What the vulnerability does
01 Description
The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine whether it is running in a playground environment. This makes it possible for unauthenticated attackers to spoof the Host header so that the OTP code becomes "1234", and thereby authenticate as any user, including administrators.
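The defect is a trust decision based on a client-controlled header. The snippet below is an added illustration, not code from the SMS Alert plugin: it places the Host-based environment check beside a hardened check that takes the environment only from server-side configuration, and fails closed when that configuration is absent. The function names, the SA_PLAYGROUND_MODE constant and the host value playground.example are assumed placeholders; wp_get_environment_type() is the real WordPress core function.

```php
<?php
// Added illustration, not code from the SMS Alert plugin. Function names,
// the SA_PLAYGROUND_MODE constant and the host value are assumed placeholders.

// VULNERABLE PATTERN: environment decided from the request's Host header.
// $_SERVER['HTTP_HOST'] is copied from the client's Host header, so any
// unauthenticated request can claim to come from the playground host.
function sa_is_playground_vulnerable(): bool {
    $playground_host = 'playground.example'; // assumed placeholder
    return isset($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST'] === $playground_host;
}

// HARDENED PATTERN: environment decided by server-side configuration only.
function sa_is_playground_hardened(): bool {
    // Option A: an explicit constant set by the operator in wp-config.php.
    if (defined('SA_PLAYGROUND_MODE')) {
        return SA_PLAYGROUND_MODE === true;
    }
    // Option B (inside WordPress): the core environment type, which is read
    // from the WP_ENVIRONMENT_TYPE constant or environment variable.
    if (function_exists('wp_get_environment_type')) {
        return wp_get_environment_type() === 'local';
    }
    return false; // fail closed: an unknown environment is treated as production
}

// OTP issuance: the fixed demo code is only reachable when the server itself
// says it is a sandbox; every other path gets a cryptographically random code.
function sa_generate_otp(bool $is_playground): string {
    if ($is_playground) {
        return '1234';
    }
    return str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
}

// Self-check with a request whose Host header claims the playground domain:
// the Host-based check is fooled, the configuration-based check is not.
$_SERVER['HTTP_HOST'] = 'playground.example';
if (!sa_is_playground_vulnerable() || sa_is_playground_hardened()) {
    throw new RuntimeException('self-check failed');
}
echo 'Spoofed Host fools only the Host-based check; hardened OTP: '
    . sa_generate_otp(sa_is_playground_hardened()) . PHP_EOL;
```

Run it with `php` on the command line; no WordPress installation is needed because the core function call is guarded by function_exists().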
Explanation of Vulnerability in Simple Terms
02 Summary
The SMS Alert plugin for WooCommerce contains an authentication bypass vulnerability affecting all versions up to and including 3.7.9. An attacker can exploit this flaw to gain unauthorized access to the plugin's functionality without providing valid credentials. This allows complete compromise of the plugin's features, including SMS sending and order notification systems. All users should update immediately.
What an attacker can do
03 Attacker Capabilities
Bypass authentication and gain full control of the plugin's SMS and notification features without valid credentials.
Potential impact on your site
04 Site Impact
Attackers can send unauthorized SMS messages, intercept order notifications, and manipulate abandoned cart recovery campaigns.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication, user interaction, or special configuration required.
Key dates
06 Disclosure timeline
April 1, 2025: CVE published
April 8, 2026: Record updated