Medium severity5.3NVD Advisory· Published Jan 10, 2026· Updated Apr 15, 2026

CVE-2025-14948

Description

The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_wc_sms_notification AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders.

Affected products

WordPress/Miniorange Sms Order Notification Otp Verificationinferred
Range: <=4.3.8
Package: https://wordpress.org/plugins/miniorange-sms-order-notification-otp-verification
Miniorange/OTP Verification and SMS Notification for WooCommercellm-create
Range: <=4.3.8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification/tags/4.3.8/notifications/wcsmsnotification/handler/class-woocommercenotifications.phpnvd
plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verificationnvd
www.wordfence.com/threat-intel/vulnerabilities/id/f84ddc83-2079-45b9-8354-51094581b1f8nvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000