CVE-2026-54803: WordPress SMS Alert Order Notifications plugin <= 3.9.4 - Privilege Escalation vulnerability
Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass leading to privilege escalation affects the SMS Alert Order Notifications WordPress plugin by Cozy Vision Technologies Pvt. Ltd., versions 3.9.4 and below. The vulnerability is reachable over the network with no authentication required and no user interaction needed, allowing any remote attacker to escalate a subscriber-level account to a higher privilege role. Successful exploitation gives the attacker full read, write, and availability impact on the affected WordPress installation. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched rebuild available the moment a fix version is released.
HarborGuard Coverage
Detection for CVE-2026-54803 is available across every HarborGuard environment: the CVE is matched against customer images within minutes of its ingestion from upstream feeds such as Patchstack, and this covers custom-built images that bundle the WordPress plugin. Any image carrying the SMS Alert Order Notifications plugin at version 3.9.4 or below is flagged automatically in both registry scans and CI pipeline checks.
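To check whether a deployed copy falls inside the affected range named above, here is an added example (not HarborGuard's or the plugin vendor's code) that parses a plugin's WordPress header comment and compares its Version field against 3.9.4. The sample headers are constructed, and matching on the plugin-name prefix is an assumption, since the page does not give the plugin's header name or slug.

```python
import re

# Name and last affected version as stated in the advisory above.
AFFECTED_PLUGIN_NAME = "SMS Alert Order Notifications"
LAST_AFFECTED_VERSION = "3.9.4"

# WordPress reads plugin metadata from the comment header of the main plugin file.
HEADER_RE = re.compile(r"^[ \t/*#]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)

def parse_plugin_header(source: str) -> dict:
    """Return the header fields we need; first occurrence wins, as in WordPress."""
    fields = {}
    for key, value in HEADER_RE.findall(source):
        fields.setdefault(key, value)
    return fields

def version_key(version: str) -> tuple:
    """Ordering key: numeric parts compare numerically (3.10 > 3.9), and a
    pre-release suffix such as '-beta1' sorts below the bare release."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    suffix = m.group(2).strip(" -._").lower()
    numbers += (0,) * (5 - len(numbers))          # 3.9 == 3.9.0
    return numbers + ((0,) if not suffix else (-1, suffix))

def assess(source: str) -> str:
    """Classify a plugin main file: 'affected', 'not affected' or 'unknown'."""
    fields = parse_plugin_header(source)
    # Assumption: real headers may carry a longer name, so match on the prefix.
    if not fields.get("Plugin Name", "").lower().startswith(AFFECTED_PLUGIN_NAME.lower()):
        return "not affected"
    if "Version" not in fields:
        return "unknown"                          # header present but unversioned
    if version_key(fields["Version"]) <= version_key(LAST_AFFECTED_VERSION):
        return "affected"
    return "not affected"

# Constructed sample headers (not real plugin files), one per outcome.
SAMPLE_OLD = "<?php\n/**\n * Plugin Name: SMS Alert Order Notifications\n * Version: 3.9.4\n */\n"
SAMPLE_NEW = "<?php\n/*\nPlugin Name: SMS Alert Order Notifications\nVersion: 3.10.0\n*/\n"
SAMPLE_OTHER = "<?php\n/*\nPlugin Name: Some Other Plugin\nVersion: 1.0\n*/\n"

if __name__ == "__main__":
    for label, src in [("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("other", SAMPLE_OTHER)]:
        print(label, assess(src))
```

Point it at the main file of each installed plugin (the one carrying the header comment) rather than at readme.txt, whose Stable tag can lag the shipped code.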
Triage is available using the CVSS v3.1 base score of 9.8 (Critical), with per-environment compliance policy weighting applied to prioritize routing inside each customer organization. Findings are routed to the appropriate team inbox based on the owning environment's defined escalation rules, ensuring high-severity results surface to the right reviewers without manual sorting.
Because no fix version has been published upstream, HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the vendor ships a remediated release. In the interim, compensating controls such as network-policy isolation for the affected workload are surfaced as recommended actions within the finding detail.
Exploit Conditions
- Network reachability: Required
The plugin endpoint is exposed over the network, meaning an attacker can send malicious requests from anywhere on the internet without needing a foothold on the host.
- Authentication: Not required
No credentials are needed to trigger the privilege escalation; the vulnerability can be reached by any unauthenticated remote party.
- Victim interaction: Not required
The attack is fully automated and does not require a logged-in user to click a link, visit a page, or perform any other action.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special conditions such as race timing, specific memory layout, or environmental configuration.
Blast Radius
- An attacker escalates an unprivileged or subscriber-level WordPress account to a higher role, gaining administrative control over site content, users, and settings.
- With elevated privileges, the attacker reads sensitive stored data including order details, customer records, and SMS notification credentials held by the plugin.
- The attacker modifies or deletes site content, installs malicious plugins or themes, and alters plugin configuration to intercept or redirect SMS alerts.
- The attacker disrupts service availability by removing critical configuration, deactivating plugins, or locking legitimate administrators out of the WordPress dashboard.
How HarborGuard Handles This
CVE-2026-54803 is a critical-severity finding with no upstream fix currently available, so the remediation flow differs from a standard patch-and-rebuild path. HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically once Cozy Vision Technologies Pvt. Ltd. publishes a fixed version of the SMS Alert Order Notifications plugin. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention at that point. While no fix exists, HarborGuard surfaces compensating-control recommendations directly in the finding detail: consider applying Kubernetes network policies or WAF rules to restrict access to the affected WordPress endpoints, and evaluate whether the plugin can be disabled or feature-flag gated in non-production environments. Where compliance policy requires immediate action on Critical-severity unpatched findings, HarborGuard can route an escalation to the defined security inbox for manual review and containment planning.
- Cozy Vision Technologies Pvt. Ltd. / SMS Alert Order Notifications: ≤ 3.9.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H