cleantalk
Vulnerabilities and Security Researches

SMS Alert Order Notifications – WooCommerce, CVE-2024-13553

CVE, Research URL

CVE-2024-13553

Home page URL

Security reports for SMS Alert Order Notifications – WooCommerce

Application

SMS Alert Order Notifications – WooCommerce

Published on
Apr 01, 2025
Research Description
The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if the plugin is in a playground environment. This makes it possible for unauthenticated attackers to spoof the Host header to make the OTP code "1234" and authenticate as any user, including administrators.
Affected versions
max 3.8.0.
Status
vulnerable
Previous vulnerability researches
Admin SMS Alert (CVE-2024-51637) , Nov 05, 2024
SMS Alert Order Notifications – WooCommerce (CVE-2024-11725) , Jan 08, 2025
SMS Alert Order Notifications – WooCommerce (CVE-2025-3878) , May 11, 2025
SMS Alert Order Notifications – WooCommerce (CVE-2025-3876) , May 11, 2025
SMS Alert Order Notifications – WooCommerce (CVE-2024-1489) , Jun 07, 2024
New vulnerability
JB News Ticker (CVE-2025-11804) , Nov 11, 2025
My auctions allegro (CVE-2025-10048) , Nov 11, 2025
Sertifier Certificates & Open Badges – Tutor LMS (CVE-2025-53214) , Nov 11, 2025
Toast Mobile Menu – PageSpeed Insights Friendly (CVE-2025-53238) , Nov 11, 2025
Stripe Payment forms for WordPress Plugin – WP Full Pay (CVE-2025-9322) , Nov 11, 2025