CVE-2026-32373
Received Received - Intake

Missing Authorization in Cozy Vision SMS Alert Order Notifications

Vulnerability report for CVE-2026-32373, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-13

Last updated on: 2026-03-16

Assigner: Patchstack

Description

Missing Authorization vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SMS Alert Order Notifications: from n/a through <= 3.9.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-13
Last Modified
2026-03-16
Generated
2026-07-06
AI Q&A
2026-03-13
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
cozy_vision_technologies_pvt_ltd sms_alert_order_notifications From 3.0.0 (inc) to 3.9.0 (inc)
cozy_vision sms_alert_order_notifications to 3.9.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-32373 is a Broken Access Control vulnerability in the WordPress SMS Alert Order Notifications Plugin versions up to and including 3.9.0.

The vulnerability arises from missing authorization, authentication, or nonce token checks within certain functions, which allows unprivileged users (with only subscriber-level privileges) to perform actions that should be restricted to higher-privileged roles.

This issue is classified under the OWASP Top 10 category A1: Broken Access Control.

Impact Analysis

This vulnerability allows unauthorized users to perform actions reserved for higher-privileged roles due to broken access control.

However, the CVSS severity score is 5.4, indicating a low priority and low impact threat.

Exploitation requires only subscriber-level privileges, but the overall impact is considered unlikely to be significant.

Users are advised to update to version 3.9.1 or later where the issue has been patched to mitigate the risk.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate the CVE-2026-32373 vulnerability, you should update the SMS Alert Order Notifications WordPress plugin to version 3.9.1 or later, where the issue has been patched.'}, {'type': 'paragraph', 'content': "Additionally, consider using Patchstack's automated update service for vulnerable plugins to facilitate rapid mitigation."}] [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32373. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart