Security Alert Summary
The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin is affected by a privilege escalation vulnerability that can lead to account takeover in all versions up to and including 3.9.5. An attacker can change a user’s email address without proper identity validation, then use the plugin’s OTP-enabled password reset flow to take over accounts, including administrator accounts, on sites where OTP verification for password resets is enabled and the targeted user has a phone number registered for OTP.
CVE Details
- CVE ID: CVE-2026-11387
- Affected component: SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery (plugin)
- Affected versions: All versions up to and including 3.9.5
- Published: July 1, 2026 at 8:16:20 AM UTC
- Last modified: July 1, 2026 at 1:56:17 PM UTC
- CVSS v3.1: Base score 9.8, Severity: CRITICAL, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Authentication / Privileges / User interaction: No authentication required, Privileges Required: NONE, User Interaction: NONE
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- CWE / weakness: CWE-287 (Improper Authentication)
Technical Details
The plugin fails to properly validate a user’s identity before updating account details such as email addresses. This improper authentication allows an unauthenticated attacker to change an arbitrary user’s email address. When sites have OTP verification enabled for password resets and the targeted account has a registered phone number for OTP, the attacker can then trigger a password reset and complete the OTP flow to take over the account.
References in the disclosure point to handlers and form processing code in the plugin, including files such as handler/forms/class-ultimatemember.php, handler/forms/class-wpresetpassword.php, and handler/smsalert_form_handler.php. These references indicate the flaw is located in the request handling and update logic for password reset and user detail updates, where identity validation checks are missing or insufficient.
The impact is limited to sites that have the OTP-for-password-resets feature enabled and where targeted accounts have a phone number configured for OTP. Sites that do not use OTP for password resets, or where users have not registered a phone number for OTP, are not affected by the described attack vector.
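The root cause described above is an account-detail update that is applied without first establishing who is making the request. As an added illustration (not the plugin's code, and not a reconstruction of it), the hardened handler below shows the checks a WordPress email-change endpoint should perform before touching a user row: a nonce, a logged-in actor with the `edit_user` capability for the target, input validation, re-authentication for self-service changes, and a notice to the old address. All `sa_demo_*` names and form field names are hypothetical.

```php
<?php
// Added example: a hardened "change my email" handler for WordPress.
// Hypothetical names throughout; the plugin's real handlers are not shown here.
// Registering only on wp_ajax_* (not wp_ajax_nopriv_*) keeps anonymous requests out.
add_action( 'wp_ajax_sa_demo_change_email', 'sa_demo_change_email' );

function sa_demo_change_email() {
    // 1. CSRF: the request must carry a nonce bound to this specific action.
    check_ajax_referer( 'sa_demo_change_email', 'nonce' );

    // 2. Identity and authorization: a user_id taken from the request is only
    //    honoured if the logged-in actor is allowed to edit that user.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : get_current_user_id();
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    // 3. Input validation: well-formed address that is not already taken.
    $new_email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $new_email ) || email_exists( $new_email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }

    // 4. Re-authentication: a user changing their own address must present
    //    their current password, so a hijacked session alone is not enough.
    $user = get_userdata( $user_id );
    if ( (int) $user_id === get_current_user_id() ) {
        $current_pw = isset( $_POST['current_password'] ) ? (string) $_POST['current_password'] : '';
        if ( ! wp_check_password( $current_pw, $user->user_pass, $user->ID ) ) {
            wp_send_json_error( 'password check failed', 403 );
        }
    }

    // 5. Apply the change and tell the OLD address, so the real owner can react
    //    if the change was not theirs.
    $old_email = $user->user_email;
    $result    = wp_update_user( array( 'ID' => $user_id, 'user_email' => $new_email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_mail(
        $old_email,
        'Your account email address was changed',
        "Your address was changed to $new_email. If this was not you, contact the site administrator."
    );
    wp_send_json_success();
}
```

Steps 2 and 4 are the ones whose absence turns an email-update form into an account-takeover primitive; the nonce in step 1 does not substitute for them, since a nonce only proves the request came from a page the site rendered.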
How This Could Impact Your Website
Consider a small site where the site owner maintains administrator access, an internal staff member acts as an editor, and an external contractor or contributor performs content updates. If the contractor or any unauthenticated attacker is able to change an editor’s or administrator’s email address via the vulnerable flow and the account is configured for OTP password resets, the attacker could reset that user’s password and gain access to the account. Practical consequences include exposure of internal user email addresses and the potential for account takeover of privileged users.
Such account access could be used to modify content, change site settings, or access private data tied to those accounts. It also raises the likelihood of targeted phishing or social engineering against staff or contractors whose contact information was changed or exposed.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles and remove or limit contributor-level accounts where possible.
- Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
- Disable OTP-for-password-resets if you do not need it, or ensure OTP phone numbers are only set for trusted accounts.
- Remove unused or unmaintained plugins and regularly review plugin permissions and capabilities.
- Monitor site activity and logs for unusual behavior, such as unexpected email changes, password reset attempts, or new administrative logins.
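The last action above is easier to carry out if the site actually records the two events that make up this attack chain. The following must-use plugin is an added example (not part of the advisory or the plugin) that writes an audit line on every email change, password-reset request and completed reset using WordPress core hooks, so an email change on a privileged account followed shortly by a reset stands out. The `sa_audit_*` names and the log path are hypothetical.

```php
<?php
// Added example: drop into wp-content/mu-plugins/ to log the events that
// precede an OTP-based account takeover. Names and log path are hypothetical.

function sa_audit_log( $event, array $fields ) {
    $fields['ip'] = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $line = gmdate( 'c' ) . ' ' . $event . ' ' . wp_json_encode( $fields ) . PHP_EOL;
    // Mode 3 appends to the given file instead of the PHP error log.
    error_log( $line, 3, WP_CONTENT_DIR . '/sa-audit.log' );
}

// Fires after any user row is updated; $old_user_data is the pre-update record.
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
    $user = get_userdata( $user_id );
    if ( $user && $user->user_email !== $old_user_data->user_email ) {
        sa_audit_log( 'email_changed', array(
            'user_id'  => $user_id,
            'old'      => $old_user_data->user_email,
            'new'      => $user->user_email,
            'actor_id' => get_current_user_id(), // 0 means the request was unauthenticated
            'roles'    => $user->roles,          // an administrator here deserves immediate attention
        ) );
    }
}, 10, 2 );

// Fires when core generates a password-reset key for a login name.
add_action( 'retrieve_password_key', function ( $user_login, $key ) {
    sa_audit_log( 'password_reset_requested', array( 'user_login' => $user_login ) );
}, 10, 2 );

// Fires once a password has actually been reset through the core flow.
add_action( 'after_password_reset', function ( $user ) {
    sa_audit_log( 'password_reset_completed', array(
        'user_id' => $user->ID,
        'roles'   => $user->roles,
    ) );
} );
```

A reset flow implemented entirely by a plugin may bypass `retrieve_password_key` and `after_password_reset`, so the `email_changed` entry with `actor_id` 0 or a mismatched actor is the signal to rely on; correlate it with the web server access log for the same timestamp and IP.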
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team is happy to help.
References
- https://plugins.trac.wordpress.org/browser/sms-alert/tags/3.9.5/handler/forms/class-ultimatemember.php#L288
- https://plugins.trac.wordpress.org/browser/sms-alert/tags/3.9.5/handler/forms/class-ultimatemember.php#L88
- https://plugins.trac.wordpress.org/browser/sms-alert/tags/3.9.5/handler/forms/class-wpresetpassword.php#L116
- https://plugins.trac.wordpress.org/browser/sms-alert/tags/3.9.5/handler/forms/class-wpresetpassword.php#L130
- https://plugins.trac.wordpress.org/browser/sms-alert/tags/3.9.5/handler/forms/class-wpresetpassword.php#L68
- https://plugins.trac.wordpress.org/browser/sms-alert/tags/3.9.5/handler/smsalert_form_handler.php#L91
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3587983%40sms-alert&new=3587983%40sms-alert&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c31906da-f2fd-40ac-86e0-3f1ed0409d0c?source=cve