CVE-2026-32373 Overview
CVE-2026-32373 is a Missing Authorization vulnerability affecting the Cozy Vision SMS Alert Order Notifications WordPress plugin (sms-alert). This broken access control flaw allows attackers to take advantage of incorrectly configured access control security levels, potentially enabling unauthorized actions within affected WordPress installations.
The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to properly verify user permissions before allowing access to sensitive functionality. This type of vulnerability is particularly concerning in e-commerce environments where the SMS Alert plugin is commonly deployed to handle order notifications.
Critical Impact
Authenticated attackers with low privileges can bypass authorization checks to potentially modify plugin settings or access restricted functionality, leading to integrity and availability impacts on affected WordPress sites.
Affected Products
- Cozy Vision SMS Alert Order Notifications plugin for WordPress versions through 3.9.0
- WordPress installations utilizing the sms-alert plugin
- E-commerce sites using SMS notification functionality
Discovery Timeline
- 2026-03-13 - CVE-2026-32373 published to NVD
- 2026-03-16 - Last updated in NVD database
Technical Details for CVE-2026-32373
Vulnerability Analysis
This Missing Authorization vulnerability (CWE-862) in the SMS Alert Order Notifications plugin represents a classic broken access control issue. The vulnerability allows authenticated users with minimal privileges to access functionality that should be restricted to higher-privileged users such as administrators.
The attack requires network access and can be executed by any authenticated user, meaning even subscribers or customers with basic WordPress accounts could potentially exploit this flaw. The vulnerability affects both the integrity and availability of the system, allowing unauthorized modifications and potential disruption of SMS notification services.
Root Cause
The root cause of CVE-2026-32373 lies in missing or inadequate authorization checks within the SMS Alert plugin's code. The plugin fails to properly verify that users have appropriate capabilities before processing certain requests. This is a common issue in WordPress plugins where developers may rely solely on authentication (checking if a user is logged in) without implementing proper authorization (checking if the user has permission to perform the requested action).
WordPress plugins should implement capability checks using functions like current_user_can() to verify user permissions before executing privileged operations. The absence of such checks in the affected versions of the sms-alert plugin creates this security gap.
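As an added illustration of the pattern described above (not code from the sms-alert plugin), the following hypothetical admin-ajax settings handler shows the defect and its fix side by side: the first version relies only on the implicit login check that `wp_ajax_*` hooks provide, the second verifies a capability with current_user_can() and a nonce before changing state. The action name, option key and function names are assumptions made for this example.

```php
<?php
// Added illustration, not code from the sms-alert plugin. The handler
// names, the 'example_save_settings' action and the 'example_plugin_settings'
// option key are assumptions made for this example.

// VULNERABLE PATTERN (CWE-862): wp_ajax_* callbacks only run for logged-in
// users, so authentication is implicit, but nothing checks WHICH user is
// calling. Any subscriber-level account can post action=example_save_settings
// and overwrite the plugin's settings. In the affected pattern this function
// would be hooked exactly like the hardened one below.
function example_save_settings_vulnerable() {
    $settings = array(
        'api_key'   => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'recipient' => sanitize_text_field( wp_unslash( $_POST['recipient'] ?? '' ) ),
    );
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}

// HARDENED PATTERN: authorization (capability) and CSRF protection (nonce)
// are both checked before any state changes.
function example_save_settings_hardened() {
    // Authorization: only users allowed to manage site options may proceed.
    // wp_send_json_error() terminates the request, so nothing below runs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }
    // CSRF: the request must carry a nonce issued for this action; on
    // failure check_ajax_referer() dies and the settings are left untouched.
    check_ajax_referer( 'example_save_settings_nonce', 'nonce' );

    $settings = array(
        'api_key'   => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'recipient' => sanitize_text_field( wp_unslash( $_POST['recipient'] ?? '' ) ),
    );
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}
// Register only the hardened handler, and only for logged-in users: a
// wp_ajax_nopriv_ registration of a privileged action would be a worse bug.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
```

When auditing a plugin for this class of issue, every `wp_ajax_*`, `admin_post_*` and REST route callback should contain an explicit capability check of this kind; for REST routes the equivalent is a non-trivial `permission_callback`.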
Attack Vector
The attack vector is network-based and requires low privileges to exploit. An attacker must first authenticate to the WordPress site with any valid account, even one with minimal permissions. Once authenticated, the attacker can craft requests to access plugin functionality that should be restricted to administrators or other privileged roles.
The vulnerability does not require user interaction, meaning an attacker can exploit it directly without needing to trick a victim into performing any actions. This makes automated exploitation feasible once valid credentials are obtained.
Detection Methods for CVE-2026-32373
Indicators of Compromise
- Unexpected changes to SMS Alert plugin configuration settings
- Unusual API activity or requests to sms-alert plugin endpoints from low-privileged user accounts
- Audit log entries showing plugin administrative actions performed by non-administrator users
- Modified notification templates or recipient lists without authorized changes
Detection Strategies
- Monitor WordPress audit logs for unauthorized access to SMS Alert plugin settings
- Implement Web Application Firewall (WAF) rules to detect anomalous requests to /wp-admin/admin-ajax.php with sms-alert related actions
- Review user activity logs for privilege escalation patterns or unauthorized plugin interactions
- Deploy file integrity monitoring to detect unauthorized changes to plugin configuration files
Monitoring Recommendations
- Enable comprehensive WordPress activity logging using security plugins
- Configure alerts for administrative actions performed by non-administrator accounts
- Monitor network traffic for unusual patterns of requests to the sms-alert plugin endpoints
- Regularly audit user permissions and remove unnecessary accounts with elevated privileges
How to Mitigate CVE-2026-32373
Immediate Actions Required
- Update the SMS Alert Order Notifications plugin to a patched version when available
- Review and restrict user permissions, ensuring only necessary accounts have access to the WordPress dashboard
- Audit plugin settings for any unauthorized modifications
- Consider temporarily disabling the plugin if a patch is not yet available and SMS alerts are not critical
Patch Information
Organizations should monitor the Patchstack Vulnerability Database Entry for updates on available patches. Plugin updates can typically be applied through the WordPress admin dashboard under Plugins > Updates, or by downloading the latest version from the WordPress plugin repository.
Workarounds
- Implement additional access controls at the web server level to restrict access to plugin administrative functions
- Use WordPress security plugins to add extra authorization layers
- Limit the number of registered users with any level of dashboard access
- Apply the principle of least privilege by auditing all user accounts and removing unnecessary access
- Consider using a WAF to block potentially malicious requests targeting the plugin
# WordPress CLI command to list and audit users with admin capabilities
wp user list --role=administrator --fields=ID,user_login,user_email
# Verify plugin version
wp plugin list --name=sms-alert --fields=name,version,status
# Update plugin when patch is available
wp plugin update sms-alert
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.