The SMS Alert Order Notifications – WooCommerce plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of user input in the sa_verify shortcode. Authenticated users with contributor-level permissions or higher can inject malicious scripts that persist in plugin-generated pages. This occurs because the plugin fails to properly sanitize and escape user-supplied attributes before rendering them in web pages. The vulnerability affects all versions up to 3.8.1. Exploitation requires authenticated access with limited privileges but no user interaction is needed once the malicious script is stored. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and impact on confidentiality and integrity but not availability.

Successful exploitation allows an authenticated attacker with contributor-level access or higher to execute arbitrary JavaScript in the context of affected users' browsers when they visit the injected page. This can lead to theft of sensitive information, session hijacking, or other malicious actions limited to the scope of the affected site. The vulnerability does not impact availability and requires some level of authenticated access, reducing its overall severity compared to unauthenticated XSS.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict contributor-level access to trusted users only and consider disabling or removing the plugin if feasible. Monitor for updates from the vendor and apply patches promptly once available. No vendor advisory or patch links are currently provided.