CVE-2026-11387: SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset
The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. The cause is that the plugin does not properly validate a user's identity before updating that user's details. This makes it possible for unauthenticated attackers to change an arbitrary user's email address, including an administrator's, and leverage that change to reset the user's password and gain full access to the account. Sites are only vulnerable when OTP verification for password resets is enabled and the administrator (or other targeted user) has set a phone number for OTP verification.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass leading to privilege escalation affects the SMS Alert plugin for WordPress (versions up to and including 3.9.5). A remote attacker with no credentials can reset any account's password, including administrator accounts, by exploiting missing identity validation in the OTP-based password reset flow. Successful exploitation gives the attacker full control over the targeted WordPress account, enabling complete site takeover. No upstream fix has been published; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment one becomes available.
HarborGuard Coverage
- Detection capability for CVE-2026-11387 is available across all HarborGuard environments: the CVE is ingested from upstream feeds, including the Wordfence feed, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, covering custom-built WordPress images that bundle this plugin. (Status: Available)
- HarborGuard scores this CVE at 9.8 CRITICAL using the CVSS v3.1 vector and surfaces it at the top of the findings queue; per-environment compliance policy weighting is applied so it routes to the appropriate team inbox within each customer organization. (Status: Available)
- Because no upstream fix version exists, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment cozyvision1 publishes a remediated release. In the interim, the finding remains open and escalated in each affected environment until the upstream patch lands. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required. The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the WordPress site via HTTP or HTTPS.
- Authentication: Not required. No account or credentials are needed; the flaw is exercisable by a completely unauthenticated attacker.
- Victim interaction: Not required. The attacker does not need the target user to click anything or take any action; the password reset request is issued entirely by the attacker.
- Attack complexity: Low (AC:L in the CVSS vector). Exploit conditions are straightforward and reliable: no race conditions or special memory layout are required, though the site must have OTP verification for password resets enabled and the target account must have a phone number configured.
Blast Radius
- Attacker resets an administrator's password and gains full WordPress admin access, including the ability to install arbitrary plugins or themes.
- Attacker reads, modifies, or deletes any content, user data, or WooCommerce order records stored in the database via the admin panel.
- Attacker exfiltrates stored customer PII and payment-related order details accessible through the WooCommerce back-end.
- Attacker deploys malicious code (via plugin or theme upload) to the WordPress instance, enabling persistent server-side execution.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged as CRITICAL with no patch yet available, so the priority action is containment rather than remediation. HarborGuard will re-evaluate the advisory on every ingest cycle and queue a patched-image rebuild automatically once cozyvision1 ships a fix. While no fix exists, recommended compensating controls include applying a Web Application Firewall rule to block unauthenticated requests to the password-reset and OTP verification endpoints, disabling the OTP-based password reset feature in the plugin settings if operationally feasible, and using network policy to restrict public access to wp-admin paths where possible. For customers who opt into auto-remediation, the rebuild plus regression-test run and a PR against affected workloads will be initiated within the standard SLA window once a fix version is published upstream.
Affected Products
- cozyvision1 / SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery: ≤ 3.9.5
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
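Because no fixed version exists, the practical first step for a defender is to confirm whether a WordPress image or host actually bundles an affected build of the plugin. The following inventory check is an added example written for this advisory; it is not HarborGuard's scanner and not the plugin's own code. It assumes the standard WordPress layout where each plugin's main PHP file under wp-content/plugins carries a "Plugin Name:" and "Version:" header, and it identifies the plugin by the "SMS Alert" fragment of the product name given above (the plugin's directory slug is not stated on this page, so the check deliberately matches on the header rather than on a path). The sample header embedded in the script is constructed for demonstration.

```python
import re
import sys
from pathlib import Path

# Constructed sample of a WordPress plugin file header (not copied from the plugin).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery
 * Version: 3.9.5
 */
"""

# Affected range from the advisory: all versions up to and including 3.9.5.
AFFECTED_NAME_FRAGMENT = "SMS Alert"   # assumption: header name contains this fragment
MAX_AFFECTED_VERSION = "3.9.5"

# Matches "Plugin Name: ..." / "Version: ..." lines, with or without a leading " * ".
_HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(text):
    """Return {'Plugin Name': ..., 'Version': ...} from the top of a plugin file.

    WordPress reads only the first 8 KiB of the file for header fields, so the
    same limit is applied here. The first occurrence of each key wins.
    """
    fields = {}
    for key, value in _HEADER_RE.findall(text[:8192]):
        fields.setdefault(key, value)
    return fields


def version_tuple(version):
    """'3.9.5' -> (3, 9, 5). Non-numeric suffixes such as '-beta' are dropped."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(version, max_affected=MAX_AFFECTED_VERSION):
    """True when version <= max_affected, compared component-wise as integers.

    A plain string comparison would wrongly treat '3.10.0' as older than '3.9.5';
    the tuples are zero-padded so '3.9' compares as '3.9.0'.
    """
    a, b = version_tuple(version), version_tuple(max_affected)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def check_header_text(text):
    """Classify one plugin header. Returns (plugin_name, version, affected)."""
    header = parse_plugin_header(text)
    name = header.get("Plugin Name", "")
    version = header.get("Version", "")
    affected = (
        bool(version)
        and AFFECTED_NAME_FRAGMENT.lower() in name.lower()
        and is_affected(version)
    )
    return name, version, affected


def scan_plugins_dir(plugins_dir):
    """Walk wp-content/plugins and return (path, name, version) for affected builds."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        try:
            text = php_file.read_text(errors="replace")
        except OSError:
            continue
        name, version, affected = check_header_text(text)
        if affected:
            findings.append((str(php_file), name, version))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_sms_alert.py /var/www/html/wp-content/plugins
        for path, name, version in scan_plugins_dir(sys.argv[1]):
            print(f"AFFECTED {path}: {name} {version}")
    else:
        print(check_header_text(SAMPLE_PLUGIN_HEADER))
```

Run it against the plugins directory of a mounted image layer or a live host; a non-empty result means the finding above applies and the compensating controls (disabling OTP-based password reset, WAF filtering of the reset endpoints) should be in place until a fixed release is published.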