Description
Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions.
Published: 2026-06-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a subscriber to obtain higher privileges through the SMS Alert Order Notifications plugin. It is a weak access control flaw (CWE‑863) that can let a user execute actions reserved for administrators, such as configuring email settings or viewing sensitive order information, thereby compromising confidentiality, integrity, and availability of the WordPress site.

Affected Systems

Affected are WordPress installations that use Cozy Vision Technologies’ SMS Alert Order Notifications plugin version 3.9.4 or older. Any site running this plugin without upgrading is susceptible.

Risk and Exploitability

The CVSS score of 9.8 signals severe risk, while the EPSS score is not available, making it difficult to gauge current exploitation prevalence. It is not listed in CISA KEV, indicating that known exploit code may not yet be widespread. The likely attack vector requires an authenticated subscriber account; based on the description, the attacker can use the plugin’s order notification features to elevate privileges through bypassing standard role checks.

Generated by OpenCVE AI on June 18, 2026 at 12:03 UTC.

Remediation

Vendor Solution

Update the WordPress SMS Alert Order Notifications Plugin to the latest available version (at least 3.9.5).


OpenCVE Recommended Actions

  • Update the SMS Alert Order Notifications plugin to version 3.9.5 or later.
  • Disable or uninstall the plugin if it is not essential to site operations.
  • Review all user accounts for unauthorized role changes and reset privileges where necessary.

Generated by OpenCVE AI on June 18, 2026 at 12:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Cozyvision
Cozyvision sms Alert Order Notifications
Wordpress
Wordpress wordpress
Vendors & Products Cozyvision
Cozyvision sms Alert Order Notifications
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions.
Title WordPress SMS Alert Order Notifications plugin <= 3.9.4 - Privilege Escalation vulnerability
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Cozyvision Sms Alert Order Notifications
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:48:45.148Z

Reserved: 2026-06-16T09:21:34.477Z

Link: CVE-2026-54803

cve-icon Vulnrichment

Updated: 2026-06-17T14:48:30.877Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:38Z

Weaknesses