CVE-2026-11387 Overview
CVE-2026-11387 is an authentication flaw in the SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress. The vulnerability affects all versions up to and including 3.9.5. The plugin fails to properly validate a user's identity before updating account details, allowing unauthenticated attackers to change arbitrary users' email addresses and reset their passwords. Sites are only vulnerable when OTP verification for password resets is enabled and the target user has registered a phone number for OTP verification. The weakness is tracked as [CWE-287: Improper Authentication].
Critical Impact
Unauthenticated attackers can take over any account, including administrator accounts, resulting in full site compromise.
Affected Products
- SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress
- All plugin versions up to and including 3.9.5
- WordPress sites with OTP verification for password resets enabled
Discovery Timeline
- 2026-07-01 - CVE-2026-11387 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-11387
Vulnerability Analysis
The SMS Alert plugin exposes password reset and account update flows that rely on OTP verification via SMS. The plugin does not adequately verify that the requester owns the account being modified before applying changes. As a result, an unauthenticated attacker can submit crafted requests to change an arbitrary user's email address, then trigger a password reset delivered to the attacker-controlled email. This account takeover chain succeeds against any account with a registered phone number, including administrators. Full administrative access permits arbitrary content changes, plugin and theme installation, and pivoting into further attacks such as webshell deployment.
Root Cause
The root cause is missing identity validation across the plugin's form handlers responsible for OTP-based password reset and user detail updates. Reference source files include handler/forms/class-ultimatemember.php, handler/forms/class-wpresetpassword.php, and handler/smsalert_form_handler.php in the 3.9.5 tag. The handlers accept user-controlled parameters that identify the target account without binding the request to an authenticated session or a verified OTP challenge tied to the account owner.
Attack Vector
Exploitation occurs over the network without authentication or user interaction. An attacker submits crafted HTTP POST requests to the plugin's OTP-related endpoints on a vulnerable WordPress site. The attacker replaces the account's email address, requests a password reset, and completes the reset using the value delivered to the attacker's mailbox. See the Wordfence Vulnerability Report and the WordPress SMS Alert Changeset for the fix details.
No verified public exploit code is available at this time. Refer to the WordPress SMS Alert Form Handler and WordPress Password Reset Class Code for the vulnerable code paths.
Detection Methods for CVE-2026-11387
Indicators of Compromise
- Unexpected changes to WordPress user email addresses, especially for administrator accounts.
- Password reset events for privileged accounts that were not initiated by the account owner.
- New administrator accounts, plugin installations, or theme changes following an unrecognized login.
- HTTP POST requests to SMS Alert plugin endpoints referencing user IDs or emails from unauthenticated sessions.
Detection Strategies
- Monitor WordPress audit logs for user_email field changes and correlate with the originating IP address and session.
- Alert on password reset completions immediately following an email change on the same account within a short time window.
- Inspect web server access logs for unauthenticated POST traffic to SMS Alert form handler URLs on sites running plugin versions at or below 3.9.5.
Monitoring Recommendations
- Enable a WordPress activity log plugin that records user profile modifications and authentication events.
- Forward WordPress and web server logs to a central SIEM for correlation across account modification and login events.
- Baseline administrator login sources and alert on logins from previously unseen IP addresses or geolocations after a profile change.
How to Mitigate CVE-2026-11387
Immediate Actions Required
- Update the SMS Alert plugin to a version later than 3.9.5 that includes the fix referenced in the plugin changeset.
- Temporarily disable the plugin's OTP verification for password resets until the update is applied.
- Audit all administrator and privileged accounts for unauthorized email changes and force password resets from a trusted channel.
- Review recent plugin, theme, and user account changes for signs of post-exploitation activity.
Patch Information
The vendor released a fix tracked in the WordPress SMS Alert Changeset. Site administrators should install the patched version through the WordPress plugin updater and verify the installed version is greater than 3.9.5. Additional technical context is available in the Wordfence Vulnerability Report.
Workarounds
- Disable the SMS Alert plugin entirely on sites where an immediate update is not possible.
- Turn off the OTP-based password reset feature in the plugin settings to eliminate the vulnerable code path.
- Remove phone numbers from administrator accounts to break the exploitation precondition.
- Restrict access to WordPress plugin endpoints using a web application firewall rule that blocks unauthenticated requests to the SMS Alert form handlers.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

