CVE-2025-66086
Description
Missing Authorization vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SMS Alert Order Notifications: from n/a through <= 3.8.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in SMS Alert plugin up to v3.8.8 allows unauthenticated attackers to exploit misconfigured access controls, potentially leading to privilege escalation.
The SMS Alert Order Notifications plugin for WordPress (versions up to and including 3.8.8) suffers from a missing authorization vulnerability [1]. This means that certain functions within the plugin do not properly verify that the user has the required privileges, effectively allowing access controls to be bypassed.
An attacker can exploit this vulnerability without any authentication, simply by sending crafted requests to the vulnerable endpoints. Since the vulnerability affects a widely used plugin, it is likely to be targeted in automated mass-exploit campaigns aimed at compromising thousands of WordPress sites [1].
Successful exploitation could allow an unprivileged attacker to perform actions that should be restricted to higher-privileged users, such as modifying order notifications or accessing sensitive data. The exact impact depends on the specific missing authorization checks, but it can lead to unauthorized access and potential site compromise.
To mitigate this issue, users must update the plugin to version 3.8.9 or later, which contains the necessary security fixes. No other workarounds have been provided, so updating is the recommended course of action [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=3.8.8
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.