Privilege Escalation in WooCommerce Plugin by WordPress
CVE-2025-3876
8.8HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 May 2025
What is CVE-2025-3876?
The SMS Alert Order Notifications – WooCommerce plugin for WordPress exhibits a vulnerability where insufficient user OTP validation occurs during the handleWpLoginCreateUserAction() process. This flaw allows authenticated attackers with a Subscriber-level account or higher to exploit the system, impersonating any user by merely providing their username or email. Consequently, attackers can escalate their privileges and gain administrative access, which poses a severe risk to the integrity and security of the affected WordPress environments.
Affected Version(s)
SMS Alert Order Notifications – WooCommerce * <= 3.8.1
References
CVSS V3.1
Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
wesley