SMS Alert Order Notifications: from n/a through <= 3.9.0.
Published: 2026-03-13
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control (Unauthorized Access)
Action: Patch Immediately
AI Analysis

Impact

This vulnerability arises from a missing authorization check in the Cozy Vision WordPress SMS Alert Order Notifications plugin. As a result, an attacker can gain unintended access to order notification data or control notification settings. The weakness is a classic access control flaw (CWE‑862), potentially allowing the disclosure or tampering of sensitive order information and the unauthorized sending of alerts, thereby affecting confidentiality and integrity of e‑commerce operations.

Affected Systems

All versions of the Cozy Vision SMS Alert Order Notifications plugin up to and including 3.9.0 are affected, regardless of specific minor releases. The issue is tied to the plugin’s SMS Alert Order Notifications component and does not extend beyond it as identified in the vendor advisory.

Risk and Exploitability

The vulnerability is scored CVSS 5.4, indicating a moderate severity. The EPSS score is below 1%, suggesting that real‑world exploitation is currently unlikely. It is not listed in the CISA KEV catalog. Exploitation probably requires remote access to a WordPress site where the plugin is installed; an attacker may need a valid user session or exploit misconfigured site permissions to trigger the missing authorization check.

Generated by OpenCVE AI on March 17, 2026 at 16:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SMS Alert Order Notifications to a version newer than 3.9.0.
  • If an immediate update is not possible, deactivate or remove the plugin until a patch is available.
  • Inspect the site’s user roles and permissions to ensure that only authorized staff can access order notification settings.
  • Monitor the plugin’s update channel and vendor communications for future patches.

Generated by OpenCVE AI on March 17, 2026 at 16:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Cozyvision
Cozyvision sms Alert Order Notifications
Wordpress
Wordpress wordpress
Vendors & Products Cozyvision
Cozyvision sms Alert Order Notifications
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SMS Alert Order Notifications: from n/a through <= 3.9.0.
Title WordPress SMS Alert Order Notifications plugin <= 3.9.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Cozyvision Sms Alert Order Notifications
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:02.459Z

Reserved: 2026-03-12T11:10:59.412Z

Link: CVE-2026-32373

cve-icon Vulnrichment

Updated: 2026-03-16T15:03:40.451Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:51.810

Modified: 2026-03-16T16:16:14.650

Link: CVE-2026-32373

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T12:05:13Z

Weaknesses