Horizon Alert
Summary of the vulnerability and why it matters
This advisory highlights a critical vulnerability in a WordPress plugin used for SMS alerts and notifications. The issue allows unauthenticated attackers to potentially take over any user account, including administrator accounts, by manipulating password reset processes. This is particularly concerning if the site uses OTP verification for password resets and has administrator phone numbers configured.
- Attackers can take over user accounts.
- Confirms exposure to potential account takeover.
- Assess relevance and potential administrator account impact.
Attack Path
How an attacker could exploit the issue
An unauthenticated attacker can initiate an account takeover by exploiting a flaw in how user identities are verified before details are updated. This allows the attacker to change a user's email address, which can then be leveraged to reset the password and gain full control of the targeted account, including administrative ones. This attack is only possible on sites that use OTP verification for password resets and have a phone number configured for it.
- Attacker needs no prior access.
- Triggered by updating user details.
- Risk of full account takeover.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability could allow an unauthenticated attacker to take over any user account, including administrators, on sites that use One-Time Password (OTP) verification for password resets and have a phone number configured for OTP. This is achieved by an attacker changing a user's email address and then using that to reset the password and gain access.
- Administrator accounts and their associated data.
- Unauthenticated attacker changes user email.
- Full account access and potential data compromise.
Operational Fix
Recommended remediation, mitigation, and detection steps
In a real-world scenario, the platform or infrastructure team responsible for the WordPress deployment would likely be the first point of contact. They should collaborate with the application owner of the "SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery" plugin to identify all instances of this technology, confirm if they are exposed externally and are business-critical, and then prioritize remediation efforts based on the potential impact of account takeover. Coordination with the vendor may also be necessary to understand the full scope of the fix and any associated risks.
- Platform and application owners should manage.
- Verify external reachability and business criticality.
- Plan remediation based on exposure and impact.