Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Plugin endpoint is reachable over the network with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); broken authorization exposes restricted data only, so C:H with I:N/A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Authentication in SMS Alert Order Notifications <= 3.9.3 versions.
AnalysisAI
Authentication bypass in the WordPress plugin SMS Alert Order Notifications (versions <= 3.9.3) allows remote unauthenticated attackers to access functionality or data that should be restricted to authenticated users. The flaw, reported by Patchstack and tracked under CWE-862 (Missing Authorization), carries a CVSS 7.5 with high confidentiality impact only. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Target must be running WordPress with the SMS Alert Order Notifications plugin (by Cozy Vision Technologies) installed and active at version 3.9.3 or earlier, and the vulnerable plugin endpoint must be reachable over the network (typical default for any internet-facing WordPress install). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N describes a network-reachable, low-complexity, unauthenticated, no-user-interaction issue with high confidentiality impact and no integrity or availability impact, consistent with information disclosure via a broken authorization check rather than full account takeover or RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers a WordPress/WooCommerce site running SMS Alert Order Notifications <= 3.9.3, then issues unauthenticated HTTP requests directly to the plugin's vulnerable AJAX or REST endpoint to retrieve data or trigger functionality that should require an authenticated administrator session. Because the flaw is network-reachable, low-complexity, and requires no user interaction, the request can be sent by an automated scanner against any reachable site at scale. |
| Remediation | Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data, so administrators should upgrade SMS Alert Order Notifications to the latest release published after 3.9.3 by Cozy Vision Technologies once available on the WordPress plugin repository, consulting the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-plugin-3-9-3-broken-authentication-vulnerability for the fixed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations using SMS Alert Order Notifications ≤3.9.3 and immediately disable the plugin. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The SMS Alert Order Notifications WordPress plugin before 3.4.7 is affected by a cross site scripting (XSS) vulnerabilit
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to privilege escalation via account t
Privilege escalation in the WordPress plugin SMS Alert Order Notifications (by Cozy Vision Technologies) versions 3.9.4
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insuff
SQL injection in the Cozy Vision 'SMS Alert Order Notifications - WooCommerce' WordPress plugin (all versions up to and
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th
Reflected Cross-Site Scripting (XSS) in the SMS Alert Order Notifications WordPress plugin through version 3.7.8 enables
Cozy Vision SMS Alert Order Notifications through version 3.9.0 contains an authorization bypass that allows authenticat
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37638