Sms Alert Sms Otp For Woocommerce Order Notifications Abandoned Cart Recovery
Monthly
Account-takeover privilege escalation in the SMS Alert - SMS & OTP for WooCommerce WordPress plugin (versions up to and including 3.9.5) lets unauthenticated remote attackers change any user's email address and trigger a password reset, seizing administrator accounts. The flaw stems from the OTP-based password-reset flow failing to verify the requester's identity before updating account details. No public exploit has been identified at time of analysis, though the issue was disclosed by Wordfence and carries a 9.8 CVSS rating.
Account-takeover privilege escalation in the SMS Alert - SMS & OTP for WooCommerce WordPress plugin (versions up to and including 3.9.5) lets unauthenticated remote attackers change any user's email address and trigger a password reset, seizing administrator accounts. The flaw stems from the OTP-based password-reset flow failing to verify the requester's identity before updating account details. No public exploit has been identified at time of analysis, though the issue was disclosed by Wordfence and carries a 9.8 CVSS rating.