Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Subscriber role is required to reach the vulnerable endpoint, so PR:L (not PR:N); network-reachable HTTP, no user interaction, and full admin takeover yields C/I/A:H.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions.
AnalysisAI
Privilege escalation in the WordPress plugin SMS Alert Order Notifications (by Cozy Vision Technologies) versions 3.9.4 and earlier allows low-privileged users - specifically Subscriber-level accounts - to elevate their permissions on the WordPress site. Patchstack catalogued this as an authorization/authentication-bypass class issue (CWE-863). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The SMS Alert Order Notifications plugin (≤ 3.9.4) must be installed and activated on a WordPress site, and the attacker must be able to authenticate as a Subscriber-level user - which on sites with open user registration enabled (a common default for WooCommerce stores) is effectively unauthenticated, because anyone can self-register a Subscriber account. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD/Patchstack CVSS 3.1 vector is 9.8 (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H), but this conflicts with the advisory title 'Subscriber Privilege Escalation,' which by definition requires an authenticated Subscriber account - that would normally drive PR:L and a base score nearer 8.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a Subscriber account on a target WordPress site (or uses an existing one), then issues a crafted request to a vulnerable plugin endpoint that fails to verify capabilities, elevating their role to Administrator. From there the attacker installs a malicious plugin or theme to obtain code execution on the server, enabling full site takeover and pivot into WooCommerce order/PII data. … |
| Remediation | Upgrade the SMS Alert Order Notifications plugin to any version released after 3.9.4 once the vendor publishes a fix; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-plugin-3-9-4-privilege-escalation-vulnerability) is the authoritative source for the patched version and should be monitored. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: audit all WordPress installations for SMS Alert Order Notifications plugin versions 3.9.4 and earlier; immediately disable or remove the plugin from all affected sites; review WordPress security audit logs for evidence of unauthorized privilege escalations by Subscriber-level accounts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The SMS Alert Order Notifications WordPress plugin before 3.4.7 is affected by a cross site scripting (XSS) vulnerabilit
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to privilege escalation via account t
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insuff
SQL injection in the Cozy Vision 'SMS Alert Order Notifications - WooCommerce' WordPress plugin (all versions up to and
Authentication bypass in the WordPress plugin SMS Alert Order Notifications (versions <= 3.9.3) allows remote unauthenti
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th
Reflected Cross-Site Scripting (XSS) in the SMS Alert Order Notifications WordPress plugin through version 3.7.8 enables
Cozy Vision SMS Alert Order Notifications through version 3.9.0 contains an authorization bypass that allows authenticat
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37639