The SMS Alert Order Notifications – WooCommerce plugin, developed by cozyvision1, suffers from a critical privilege escalation vulnerability identified as CVE-2025-3876. The root cause is a missing authorization check (CWE-862) in the handleWpLoginCreateUserAction() function, which fails to properly validate user One-Time Passwords (OTPs) during login or user creation workflows. This flaw allows any authenticated user with at least Subscriber-level privileges to impersonate other users by submitting their username or email address. Consequently, attackers can escalate their privileges to administrator level, gaining full control over the WordPress site. The vulnerability affects all plugin versions up to and including 3.8.1, which is widely used in WooCommerce environments for SMS order notifications. The CVSS v3.1 base score is 8.8, reflecting its network attack vector, low attack complexity, required privileges at the low level, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability poses a significant risk due to the ease of exploitation and the critical access gained upon successful attack. The lack of available patches at the time of publication necessitates immediate attention from site administrators.

Successful exploitation of CVE-2025-3876 enables attackers to fully compromise affected WordPress sites by escalating from low-privilege Subscriber accounts to administrator accounts. This can lead to unauthorized access to sensitive customer data, modification or deletion of e-commerce orders, injection of malicious code or backdoors, disruption of site availability, and potential lateral movement within the hosting environment. Organizations relying on WooCommerce with this plugin are at risk of financial fraud, reputational damage, and regulatory non-compliance due to data breaches. The vulnerability’s network accessibility and lack of user interaction requirements increase the likelihood of automated or targeted attacks. Given WooCommerce’s extensive use in global e-commerce, the impact can be widespread, affecting online retailers of all sizes.

1. Immediately upgrade the SMS Alert Order Notifications – WooCommerce plugin to a patched version once released by cozyvision1. Monitor vendor advisories for updates. 2. Until a patch is available, restrict plugin usage to trusted users only and consider disabling the plugin temporarily to prevent exploitation. 3. Implement strict access controls to limit Subscriber-level accounts and regularly audit user roles and permissions. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests attempting to exploit the handleWpLoginCreateUserAction() function. 5. Monitor WordPress logs for unusual login or user creation activities, especially those involving privilege changes. 6. Enforce multi-factor authentication (MFA) for all administrative accounts to reduce risk if privilege escalation occurs. 7. Conduct regular security assessments and penetration tests focusing on WordPress plugins and authentication flows. 8. Backup site data frequently and maintain incident response plans to quickly recover from compromises.