CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
What the vulnerability does
The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders.
Explanation of Vulnerability in Simple Terms
The miniOrange OTP Verification and SMS Notification for WooCommerce plugin through version 4.3.8 lacks proper authorization checks on certain functions. An attacker without authentication can modify data or settings, though they cannot read sensitive information or disrupt service availability. Update to a version newer than 4.3.8 to resolve this issue.
What an attacker can do
Modify plugin settings or data without logging in.
Potential impact on your site
Attackers can alter OTP and SMS notification configurations, potentially disrupting authentication workflows.
Conditions required to exploit
Network access to the WooCommerce site; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities
