Back to overview

CVE-2026-11387

CRITICAL
9.8
CVSS 3.1
Description
The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updating their details like reset the password of any user account, including administrators, and gain full access to those accounts. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. This is only vulnerable on sites with OTP verification for password resets enabled, and where the administrator (or other user) has set a phone number for OTP verification.

Metadata

CVE ID
CVE-2026-11387
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-06-05 15:14 UTC
Published
2026-07-01 07:53 UTC
Last updated
2026-07-01 10:32 UTC
Primary CWE
CWE-287
CWE-287 Improper Authentication
Vendor / Product
cozyvision1 / SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery
Sources
cve.org  ·  NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
cozyvision1 SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery 0 ≤ 3.9.5
Weakness (CWE)
CWESourceDescription
CWE-287 cna CWE-287 Improper Authentication
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.8 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Back to overview