CVE-2024-13553 CRITICAL

CVE-2024-13553: SMS Alert Order Notifications – WooCommerce <= 3.7.9 - Unauthenticated Account Takeover/Privilege Escalation

Vendor Cozyvision1
Product SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery
Weakness CWE-288
Published April 1, 2025
Last update April 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if the plugin is in a playground environment. This makes it possible for unauthenticated attackers to spoof the Host header to make the OTP code "1234" and authenticate as any user, including administrators.
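The Host-header check described above, shown as an added illustration of the vulnerable pattern beside a hardened one. This is not the plugin's code: the function names, the `playground.wordpress.net` hostname marker, the `SMSALERT_DEMO_MODE` constant and the sample request are assumptions made for the example.

```php
<?php
// Added illustration of the CWE-288 pattern in this advisory. This is not
// the plugin's code: function names, the playground hostname marker and the
// SMSALERT_DEMO_MODE constant are assumptions.

// ---- Vulnerable shape ----------------------------------------------------
// The "am I in the playground?" decision is taken from a request header the
// client controls, so any client can opt into the fixed test OTP.
function vuln_is_playground(array $server): bool
{
    $host = $server['HTTP_HOST'] ?? '';
    return strpos($host, 'playground.wordpress.net') !== false; // assumed marker
}

function vuln_verify_otp(array $server, string $submitted, string $stored): bool
{
    if (vuln_is_playground($server)) {
        return $submitted === '1234'; // fixed code, reachable from the network
    }
    return $submitted === $stored;
}

// ---- Hardened shape ------------------------------------------------------
// 1. A demo/test environment is a server-side decision (wp-config.php
//    constant or the WordPress environment type), never a request property.
// 2. Even in demo mode the OTP is random; demo mode only changes where it is
//    delivered (debug log instead of SMS), not what is accepted.
// 3. Verification is a constant-time compare against a hashed, expiring,
//    single-use record.
function safe_is_demo_mode(): bool
{
    if (defined('SMSALERT_DEMO_MODE')) {        // assumed constant name
        return (bool) SMSALERT_DEMO_MODE;
    }
    return function_exists('wp_get_environment_type')
        && wp_get_environment_type() === 'development';
}

function safe_issue_otp(string $phone, callable $send_sms): array
{
    $otp = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $record = [
        'hash'    => hash('sha256', $otp),
        'expires' => time() + 300,   // five-minute lifetime
        'used'    => false,
    ];
    if (safe_is_demo_mode()) {
        error_log("SMS Alert demo OTP for {$phone}: {$otp}");
    } else {
        $send_sms($phone, "Your login code is {$otp}");
    }
    return $record; // persist per user, e.g. as a transient or user meta
}

function safe_verify_otp(string $submitted, array &$record): bool
{
    if ($record['used'] || time() > $record['expires']) {
        return false;
    }
    $ok = hash_equals($record['hash'], hash('sha256', $submitted));
    if ($ok) {
        $record['used'] = true;      // single use
    }
    return $ok;
}

// Constructed request with an attacker-chosen Host header. The vulnerable
// verifier accepts "1234" whatever the real code is; the hardened verifier
// only accepts the randomly issued code, and only once.
$spoofed  = ['HTTP_HOST' => 'playground.wordpress.net'];
$bypassed = vuln_verify_otp($spoofed, '1234', '847261');
$record   = safe_issue_otp('+10000000000', fn ($to, $msg) => null);
$rejected = !safe_verify_otp('1234', $record);
```

The point of the hardened shape is not the specific constant: it is that nothing a client sends can switch verification into a mode that accepts a known value. If a demo mode must exist, it changes delivery of the code, not what the verifier accepts.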

Explanation of Vulnerability in Simple Terms

02 Summary

The SMS Alert plugin for WooCommerce contains an authentication bypass affecting all versions up to and including 3.7.9. The plugin decides whether it is running in a WordPress playground environment by inspecting the Host header of the incoming request, and in that environment it accepts the fixed OTP code "1234". Because the Host header is attacker-controlled, an unauthenticated attacker can send a request with a spoofed Host header and then log in as any existing user, including administrators, without knowing a password or receiving the SMS code. All users should update to a version later than 3.7.9 immediately.

What an attacker can do

03 Attacker Capabilities

Authenticate as any existing user, including administrators, by spoofing the Host header and submitting the fixed OTP code "1234". No password, no access to the victim's phone and no existing account on the site are needed.

Potential impact on your site

04 Site Impact

Full site takeover. An attacker who logs in as an administrator can create further accounts, install plugins or themes, change settings and read or alter WooCommerce customer and order data; control of the plugin's SMS and order-notification features follows as a side effect.

Conditions required to exploit

05 Prerequisites

Network access to the site's OTP login flow only; no authentication, user interaction or special configuration is required. The attacker only needs to set the Host header on their own request, which any HTTP client allows.

Key dates

06 Disclosure timeline

April 1, 2025 CVE published
April 8, 2026 Record updated