CVE-2026-11387

cozyvision1 · SMS Alert – SMS & OTP for WooCommerce

The SMS Alert plugin for WordPress contains an account takeover vulnerability allowing unauthenticated attackers to reset administrator passwords via OTP verification bypass.

Executive summary

An unauthenticated privilege escalation vulnerability in the SMS Alert plugin for WooCommerce allows attackers to hijack administrative accounts and gain full system control.

Vulnerability

The plugin fails to properly validate user identity during the password reset process. This allows an unauthenticated attacker to change the email address associated with an administrative account and subsequently trigger a password reset to gain full control.

Business impact

With a CVSS score of 9.8, this vulnerability is rated critical and poses an extreme risk to e-commerce platforms using this plugin. Successful exploitation grants the attacker administrative privileges, enabling them to manipulate store orders, steal customer data, and potentially install malicious code on the web server, with severe reputational and financial consequences.

Remediation

Immediate Action: Update the cozyvision1 SMS Alert plugin to the latest version without delay; the updated release resolves the identity validation flaw.

Proactive Monitoring: Review user account modification logs for unauthorized email address changes or suspicious password reset requests.

Compensating Controls: Temporarily disable OTP-based password reset functionality if an update cannot be applied immediately to mitigate the attack vector.
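One way to implement the monitoring recommended above, as an added example that is not part of this advisory or of the plugin's code: a WordPress must-use plugin (assumed path wp-content/mu-plugins/admin-email-watch.php) that uses core hooks to log email changes on administrator accounts and password reset requests, so the email-change-then-reset pattern described in the Vulnerability section can be spotted in the server log or a SIEM.

```php
<?php
/*
 * Plugin Name: Admin Email Change Watch (added example, hypothetical)
 * Logs email changes on administrator accounts and password reset
 * requests via core WordPress hooks, for correlation with the
 * email-change-then-reset pattern described in the advisory.
 */

// Fires after a user profile is updated; $old_user_data is the WP_User
// object as it was before the update.
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
    if ( ! user_can( $user_id, 'manage_options' ) ) {
        return; // only administrator-level accounts are of interest here
    }
    $new_email = get_userdata( $user_id )->user_email;
    if ( $new_email === $old_user_data->user_email ) {
        return; // profile update did not touch the email address
    }
    // actor=0 means no logged-in user performed the change, which is
    // exactly the unauthenticated path the advisory warns about.
    error_log( sprintf(
        'ADMIN_EMAIL_CHANGE user_id=%d old=%s new=%s actor=%d ip=%s',
        $user_id,
        $old_user_data->user_email,
        $new_email,
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );
}, 10, 2 );

// Fires when a password reset is requested for a login name.
add_action( 'retrieve_password', function ( $user_login ) {
    $user = get_user_by( 'login', $user_login );
    if ( $user && user_can( $user, 'manage_options' ) ) {
        error_log( sprintf(
            'ADMIN_PASSWORD_RESET_REQUEST user_id=%d login=%s ip=%s',
            $user->ID,
            $user_login,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
    }
} );
```

Both hooks fire only for changes made through core functions (wp_update_user() and the core reset flow); a plugin that writes to the users table directly or runs its own OTP reset path may bypass them, so an absence of entries is not conclusive and the log should be combined with the account audit recommended below.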

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability is critical for any WordPress site running the affected SMS Alert plugin. Administrators should apply the security patch immediately and audit all user accounts for suspicious modifications, confirming that no unauthorized administrative accounts have been created and no existing ones compromised.