Privilege Escalation in SMS Alert Plugin for WooCommerce
CVE-2026-11387

9.8CRITICAL

What is CVE-2026-11387?

The SMS Alert – SMS & OTP for WooCommerce plugin is susceptible to a privilege escalation vulnerability that enables unauthenticated attackers to perform account takeover. This issue arises because the plugin fails to adequately validate user identity before allowing changes to user account details, such as email addresses and passwords. Attackers can exploit this weakness on sites with OTP verification enabled, particularly if the administrator or user has linked a phone number for verification. By altering a user’s email address, attackers can initiate a password reset process to gain unauthorized access, including to administrator accounts. Sites using affected versions up to 3.9.5 are strongly advised to apply necessary security measures and updates.

Affected Version(s)

SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery 0 <= 3.9.5

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chloe Chamberland
PRISM
.