Skip to main content

SMS Alert CVE-2026-11387

| EUVDEUVD-2026-40922 CRITICAL
Improper Authentication (CWE-287)
2026-07-01 Wordfence GHSA-ggpj-jphc-wmc4
9.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Remote and unauthenticated (AV:N/PR:N/UI:N) but AC:H because exploitation depends on the non-default OTP-password-reset config and the target having an OTP phone set; full account takeover yields C:H/I:H/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 08:31 vuln.today
CVE Published
Jul 01, 2026 - 07:53 nvd
CRITICAL 9.8

DescriptionCVE.org

The SMS Alert - SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updating their details like reset the password of any user account, including administrators, and gain full access to those accounts. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. This is only vulnerable on sites with OTP verification for password resets enabled, and where the administrator (or other user) has set a phone number for OTP verification.

AnalysisAI

Account-takeover privilege escalation in the SMS Alert - SMS & OTP for WooCommerce WordPress plugin (versions up to and including 3.9.5) lets unauthenticated remote attackers change any user's email address and trigger a password reset, seizing administrator accounts. The flaw stems from the OTP-based password-reset flow failing to verify the requester's identity before updating account details. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with OTP password reset enabled
Delivery
Send crafted unauthenticated reset request
Exploit
Change admin account email address
Execution
Trigger password reset to attacker email
Impact
Set new password and log in as admin

Vulnerability AssessmentAI

Exploitation Exploitation requires the site to have the plugin's OTP verification for password resets feature explicitly enabled, and the targeted account (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H = 9.8) presents this as trivially exploitable and unauthenticated, and the impact - full administrator takeover - is genuinely severe. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who knows or guesses an administrator's WordPress username sends a crafted unauthenticated request to the plugin's OTP password-reset handler, changing the administrator's account email to one the attacker controls. The attacker then initiates a standard password reset, receives the reset link at the attacker-controlled email, sets a new password, and logs in with full administrator privileges. …
Remediation Upgrade the SMS Alert plugin to the first release published after 3.9.5 (the WordPress.org changeset 3587983 for the sms-alert repository contains the fix; a released patched version number is not independently confirmed from the provided data, so verify the latest available version on the plugin page before deploying). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Disable the SMS Alert plugin immediately and audit all active administrator accounts for unauthorized email changes or password resets. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11387 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy