Privilege Escalation Vulnerability in WooCommerce SMS Alert Plugin
CVE-2024-13553

9.8CRITICAL

Key Information:

Vendor

WordPress
Status
Sms Alert Order Notifications – WooCommerce
Vendor
CVE Published:
1 April 2025

What is CVE-2024-13553?

The SMS Alert Order Notifications plugin for WooCommerce is susceptible to a privilege escalation issue due to improper handling of the Host header, allowing unauthenticated attackers to simulate the header and authenticate as any user, including administrators. This vulnerability exposes users to potential account takeovers, putting sensitive data and site integrity at risk. All versions up to and including 3.7.9 are affected by this flaw, necessitating immediate updates to secure affected installations.

Affected Version(s)

SMS Alert Order Notifications – WooCommerce * <= 3.7.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lucio Sá
.