🔐 CVE Alert

CVE-2025-3876

HIGH 8.8

SMS Alert Order Notifications – WooCommerce <= 3.8.1 - Authenticated (Subscriber+) Privilege Escalation via handleWpLoginCreateUserAction Function

CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th

The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insufficient user OTP validation in the handleWpLoginCreateUserAction() function in all versions up to, and including, 3.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate any account by supplying its username or email and elevate their privileges to that of an administrator.

CWE CWE-862
Vendor cozyvision1
Product sms alert – sms & otp for woocommerce, order notifications & abandoned cart recovery
Published May 10, 2025
Last Updated Apr 8, 2026
Stay Ahead of the Next One

Get instant alerts for cozyvision1 sms alert – sms & otp for woocommerce, order notifications & abandoned cart recovery

Be the first to know when new high vulnerabilities affecting cozyvision1 sms alert – sms & otp for woocommerce, order notifications & abandoned cart recovery are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

cozyvision1 / SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery
0 ≤ 3.8.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/1cf65f79-d386-4dd4-a360-b2f764dfaf19?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/sms-alert/tags/3.8.0/handler/forms/class-wplogin.php#L447 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/sms-alert/tags/3.8.0/handler/forms/class-wplogin.php#L145 wordpress.org: https://wordpress.org/plugins/sms-alert/#developers plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3290478/

Credits

wesley