{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-11387/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-07-01T10:32:03.955Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-11387","@id":"https://www.cve.org/CVERecord?id=CVE-2026-11387","description":"The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updating their details like reset the password of any user account, including administrators, and gain full access to those accounts. This makes it possible for unauthenticated attackers to change arbitrary us"},"products":[{"@id":"cpe:2.3:a:cozyvision1:sms_alert_–_sms_\\&_otp_for_woocommerce\\,_order_notifications_\\&_abandoned_cart_recovery:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:cozyvision1:sms_alert_–_sms_\\&_otp_for_woocommerce\\,_order_notifications_\\&_abandoned_cart_recovery:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-07-01T10:32:03.955Z"}]}