cleantalk
Vulnerabilities and Security Researches

SMS Alert Order Notifications – WooCommerce, CVE-2025-3876

CVE, Research URL

CVE-2025-3876

Home page URL

Security reports for SMS Alert Order Notifications – WooCommerce

Application

SMS Alert Order Notifications – WooCommerce

Published on
May 10, 2025
Research Description
The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insufficient user OTP validation in the handleWpLoginCreateUserAction() function in all versions up to, and including, 3.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate any account by supplying its username or email and elevate their privileges to that of an administrator.
Affected versions
Min -, max 3.8.2.
Status
vulnerable
Previous vulnerability researches
Panda Pods Repeater Field (CVE-2022-4306) , Jun 06, 2024
Pods – Custom Content Types and Fields (CVE-2024-11849) , Jan 07, 2025
Pods – Custom Content Types and Fields (CVE-2025-1446) , May 08, 2025
Pods – Custom Content Types and Fields (CVE-2014-7956) , Jun 07, 2024
Pods – Custom Content Types and Fields (CVE-2023-6999) , Jun 07, 2024
New vulnerability
SMS Alert Order Notifications – WooCommerce (CVE-2025-3876) , May 11, 2025
SMS Alert Order Notifications – WooCommerce (CVE-2025-3878) , May 11, 2025
WordPress Review Plugin: The Ultimate Solution for Building a Review Website (CVE-2025-2158) , May 11, 2025
Drag and Drop Multiple File Upload for WooCommerce (CVE-2025-4403) , May 11, 2025
Contact Us By Lord Linus (CVE-2025-1382) , May 11, 2025