Skip to main content

SMS Alert Order Notifications EUVDEUVD-2026-37639

| CVE-2026-54803 CRITICAL
Incorrect Authorization (CWE-863)
2026-06-17 Patchstack
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Subscriber role is required to reach the vulnerable endpoint, so PR:L (not PR:N); network-reachable HTTP, no user interaction, and full admin takeover yields C/I/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 11:53 vuln.today

DescriptionCVE.org

Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions.

AnalysisAI

Privilege escalation in the WordPress plugin SMS Alert Order Notifications (by Cozy Vision Technologies) versions 3.9.4 and earlier allows low-privileged users - specifically Subscriber-level accounts - to elevate their permissions on the WordPress site. Patchstack catalogued this as an authorization/authentication-bypass class issue (CWE-863). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Register Subscriber account via open signup
Delivery
Authenticate to WordPress
Exploit
Send crafted request to vulnerable plugin endpoint
Install
Bypass capability check (CWE-863)
C2
Escalate role to Administrator
Execute
Upload malicious plugin for RCE
Impact
Full site and order-data takeover

Vulnerability AssessmentAI

Exploitation The SMS Alert Order Notifications plugin (≤ 3.9.4) must be installed and activated on a WordPress site, and the attacker must be able to authenticate as a Subscriber-level user - which on sites with open user registration enabled (a common default for WooCommerce stores) is effectively unauthenticated, because anyone can self-register a Subscriber account. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD/Patchstack CVSS 3.1 vector is 9.8 (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H), but this conflicts with the advisory title 'Subscriber Privilege Escalation,' which by definition requires an authenticated Subscriber account - that would normally drive PR:L and a base score nearer 8.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a Subscriber account on a target WordPress site (or uses an existing one), then issues a crafted request to a vulnerable plugin endpoint that fails to verify capabilities, elevating their role to Administrator. From there the attacker installs a malicious plugin or theme to obtain code execution on the server, enabling full site takeover and pivot into WooCommerce order/PII data. …
Remediation Upgrade the SMS Alert Order Notifications plugin to any version released after 3.9.4 once the vendor publishes a fix; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-plugin-3-9-4-privilege-escalation-vulnerability) is the authoritative source for the patched version and should be monitored. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit all WordPress installations for SMS Alert Order Notifications plugin versions 3.9.4 and earlier; immediately disable or remove the plugin from all affected sites; review WordPress security audit logs for evidence of unauthorized privilege escalations by Subscriber-level accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-24588 MEDIUM POC
6.1 Sep 06

The SMS Alert Order Notifications WordPress plugin before 3.4.7 is affected by a cross site scripting (XSS) vulnerabilit

CVE-2024-13553 CRITICAL
9.8 Apr 01

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to privilege escalation via account t

CVE-2025-3876 HIGH
8.8 May 10

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insuff

CVE-2025-26988 HIGH
7.5 Mar 03

SQL injection in the Cozy Vision 'SMS Alert Order Notifications - WooCommerce' WordPress plugin (all versions up to and

CVE-2026-54802 HIGH
7.5 Jun 17

Authentication bypass in the WordPress plugin SMS Alert Order Notifications (versions <= 3.9.3) allows remote unauthenti

CVE-2025-3878 MEDIUM
6.4 May 10

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th

CVE-2025-26984 MEDIUM
6.1 Mar 03

Reflected Cross-Site Scripting (XSS) in the SMS Alert Order Notifications WordPress plugin through version 3.7.8 enables

CVE-2026-32373 MEDIUM
5.4 Mar 13

Cozy Vision SMS Alert Order Notifications through version 3.9.0 contains an authorization bypass that allows authenticat

CVE-2024-10233 MEDIUM
5.4 Oct 29

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th

CVE-2024-1489 MEDIUM
4.3 Mar 13

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all

CVE-2024-11725 HIGH
8.8 Jan 07

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data

Share

EUVD-2026-37639 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy