CVE-2026-32373
Description
Missing Authorization vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SMS Alert Order Notifications: from n/a through <= 3.9.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in SMS Alert Order Notifications plugin (≤3.9.0) allows unauthenticated access to higher-privileged actions.
Vulnerability Overview
The SMS Alert Order Notifications plugin for WordPress (versions n/a through 3.9.0) contains a missing authorization vulnerability. The plugin fails to properly enforce access control checks, allowing unauthenticated users to exploit incorrectly configured security levels [1]. This is a classic broken access control issue where functions lack necessary authentication or nonce token checks.
Exploitation
Attackers can exploit this vulnerability without any prior authentication. The missing authorization means that any unauthenticated visitor to a WordPress site running the vulnerable plugin can trigger higher-privileged actions that should be restricted to administrators or other authorized roles. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites simultaneously [1].
Impact
Successful exploitation allows an attacker to perform actions normally reserved for higher-privileged users, potentially leading to unauthorized configuration changes, data exposure, or further compromise of the WordPress installation. The CVSS v3 base score of 5.4 (Medium) reflects the moderate severity, though the ease of exploitation (no authentication required) increases the practical risk.
Mitigation
The vulnerability has been patched in version 3.9.1 of the plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
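The update advice above can be checked per site by comparing the installed plugin version against the fixed release 3.9.1. The following is an added example, not code from the plugin or from this advisory's source; it assumes the plugin is installed under the default `wp-content/plugins/sms-alert` directory, and the plugin header written by `make_site` is constructed test data.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 9, 1)   # first patched release per the advisory
SLUG = "sms-alert"  # plugin slug from the CVE description
# Same header prefix WordPress accepts: leading spaces, tabs, / * # @
HEADER_NAME = re.compile(rb"^[ \t/*#@]*Plugin Name:", re.I | re.M)
HEADER_VER = re.compile(rb"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.I | re.M)

def parse_version(text):
    """Turn '3.9.0' or '3.9' into a comparable 3-tuple, padding with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def installed_version(wp_root):
    """Return the Version: header value, 'unknown', or None if not installed."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG  # assumed default path
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_bytes()[:8192]  # WordPress reads only the first 8 KB
        match = HEADER_VER.search(head)
        if HEADER_NAME.search(head) and match:
            return match.group(1).decode("ascii", "replace")
    return "unknown"

def audit(wp_root):
    """Classify one WordPress root against the affected range (<= 3.9.0)."""
    version = installed_version(wp_root)
    if version is None:
        return "not-installed"
    if version == "unknown":
        return "review"  # plugin directory present but no readable header
    return "vulnerable" if parse_version(version) < FIXED else "patched"

def make_site(root, version):
    """Build a constructed WordPress tree with a sample plugin header (test data)."""
    plugin_dir = Path(root) / "wp-content" / "plugins" / SLUG
    plugin_dir.mkdir(parents=True)
    header = f"<?php\n/**\n * Plugin Name: Sample header (constructed)\n * Version: {version}\n */\n"
    (plugin_dir / "plugin-main.php").write_text(header)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for v in ("3.9.0", "3.9.1"):
            print(v, audit(make_site(Path(tmp) / v, v)))
```

A `review` result means the plugin directory exists but its header could not be parsed, so the version has to be confirmed by hand.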
Affected products (1)
- Range: <=3.9.0
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.