CVE-2025-3876

Name of the Vulnerable Software and Affected Versions SMS Alert Order Notifications – WooCommerce plugin for WordPress versions up to, and including, 3.8.1

Description The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insufficient user OTP validation in the handleWpLoginCreateUserAction() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate any account by supplying its username or email and elevate their privileges to that of an administrator.

Recommendations For versions up to, and including, 3.8.1, consider disabling the handleWpLoginCreateUserAction() function until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the username and email parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.