Impact
The vulnerability allows a subscriber to obtain higher privileges through the SMS Alert Order Notifications plugin. It is a weak access control flaw (CWE‑863) that can let a user execute actions reserved for administrators, such as configuring email settings or viewing sensitive order information, thereby compromising confidentiality, integrity, and availability of the WordPress site.
Affected Systems
Affected are WordPress installations that use Cozy Vision Technologies’ SMS Alert Order Notifications plugin version 3.9.4 or older. Any site running this plugin without upgrading is susceptible.
Risk and Exploitability
The CVSS score of 9.8 signals severe risk, while the EPSS score is not available, making it difficult to gauge current exploitation prevalence. It is not listed in CISA KEV, indicating that known exploit code may not yet be widespread. The likely attack vector requires an authenticated subscriber account; based on the description, the attacker can use the plugin’s order notification features to elevate privileges through bypassing standard role checks.
OpenCVE Enrichment