Skip to main content

SMS Alert Order Notifications CVE-2025-26984

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

8
Severity Changed
Jun 26, 2026 - 17:22 NVD
HIGH MEDIUM
CVSS changed
Jun 26, 2026 - 17:22 NVD
7.1 (HIGH) 6.1 (MEDIUM)
Analysis Updated
Apr 25, 2026 - 00:59 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:42 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:42 NVD
6.1 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
MEDIUM 6.1

DescriptionNVD

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozy Vision SMS Alert Order Notifications - WooCommerce allows Reflected XSS. This issue affects SMS Alert Order Notifications - WooCommerce: from n/a through 3.7.8.

AnalysisAI

Reflected Cross-Site Scripting (XSS) in the SMS Alert Order Notifications WordPress plugin through version 3.7.8 enables remote attackers to execute arbitrary JavaScript in victim browsers by tricking users into clicking malicious links. The vulnerability carries a CVSS score of 7.1 due to changed scope (cross-domain consequences), though exploitation requires user interaction. EPSS probability is low (0.08%, 25th percentile), indicating limited observed exploitation activity. No CISA KEV listing confirms active widespread exploitation, though Patchstack's vulnerability database disclosure suggests the flaw may be targeted in WordPress-specific attack campaigns.

Technical ContextAI

This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in the SMS Alert Order Notifications plugin for WooCommerce/WordPress (CPE: cpe:2.3:a:cozyvision:sms_alert_order_notifications). The plugin fails to properly sanitize user-supplied input before reflecting it in HTTP responses, allowing attackers to inject malicious JavaScript payloads. As a reflected XSS vulnerability, the attack vector is network-based but requires social engineering - the malicious payload must be delivered via crafted URL parameters that victims are induced to access. The CVSS vector indicates changed scope (S:C), meaning successful exploitation can affect resources beyond the vulnerable component's security scope, potentially compromising user sessions across WordPress domains or integrated WooCommerce storefronts.

RemediationAI

WordPress administrators should immediately upgrade the SMS Alert Order Notifications plugin to version 3.7.9 or later if available, verifying the fix through the WordPress plugin repository or Cozy Vision's official channels. As no explicit patch version is confirmed in the provided references, site owners should monitor Patchstack's advisory at https://patchstack.com/database/wordpress/plugin/sms-alert/vulnerability/ for updated remediation guidance and contact Cozy Vision directly for patch status confirmation. As a compensating control until patching, implement Content Security Policy (CSP) headers with strict 'script-src' directives to mitigate XSS payload execution, though this may break legitimate plugin functionality requiring inline scripts. Additionally, deploy Web Application Firewall (WAF) rules to detect and block common XSS patterns in URL parameters targeting the vulnerable plugin endpoints, noting this provides detection rather than true remediation and may generate false positives on legitimate special characters in order notifications. For high-risk environments, temporarily disable the plugin if SMS notification functionality is non-critical to business operations, accepting the trade-off of lost order notification capabilities against XSS exposure.

CVE-2021-24588 MEDIUM POC
6.1 Sep 06

The SMS Alert Order Notifications WordPress plugin before 3.4.7 is affected by a cross site scripting (XSS) vulnerabilit

CVE-2024-13553 CRITICAL
9.8 Apr 01

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to privilege escalation via account t

CVE-2026-54803 CRITICAL
9.8 Jun 17

Privilege escalation in the WordPress plugin SMS Alert Order Notifications (by Cozy Vision Technologies) versions 3.9.4

CVE-2025-3876 HIGH
8.8 May 10

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insuff

CVE-2025-26988 HIGH
7.5 Mar 03

SQL injection in the Cozy Vision 'SMS Alert Order Notifications - WooCommerce' WordPress plugin (all versions up to and

CVE-2026-54802 HIGH
7.5 Jun 17

Authentication bypass in the WordPress plugin SMS Alert Order Notifications (versions <= 3.9.3) allows remote unauthenti

CVE-2025-3878 MEDIUM
6.4 May 10

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th

CVE-2026-32373 MEDIUM
5.4 Mar 13

Cozy Vision SMS Alert Order Notifications through version 3.9.0 contains an authorization bypass that allows authenticat

CVE-2024-10233 MEDIUM
5.4 Oct 29

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th

CVE-2024-1489 MEDIUM
4.3 Mar 13

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all

CVE-2024-11725 HIGH
8.8 Jan 07

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data

Share

CVE-2025-26984 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy