Skip to main content

SMS Alert Order Notifications CVE-2026-54802

| EUVDEUVD-2026-37638 HIGH
Missing Authorization (CWE-862)
2026-06-17 Patchstack
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Plugin endpoint is reachable over the network with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); broken authorization exposes restricted data only, so C:H with I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 11:54 vuln.today

DescriptionCVE.org

Unauthenticated Broken Authentication in SMS Alert Order Notifications <= 3.9.3 versions.

AnalysisAI

Authentication bypass in the WordPress plugin SMS Alert Order Notifications (versions <= 3.9.3) allows remote unauthenticated attackers to access functionality or data that should be restricted to authenticated users. The flaw, reported by Patchstack and tracked under CWE-862 (Missing Authorization), carries a CVSS 7.5 with high confidentiality impact only. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with SMS Alert plugin
Delivery
Send crafted unauthenticated HTTP request
Exploit
Bypass missing authorization check
Execution
Invoke privileged plugin endpoint
Impact
Exfiltrate restricted data

Vulnerability AssessmentAI

Exploitation Target must be running WordPress with the SMS Alert Order Notifications plugin (by Cozy Vision Technologies) installed and active at version 3.9.3 or earlier, and the vulnerable plugin endpoint must be reachable over the network (typical default for any internet-facing WordPress install). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N describes a network-reachable, low-complexity, unauthenticated, no-user-interaction issue with high confidentiality impact and no integrity or availability impact, consistent with information disclosure via a broken authorization check rather than full account takeover or RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers a WordPress/WooCommerce site running SMS Alert Order Notifications <= 3.9.3, then issues unauthenticated HTTP requests directly to the plugin's vulnerable AJAX or REST endpoint to retrieve data or trigger functionality that should require an authenticated administrator session. Because the flaw is network-reachable, low-complexity, and requires no user interaction, the request can be sent by an automated scanner against any reachable site at scale.
Remediation Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data, so administrators should upgrade SMS Alert Order Notifications to the latest release published after 3.9.3 by Cozy Vision Technologies once available on the WordPress plugin repository, consulting the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-plugin-3-9-3-broken-authentication-vulnerability for the fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations using SMS Alert Order Notifications ≤3.9.3 and immediately disable the plugin. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-24588 MEDIUM POC
6.1 Sep 06

The SMS Alert Order Notifications WordPress plugin before 3.4.7 is affected by a cross site scripting (XSS) vulnerabilit

CVE-2024-13553 CRITICAL
9.8 Apr 01

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to privilege escalation via account t

CVE-2026-54803 CRITICAL
9.8 Jun 17

Privilege escalation in the WordPress plugin SMS Alert Order Notifications (by Cozy Vision Technologies) versions 3.9.4

CVE-2025-3876 HIGH
8.8 May 10

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insuff

CVE-2025-26988 HIGH
7.5 Mar 03

SQL injection in the Cozy Vision 'SMS Alert Order Notifications - WooCommerce' WordPress plugin (all versions up to and

CVE-2025-3878 MEDIUM
6.4 May 10

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th

CVE-2025-26984 MEDIUM
6.1 Mar 03

Reflected Cross-Site Scripting (XSS) in the SMS Alert Order Notifications WordPress plugin through version 3.7.8 enables

CVE-2026-32373 MEDIUM
5.4 Mar 13

Cozy Vision SMS Alert Order Notifications through version 3.9.0 contains an authorization bypass that allows authenticat

CVE-2024-10233 MEDIUM
5.4 Oct 29

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th

CVE-2024-1489 MEDIUM
4.3 Mar 13

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all

CVE-2024-11725 HIGH
8.8 Jan 07

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data

Share

CVE-2026-54802 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy