Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote and unauthenticated (AV:N/PR:N/UI:N) but AC:H because exploitation depends on the non-default OTP-password-reset config and the target having an OTP phone set; full account takeover yields C:H/I:H/A:H.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The SMS Alert - SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updating their details like reset the password of any user account, including administrators, and gain full access to those accounts. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. This is only vulnerable on sites with OTP verification for password resets enabled, and where the administrator (or other user) has set a phone number for OTP verification.
Articles & Coverage 2
AnalysisAI
Account-takeover privilege escalation in the SMS Alert - SMS & OTP for WooCommerce WordPress plugin (versions up to and including 3.9.5) lets unauthenticated remote attackers change any user's email address and trigger a password reset, seizing administrator accounts. The flaw stems from the OTP-based password-reset flow failing to verify the requester's identity before updating account details. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the site to have the plugin's OTP verification for password resets feature explicitly enabled, and the targeted account (e.g. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H = 9.8) presents this as trivially exploitable and unauthenticated, and the impact - full administrator takeover - is genuinely severe. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who knows or guesses an administrator's WordPress username sends a crafted unauthenticated request to the plugin's OTP password-reset handler, changing the administrator's account email to one the attacker controls. The attacker then initiates a standard password reset, receives the reset link at the attacker-controlled email, sets a new password, and logs in with full administrator privileges. … |
| Remediation | Upgrade the SMS Alert plugin to the first release published after 3.9.5 (the WordPress.org changeset 3587983 for the sms-alert repository contains the fix; a released patched version number is not independently confirmed from the provided data, so verify the latest available version on the plugin page before deploying). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Disable the SMS Alert plugin immediately and audit all active administrator accounts for unauthorized email changes or password resets. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40922
GHSA-ggpj-jphc-wmc4