CVE-2026-54802
Status: Deferred - Pending Action
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated Broken Authentication in the SMS Alert Order Notifications plugin, versions <= 3.9.3.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: patchstack
Product: sms_alert_order_notifications_plugin
Version / Range: up to 3.9.3 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The WordPress SMS Alert Order Notifications Plugin, versions 3.9.3 and earlier, contains a high-priority Broken Authentication vulnerability (CVE-2026-54802).

This flaw allows unauthenticated attackers to perform actions that are normally restricted to higher-privileged users, potentially gaining admin access to the website.

It falls under the OWASP Top 10 category A7: Identification and Authentication Failures.

Impact Analysis

This vulnerability can allow unauthenticated attackers to gain administrative access to your website.

Such unauthorized access can lead to unauthorized changes, data breaches, or control over your website's functionality.

The vulnerability is actively exploitable and has been targeted in mass-exploit campaigns affecting thousands of websites.

Immediate mitigation is necessary to prevent potential damage.

Detection Guidance

The provided resources do not include specific detection methods or commands to identify this vulnerability on your network or system.

Mitigation Strategies

To mitigate the CVE-2026-54802 vulnerability in the WordPress SMS Alert Order Notifications Plugin (versions 3.9.3 and earlier), you should immediately update the plugin to version 3.9.4 or later.

Alternatively, you can apply the mitigation rule provided by Patchstack or enable auto-updates for the plugin to prevent exploitation.

Compliance Impact

The vulnerability is an unauthenticated broken authentication flaw that allows attackers to gain admin access to the website, which falls under OWASP Top 10 category A7: Identification and Authentication Failures.

Such a vulnerability can lead to unauthorized access to sensitive data, potentially impacting compliance with standards and regulations like GDPR and HIPAA that require strong authentication and protection of personal and health information.

Immediate mitigation is necessary to prevent exploitation that could result in data breaches or unauthorized data access, which are critical compliance concerns under these regulations.
