External risk intelligence

WordPress SMS Alert Plugin Account Takeover Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-11387

The vulnerability exists in a WordPress plugin designed for customer-facing e-commerce functionality, such as order notifications and OTP verification. Plugins installed on public-facing websites to facilitate user interactions or account management are inherently reachable from the internet as part of the standard web application surface.

Authentication Bypass

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory highlights a critical vulnerability in a WordPress plugin used for SMS alerts and notifications. The issue allows unauthenticated attackers to potentially take over any user account, including administrator accounts, by manipulating password reset processes. This is particularly concerning if the site uses OTP verification for password resets and has administrator phone numbers configured.

  • Attackers can take over user accounts.
  • Confirms exposure to potential account takeover.
  • Assess relevance and potential administrator account impact.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can initiate an account takeover by exploiting a flaw in how user identities are verified before details are updated. This allows the attacker to change a user's email address, which can then be leveraged to reset the password and gain full control of the targeted account, including administrative ones. This attack is only possible on sites that use OTP verification for password resets and have a phone number configured for it.

  • Attacker needs no prior access.
  • Triggered by updating user details.
  • Risk of full account takeover.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to take over any user account, including administrators, on sites that use One-Time Password (OTP) verification for password resets and have a phone number configured for OTP. This is achieved by an attacker changing a user's email address and then using that to reset the password and gain access.

  • Administrator accounts and their associated data.
  • Unauthenticated attacker changes user email.
  • Full account access and potential data compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

In a real-world scenario, the platform or infrastructure team responsible for the WordPress deployment would likely be the first point of contact. They should collaborate with the application owner of the "SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery" plugin to identify all instances of this technology, confirm if they are exposed externally and are business-critical, and then prioritize remediation efforts based on the potential impact of account takeover. Coordination with the vendor may also be necessary to understand the full scope of the fix and any associated risks.

  • Platform and application owners should manage.
  • Verify external reachability and business criticality.
  • Plan remediation based on exposure and impact.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the SMS Alert plugin for WooCommerce?

It is a WordPress extension that handles transactional messaging, such as SMS order notifications and abandoned cart recovery. It also provides extra security features for e-commerce sites, including One-Time Password (OTP) verification for user accounts. By integrating directly with WooCommerce, it allows store owners to communicate with customers and manage account verification steps via mobile devices.

What does CVE-2026-11387 mean for my site security?

This CVE describes a flaw classified as Improper Authentication (CWE-287). In plain terms, the plugin fails to verify who is making a request before allowing changes to sensitive account details. Because of this, an attacker can modify a user's registered email address without logging in, ultimately letting them reset that user's password and take full control of the account, including administrative profiles.

How can an attacker trigger this vulnerability?

An attacker targets the plugin's identity verification process during account updates. The vulnerability only triggers if the website has specifically enabled OTP verification for password resets and the target user—such as an administrator—has a phone number already saved in their account profile. If OTP verification for password resets is disabled or no phone number is configured for the target, the specific conditions for this takeover path are not met.

Do I need to worry if my WordPress site is public?

Yes. Halo Surface Signal identifies this as an external vulnerability because the plugin is designed for customer-facing e-commerce tasks. Because these features are inherently reachable from the internet to facilitate user interactions, your site is exposed to anyone who can access your WordPress login or registration flows. This accessibility makes it a primary target for unauthorized account takeovers.

When should I take action against this threat?

You should prioritize this immediately if you use the SMS Alert plugin. Start by confirming if your site has the vulnerable OTP password reset feature enabled. Coordinate with your team to audit all WordPress installations for this specific plugin. Once identified, follow vendor guidance to apply security updates or remove the plugin until a secure version is verified, effectively closing the window for unauthorized account access.

References