Unrated severityNVD Advisory· Published Apr 1, 2025· Updated Apr 8, 2026

SMS Alert Order Notifications – WooCommerce <= 3.7.9 - Unauthenticated Account Takeover/Privilege Escalation

CVE-2024-13553

Description

The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if the plugin is in a playground environment. This makes it possible for unauthenticated attackers to spoof the Host header to make the OTP code "1234" and authenticate as any user, including administrators.

Affected products

SMS Alert/SMS Alert Order Notifications – WooCommercellm-create
Range: <=3.7.9
cozyvision1/SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recoveryv5
Range: 0
WordPress/SMS Alert Order Notificationswp-canonicalize

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000