CVE-2026-54802: WordPress SMS Alert Order Notifications plugin <= 3.9.3 - Broken Authentication vulnerability
Unauthenticated Broken Authentication in SMS Alert Order Notifications <= 3.9.3 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: no fix version published yet
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a broken authentication vulnerability in the SMS Alert Order Notifications WordPress plugin by Cozy Vision Technologies Pvt. Ltd., affecting all versions up to and including 3.9.3. The flaw is reachable over the network with no authentication required and no user interaction needed. Successful exploitation gives an attacker read access to sensitive data protected by the authentication layer the plugin fails to enforce. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built WordPress images that bundle this plugin.
HarborGuard scores this CVE at CVSS 7.5 HIGH and weights it against each environment's compliance policy to determine urgency and routing, sending findings to the appropriate team inbox within the customer org.
Patched image: pending upstream. No fix version has been published by the vendor. HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger without manual intervention.
Exploit Conditions
- Network reachability: Required
The plugin endpoint is exposed over the network, meaning an attacker can reach it from the internet without any prior foothold on the host.
- Authentication: Not required
No credentials or session token of any kind are required; the attack works against anonymous HTTP requests.
- Victim interaction: Not required
The attacker does not need to trick or wait for any user to take an action; exploitation is fully attacker-driven.
- Attack complexity: Low
Exploitation is reliable and condition-free, requiring no race conditions, special memory layout, or environmental setup.
Blast Radius
- A successful attacker reads data that the broken authentication mechanism was meant to protect, which in an order notification context may include customer phone numbers, order details, and SMS API credentials stored by the plugin.
- No integrity impact is indicated by the CVSS vector, so write access to the database or plugin configuration is not directly enabled by this vulnerability alone.
- No availability impact is indicated, meaning the service itself is not crashed or disrupted by this exploit.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively monitored against every image in connected customer registries that includes the SMS Alert Order Notifications plugin at an affected version. Because no vendor patch exists yet, HarborGuard re-evaluates the advisory on each ingest cycle. When an upstream fix is published, a patched-image rebuild becomes available immediately. For customers who opt into auto-remediation, the pipeline will execute a rebuild, run regression tests, and open a PR against affected workloads without requiring manual steps. In the interim, compensating controls worth considering include network-policy rules that restrict external HTTP access to the WordPress admin and plugin endpoints, egress filtering to limit where the plugin can send outbound SMS API calls, and auditing stored plugin settings for exposed API keys or credentials that may have been read by an unauthorized party.
Affected Products
- Cozy Vision Technologies Pvt. Ltd. / SMS Alert Order Notifications: ≤ 3.9.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N