HarborGuard Database

Severity: CRITICAL | CVE-2026-11387 | CNA: Wordfence

CVE-2026-11387: SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset

The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updating account details such as the email address. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators', and leverage that to reset those users' passwords and gain full access to their accounts. Sites are only vulnerable if OTP verification for password resets is enabled and the administrator (or other targeted user) has set a phone number for OTP verification.

Metrics

  • CVSS v3.1 base score: 9.8
  • Severity: CRITICAL
  • Fixed in: no upstream fix published
  • Affected products: 1

HarborGuard Analysis

Synopsis

An authentication bypass leading to privilege escalation affects the SMS Alert plugin for WordPress (versions up to and including 3.9.5). A remote attacker with no credentials can reset any account's password, including administrator accounts, by exploiting missing identity validation in the OTP-based password reset flow. Successful exploitation gives the attacker full control over the targeted WordPress account, enabling complete site takeover. No upstream fix has been published; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment one becomes available.

HarborGuard Coverage

Detection (Available)

Detection capability for CVE-2026-11387 is available across all HarborGuard environments: the CVE is ingested from upstream feeds, including the Wordfence feed, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, covering custom-built WordPress images that bundle this plugin.

Triage (Available)

HarborGuard scores this CVE at 9.8 CRITICAL using the CVSS v3.1 vector and surfaces it at the top of the findings queue; per-environment compliance policy weighting is applied so it routes to the appropriate team inbox within each customer organization.

Patch (Pending upstream)

Because no upstream fix version exists, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment cozyvision1 publishes a remediated release. In the interim, the finding remains open and escalated in each affected environment until the upstream patch lands.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the WordPress site via HTTP or HTTPS.

  • Authentication: Not required

    No account or credentials are needed; the flaw is exercisable by a completely unauthenticated attacker.

  • Victim interaction: Not required

    The attacker does not need the target user to click anything or take any action; the password reset request is issued entirely by the attacker.

  • Attack complexity: Low (AC:L)

    Exploit conditions are straightforward and reliable: no race conditions or special memory layout are required, though the site must have OTP verification for password resets enabled and the target account must have a phone number configured.

Blast Radius

  • Attacker resets an administrator's password and gains full WordPress admin access, including the ability to install arbitrary plugins or themes.
  • Attacker reads, modifies, or deletes any content, user data, or WooCommerce order records stored in the database via the admin panel.
  • Attacker exfiltrates stored customer PII and payment-related order details accessible through the WooCommerce back-end.
  • Attacker deploys malicious code (via plugin or theme upload) to the WordPress instance, enabling persistent server-side execution.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged as CRITICAL with no patch yet available, so the priority action is containment rather than remediation. HarborGuard will re-evaluate the advisory on every ingest cycle and queue a patched-image rebuild automatically once cozyvision1 ships a fix.

While no fix exists, recommended compensating controls include:

  • applying a Web Application Firewall rule to block unauthenticated requests to the password-reset and OTP verification endpoints;
  • disabling the OTP-based password reset feature in the plugin settings if operationally feasible;
  • using network policy to restrict public access to wp-admin paths where possible.

For customers who opt into auto-remediation, the rebuild plus regression-test run and a PR against affected workloads will be initiated within the standard SLA window once a fix version is published upstream.

Affected packages

  • cozyvision1 / SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery (≤ 3.9.5)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H