VYPR
Unrated severity · NVD Advisory · Published Sep 6, 2021 · Updated Aug 3, 2024

SMS Alert Order Notifications – WooCommerce < 3.4.7 Authenticated Cross Site Scripting

CVE-2021-24588

Description

The SMS Alert Order Notifications plugin for WordPress before 3.4.7 contains an authenticated stored XSS vulnerability in its settings page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The SMS Alert Order Notifications plugin for WordPress (versions before 3.4.7) suffers from a cross-site scripting (XSS) vulnerability in its settings page. The flaw allows an authenticated attacker with administrative privileges to inject arbitrary JavaScript into the plugin's configuration interface. [1]

Exploitation

An attacker must have administrative access to the WordPress site. The attacker can then navigate to the plugin's settings page and inject malicious script into one of the input fields. The script is stored and executed when other administrators view the settings page. [1]

Impact

Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of the admin dashboard. This could result in session hijacking, defacement, or further compromise of the WordPress site. [1]

Mitigation

The vulnerability is fixed in version 3.4.7 of the plugin. Users should update to this version or later. No workarounds are documented. [1]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing output sanitization on the plugin's setting page allows stored cross-site scripting."

Attack vector

An authenticated attacker with access to the plugin's settings page can inject malicious JavaScript into an input field that is not properly sanitized. When the unsanitized input is later rendered in the admin interface, the injected script executes in the context of another administrator's browser session [CWE-79]. The advisory classifies this as a cross-site scripting (XSS) vulnerability on the plugin's setting page [ref_id=1].

Affected code

The plugin's setting page is the affected area. No specific function names or file paths are disclosed in the advisory [ref_id=1].

What the fix does

The advisory states the vulnerability is fixed in version 3.4.7 of the SMS Alert Order Notifications plugin [ref_id=1]. No patch diff is provided, but the fix likely involves adding output escaping or input sanitization to the setting page fields that were previously rendered unsanitized, preventing injected script content from being executed in the browser.
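To make the likely fix concrete, the following is an added, illustrative WordPress settings-field snippet (not code from the SMS Alert Order Notifications plugin, whose field names and files the advisory does not disclose). It uses a hypothetical option name `smsalert_demo_sender` and shows the unescaped render pattern that produces a stored XSS next to the hardened form that escapes on output and sanitizes on save:

```php
<?php
// Added example: hypothetical option name and functions, not the plugin's own code.
// Both renderers read the same stored option; only the output handling differs.

// Vulnerable pattern: the stored option value is concatenated straight into an
// HTML attribute. Any quote or tag saved into the option reaches the browser as markup.
function smsalert_demo_render_field_vulnerable() {
    $value = get_option( 'smsalert_demo_sender', '' );
    echo '<input type="text" name="smsalert_demo_sender" value="' . $value . '">';
}

// Hardened pattern: esc_attr() encodes quotes and angle brackets so the value can
// only ever be attribute text, never markup, regardless of what was stored.
function smsalert_demo_render_field_hardened() {
    $value = get_option( 'smsalert_demo_sender', '' );
    echo '<input type="text" name="smsalert_demo_sender" value="' . esc_attr( $value ) . '">';
}

// Defence in depth: sanitize on save as well, so the option never holds markup.
function smsalert_demo_sanitize( $input ) {
    return sanitize_text_field( $input );
}

add_action( 'admin_init', function () {
    register_setting( 'smsalert_demo_group', 'smsalert_demo_sender', array(
        'type'              => 'string',
        'sanitize_callback' => 'smsalert_demo_sanitize',
    ) );
} );

// The settings page itself should also be gated by capability, so that only users
// with manage_options can reach the form at all.
add_action( 'admin_menu', function () {
    add_options_page(
        'SMS Alert Demo', 'SMS Alert Demo', 'manage_options', 'smsalert-demo',
        function () {
            if ( ! current_user_can( 'manage_options' ) ) {
                wp_die( 'Insufficient permissions.' );
            }
            echo '<form method="post" action="options.php">';
            settings_fields( 'smsalert_demo_group' );
            smsalert_demo_render_field_hardened();
            submit_button();
            echo '</form>';
        }
    );
} );
```

Escaping on output (`esc_attr()` for attributes, `esc_html()` for element text) is the control that directly closes the stored XSS; the sanitize callback and capability check reduce the impact if one renderer is missed.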

Preconditions

  • auth: Attacker must be authenticated and have access to the plugin's settings page
  • config: The vulnerable plugin version must be prior to 3.4.7

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)