SMS Alert Order Notifications
CVE-2025-26984
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
8DescriptionNVD
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozy Vision SMS Alert Order Notifications - WooCommerce allows Reflected XSS. This issue affects SMS Alert Order Notifications - WooCommerce: from n/a through 3.7.8.
AnalysisAI
Reflected Cross-Site Scripting (XSS) in the SMS Alert Order Notifications WordPress plugin through version 3.7.8 enables remote attackers to execute arbitrary JavaScript in victim browsers by tricking users into clicking malicious links. The vulnerability carries a CVSS score of 7.1 due to changed scope (cross-domain consequences), though exploitation requires user interaction. EPSS probability is low (0.08%, 25th percentile), indicating limited observed exploitation activity. No CISA KEV listing confirms active widespread exploitation, though Patchstack's vulnerability database disclosure suggests the flaw may be targeted in WordPress-specific attack campaigns.
Technical ContextAI
This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in the SMS Alert Order Notifications plugin for WooCommerce/WordPress (CPE: cpe:2.3:a:cozyvision:sms_alert_order_notifications). The plugin fails to properly sanitize user-supplied input before reflecting it in HTTP responses, allowing attackers to inject malicious JavaScript payloads. As a reflected XSS vulnerability, the attack vector is network-based but requires social engineering - the malicious payload must be delivered via crafted URL parameters that victims are induced to access. The CVSS vector indicates changed scope (S:C), meaning successful exploitation can affect resources beyond the vulnerable component's security scope, potentially compromising user sessions across WordPress domains or integrated WooCommerce storefronts.
RemediationAI
WordPress administrators should immediately upgrade the SMS Alert Order Notifications plugin to version 3.7.9 or later if available, verifying the fix through the WordPress plugin repository or Cozy Vision's official channels. As no explicit patch version is confirmed in the provided references, site owners should monitor Patchstack's advisory at https://patchstack.com/database/wordpress/plugin/sms-alert/vulnerability/ for updated remediation guidance and contact Cozy Vision directly for patch status confirmation. As a compensating control until patching, implement Content Security Policy (CSP) headers with strict 'script-src' directives to mitigate XSS payload execution, though this may break legitimate plugin functionality requiring inline scripts. Additionally, deploy Web Application Firewall (WAF) rules to detect and block common XSS patterns in URL parameters targeting the vulnerable plugin endpoints, noting this provides detection rather than true remediation and may generate false positives on legitimate special characters in order notifications. For high-risk environments, temporarily disable the plugin if SMS notification functionality is non-critical to business operations, accepting the trade-off of lost order notification capabilities against XSS exposure.
The SMS Alert Order Notifications WordPress plugin before 3.4.7 is affected by a cross site scripting (XSS) vulnerabilit
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to privilege escalation via account t
Privilege escalation in the WordPress plugin SMS Alert Order Notifications (by Cozy Vision Technologies) versions 3.9.4
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insuff
SQL injection in the Cozy Vision 'SMS Alert Order Notifications - WooCommerce' WordPress plugin (all versions up to and
Authentication bypass in the WordPress plugin SMS Alert Order Notifications (versions <= 3.9.3) allows remote unauthenti
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th
Cozy Vision SMS Alert Order Notifications through version 3.9.0 contains an authorization bypass that allows authenticat
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today