PT-2025-14091 · WordPress · Sms Alert Order Notifications

Lucio Sá · Published 2025-04-01 · Updated 2025-04-05 · CVE-2024-13553

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SMS Alert Order Notifications – WooCommerce plugin for WordPress, versions up to and including 3.7.9

Description: The issue allows privilege escalation via account takeover. The plugin uses the Host header to determine whether it is running in a playground environment, so an unauthenticated attacker can spoof the Host header, have the OTP code set to "1234", and authenticate as any user, including administrators.

Recommendations: For versions up to and including 3.7.9, update to a version higher than 3.7.9 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.
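The root cause described above is an environment check driven by request data. The following PHP is an added illustration written for this advisory, not the plugin's own code: it shows the anti-pattern (a Host-header check that switches on a fixed OTP) next to a hardened replacement that reads the environment from a server-side constant and never weakens the OTP. The constant `SMSALERT_DEMO_MODE`, the `smsalert_otp` meta key, the `playground.example` host value and all function names are hypothetical; `update_user_meta`, `get_user_meta` and `delete_user_meta` are standard WordPress functions.

```php
<?php
// Added example for CVE-2024-13553 (not the plugin's code).
// All names below are hypothetical unless noted as WordPress API.

// --- Vulnerable pattern (hypothetical reconstruction of the described flaw) ---
// The Host header is attacker-controlled, so any unauthenticated request can
// claim to be the playground site and receive a predictable OTP.
function vuln_is_playground(): bool {
    // 'playground.example' is a placeholder, not the plugin's real check.
    return isset($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST'] === 'playground.example';
}

function vuln_generate_otp(): string {
    if (vuln_is_playground()) {
        return '1234'; // fixed code: whoever spoofs the Host header knows it
    }
    return (string) random_int(1000, 9999);
}

// --- Hardened replacement ---
// 1. Environment comes only from server-side configuration (a constant the
//    site owner defines in wp-config.php), never from the request.
// 2. The OTP is random in every environment; demo convenience must not
//    weaken the secret.
// 3. The OTP is stored hashed with an expiry, verified in constant time,
//    and invalidated after a single verification attempt.
function safe_is_playground(): bool {
    return defined('SMSALERT_DEMO_MODE') && SMSALERT_DEMO_MODE === true; // hypothetical constant
}

function safe_generate_otp(): string {
    // Cryptographically secure 6-digit code, zero-padded.
    return str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
}

function safe_store_otp(int $user_id, string $otp, int $ttl = 300): void {
    $record = [
        'hash'    => password_hash($otp, PASSWORD_DEFAULT),
        'expires' => time() + $ttl,
    ];
    update_user_meta($user_id, 'smsalert_otp', $record); // WordPress API
}

function safe_verify_otp(int $user_id, string $submitted): bool {
    $record = get_user_meta($user_id, 'smsalert_otp', true); // WordPress API
    if (!is_array($record) || !isset($record['hash'], $record['expires'])) {
        return false;
    }
    // Single use: drop the record before returning, whether or not it matches,
    // so a wrong guess cannot be retried against the same code.
    delete_user_meta($user_id, 'smsalert_otp'); // WordPress API
    if (time() > $record['expires']) {
        return false;
    }
    return password_verify($submitted, $record['hash']); // constant-time compare
}
```

The decisive change is in `safe_is_playground()`: a deployment property is read from configuration the site owner controls, so no request header can flip the site into demo behaviour. Keeping the OTP random even when demo mode is on means that, should the environment check ever be wrong again, the secret does not become guessable.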

Fix

LPE

Missing Authentication

Authentication Bypass Using an Alternate Path or Channel

Weakness Enumeration

Related Identifiers: CVE-2024-13553

Affected Products: Sms Alert Order Notifications