CVE-2026-11387

Privilege Escalation via Account Takeover in SMS Alert WooCommerce Plugin

Vulnerability report for CVE-2026-11387, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Wordfence

Description

The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updating that user's details. This makes it possible for unauthenticated attackers to change the email address of arbitrary users, including administrators, and leverage that to reset the user's password and gain full access to their account. This is only exploitable on sites with OTP verification for password resets enabled, and where the administrator (or other user) has set a phone number for OTP verification.
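As an added illustration of the CWE-287 pattern the description names (hypothetical WordPress handler code written for this page, not the SMS Alert plugin's own; the helper `example_otp_verified_for_user` and its transient naming are assumptions), the vulnerable form identifies the account to change from the request, while the hardened form derives it from the verified session and binds the OTP step-up to that same user:

```php
<?php
// Hypothetical WordPress handler illustrating CWE-287 (not the SMS Alert plugin's code).
// VULNERABLE: reachable by unauthenticated (nopriv) callers, and the account to
// change is whatever user_id the request names.
add_action( 'wp_ajax_nopriv_update_contact_vuln', 'update_contact_vuln' );
function update_contact_vuln() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $email   = sanitize_email( $_POST['email'] ?? '' );
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}

// HARDENED: logged-in hook only; identity comes from the session, the request is
// nonce-protected, and the OTP step-up must have been verified for this user.
add_action( 'wp_ajax_update_contact_safe', 'update_contact_safe' );
function update_contact_safe() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 ); // wp_send_json_error() exits
    }
    check_ajax_referer( 'update_contact_safe', 'nonce' ); // CSRF token check

    $user_id   = get_current_user_id();
    $requested = absint( $_POST['user_id'] ?? $user_id );
    // Changing someone else's record requires the edit_user capability for that user.
    if ( $requested !== $user_id && ! current_user_can( 'edit_user', $requested ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $user_id = $requested;

    $email = sanitize_email( $_POST['email'] ?? '' );
    $owner = email_exists( $email ); // user id of current holder, or false
    if ( ! is_email( $email ) || ( $owner && $owner !== $user_id ) ) {
        wp_send_json_error( 'invalid or duplicate email', 400 );
    }

    // Step-up: the OTP must have been verified for THIS user in THIS session.
    if ( ! example_otp_verified_for_user( $user_id ) ) {
        wp_send_json_error( 'otp verification required', 403 );
    }

    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}

// Assumed helper: the OTP-verification step is expected to store a short-lived
// transient keyed by user id holding the session token it was verified under.
function example_otp_verified_for_user( $user_id ) {
    return get_transient( 'example_otp_ok_' . $user_id ) === wp_get_session_token();
}
```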


Affected Vendors & Products

1 associated CPE:

Vendor: woocommerce
Product: sms_alert
Version / Range: up to and including 3.9.5

CWE

CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Executive Summary

The vulnerability exists in the SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress, affecting all versions up to and including 3.9.5.

It allows unauthenticated attackers to escalate privileges by taking over user accounts. This happens because the plugin does not properly verify a user's identity before allowing updates to sensitive details such as email addresses.

Attackers can change the email address of any user, including administrators, and then use that to reset the user's password via OTP verification, gaining full access to the account.

This vulnerability only affects sites that have OTP verification enabled for password resets and where the targeted user has a phone number set for OTP verification.

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to gain unauthorized access to user accounts, including administrator accounts.

Once an attacker takes over an administrator account, they can control the entire WordPress site, potentially leading to data theft, site defacement, installation of malicious code, or complete site takeover.

The CVSS score of 9.8 indicates a critical severity, meaning the vulnerability is easy to exploit remotely without any privileges or user interaction, and it results in high confidentiality, integrity, and availability impacts.

Mitigation Strategies

To mitigate this vulnerability, you should update the SMS Alert – SMS & OTP for WooCommerce plugin to a version later than 3.9.5 where the issue is fixed.

Additionally, consider disabling OTP verification for password resets until the plugin is updated, especially if administrators or users have phone numbers set for OTP verification.

Review user accounts for any unauthorized changes, particularly email addresses and passwords, and monitor for suspicious activity.
