Privilege Escalation in SMS Alert Plugin for WooCommerce
CVE-2026-11387
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 1 July 2026
What is CVE-2026-11387?
The SMS Alert – SMS & OTP for WooCommerce plugin is susceptible to a privilege escalation vulnerability that enables unauthenticated attackers to perform account takeover. This issue arises because the plugin fails to adequately validate user identity before allowing changes to user account details, such as email addresses and passwords. Attackers can exploit this weakness on sites with OTP verification enabled, particularly if the administrator or user has linked a phone number for verification. By altering a user’s email address, attackers can initiate a password reset process to gain unauthorized access, including to administrator accounts. Sites using affected versions up to 3.9.5 are strongly advised to apply necessary security measures and updates.
Affected Version(s)
SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery 0 <= 3.9.5