Privilege Escalation in WooCommerce Plugin by WordPress
CVE-2025-3876

8.8HIGH

Key Information:

Vendor

WordPress
Status
Sms Alert Order Notifications – WooCommerce
Vendor
CVE Published:
10 May 2025

What is CVE-2025-3876?

The SMS Alert Order Notifications – WooCommerce plugin for WordPress exhibits a vulnerability where insufficient user OTP validation occurs during the handleWpLoginCreateUserAction() process. This flaw allows authenticated attackers with a Subscriber-level account or higher to exploit the system, impersonating any user by merely providing their username or email. Consequently, attackers can escalate their privileges and gain administrative access, which poses a severe risk to the integrity and security of the affected WordPress environments.

Affected Version(s)

SMS Alert Order Notifications – WooCommerce * <= 3.8.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/sms-alert/tags...
https://plugins.trac.wordpress.org/browser/sms-alert/tags...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wesley
.
CVE-2025-3876 : Privilege Escalation in WooCommerce Plugin by WordPress