VYPR
Unrated severity · NVD Advisory · Published Jan 7, 2025 · Updated Apr 8, 2026

SMS Alert Order Notifications – WooCommerce <= 3.7.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

CVE-2024-11725

Description

Missing capability check in SMS Alert plugin for WordPress allows subscribers to escalate privileges to admin by updating arbitrary options.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The SMS Alert Order Notifications – WooCommerce plugin for WordPress, in all versions up to and including 3.7.6, is missing a capability check on the updateWcWarrantySettings() function. Because nothing verifies that the caller is allowed to manage site settings, any authenticated user with Subscriber-level access or higher can reach that function and use it to update arbitrary WordPress options. The vulnerable code path is only present when the woocommerce-warranty plugin is also installed [1].

Exploitation

An attacker with Subscriber-level access invokes the code path that reaches updateWcWarrantySettings(); since the function never checks the caller's capabilities, the request is processed as if it came from an administrator. The attacker crafts the request so that the options written are core WordPress settings rather than the plugin's own: users_can_register is switched on, and default_role is set to administrator, so every account registered from that point on is created as an administrator. No privileges beyond a Subscriber login are needed, but the woocommerce-warranty plugin must be installed for the vulnerable code to be reachable [1].
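The pattern behind this class of bug, shown as an added illustration that is not the plugin's actual code. The advisory names updateWcWarrantySettings() and the two abused options but does not say how the function is exposed, so the AJAX action name, the `settings` request parameter and the allowlisted option keys below are assumptions made for the example. The point to notice is that `wp_ajax_*` actions fire for every logged-in user regardless of role, so without an explicit capability check a Subscriber reaches update_option() with caller-chosen keys.

```php
<?php
// Added example, not code from the SMS Alert plugin. The handler name comes from the
// advisory; the action name, request parameter and allowlist are assumptions.

// Vulnerable pattern: any authenticated user can trigger this action, and the
// option keys come straight from the request, so a Subscriber can send
// settings[users_can_register]=1 and settings[default_role]=administrator.
function updateWcWarrantySettings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    foreach ( $settings as $key => $value ) {
        update_option( $key, $value ); // arbitrary option write
    }
    wp_send_json_success();
}
// add_action( 'wp_ajax_smsalert_update_wc_warranty_settings', 'updateWcWarrantySettings_vulnerable' );

// Hardened pattern: capability check, CSRF nonce, allowlisted keys, per-key sanitisation.
// Option names and their types are assumptions for the example.
const SMSALERT_WC_WARRANTY_ALLOWED_OPTIONS = array(
    'smsalert_wc_warranty_enabled'  => 'boolean',
    'smsalert_wc_warranty_template' => 'text',
);

function updateWcWarrantySettings_hardened() {
    // 1. Authorisation: only users who may manage site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Anti-CSRF: the nonce must have been issued for this action.
    check_ajax_referer( 'smsalert_wc_warranty_settings', 'nonce' );

    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    foreach ( $settings as $key => $value ) {
        // 3. Allowlist: core options such as default_role can never be named here.
        if ( ! array_key_exists( $key, SMSALERT_WC_WARRANTY_ALLOWED_OPTIONS ) ) {
            continue;
        }
        // 4. Sanitise according to the expected type before persisting.
        $clean = ( 'boolean' === SMSALERT_WC_WARRANTY_ALLOWED_OPTIONS[ $key ] )
            ? (bool) $value
            : sanitize_text_field( $value );
        update_option( $key, $clean );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_smsalert_update_wc_warranty_settings', 'updateWcWarrantySettings_hardened' );
```

The allowlist is what makes the fix robust: even if a future change accidentally drops the capability check, the handler can still only write the plugin's own keys, never users_can_register or default_role.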

Impact

Successful exploitation lets the attacker escalate to administrator, either by registering new accounts that receive the administrator role or by assigning administrator access to existing accounts. The attacker then has full administrative control of the WordPress site, which is a complete compromise of its confidentiality, integrity, and availability [1].

Mitigation

The vulnerability is fixed in version 3.9.5 of the plugin, according to the WordPress plugin repository; users should update to 3.9.5 or later immediately. The woocommerce-warranty plugin is a precondition for exploitation, and deactivating it removes the reachable path, but only updating SMS Alert addresses the root cause regardless of which other plugins are installed [1]. Updating does not undo changes an attacker has already made: after patching, verify that users_can_register and default_role still hold their intended values and review the administrator accounts for any that the site owners did not create.
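A post-patch check for the indicators described above, added here as an example and not part of the plugin or the advisory. It is meant to run inside WordPress, for instance with `wp eval-file check-cve-2024-11725.php`. The plugin directory names `sms-alert/` and `woocommerce-warranty/`, the 30-day window for "recent" administrators, and the expectation that default_role is `subscriber` are assumptions; adjust them to the site.

```php
<?php
// Added example, not the plugin's code. Run via WP-CLI: wp eval-file check-cve-2024-11725.php
// Assumptions: plugin directories 'sms-alert/' and 'woocommerce-warranty/', a 30-day
// window for recent administrators, and 'subscriber' as the expected default_role.

function smsalert_cve_2024_11725_check( $days = 30 ) {
    $findings = array();

    // 1. Installed versions: the advisory reports the fix in 3.9.5.
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    foreach ( get_plugins() as $file => $data ) {
        if ( 0 === strpos( $file, 'sms-alert/' ) && version_compare( $data['Version'], '3.9.5', '<' ) ) {
            $findings[] = "sms-alert {$data['Version']} is below 3.9.5; update it";
        }
        if ( 0 === strpos( $file, 'woocommerce-warranty/' ) ) {
            $findings[] = 'woocommerce-warranty is installed: the exploitation precondition is met';
        }
    }

    // 2. The two core options the attack path rewrites.
    if ( get_option( 'users_can_register' ) ) {
        $findings[] = 'users_can_register is enabled';
    }
    $role = get_option( 'default_role' );
    if ( 'subscriber' !== $role ) {
        $findings[] = "default_role is '{$role}' (expected 'subscriber')";
    }

    // 3. Administrators registered inside the window (user_registered is stored in UTC).
    $since = gmdate( 'Y-m-d H:i:s', time() - $days * DAY_IN_SECONDS );
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        if ( $user->user_registered >= $since ) {
            $findings[] = "administrator '{$user->user_login}' registered {$user->user_registered}";
        }
    }
    return $findings;
}

$findings = smsalert_cve_2024_11725_check();
foreach ( $findings as $finding ) {
    if ( class_exists( 'WP_CLI' ) ) {
        WP_CLI::warning( $finding );
    } else {
        echo $finding, PHP_EOL;
    }
}
if ( empty( $findings ) && class_exists( 'WP_CLI' ) ) {
    WP_CLI::success( 'No indicators found' );
}
```

A non-default default_role or an unexpected administrator is not proof of exploitation on its own, but together with an unpatched sms-alert and a present woocommerce-warranty it is the combination this advisory describes and warrants a closer look at the access logs for the period.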

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 1


References: 6

News mentions: 0
