WordPress Plugin Vulnerabilities

SMS Alert Order Notifications – WooCommerce < 3.7.0 - Cross-Site Request Forgery

Description

The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.9. This is due to missing or incorrect nonce validation on the processBulkAction function. This makes it possible for unauthenticated attackers to delete pages and posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
sms-alert
Fixed in 3.7.0

References

CVE
CVE-2024-1489
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e7a28382-facb-43a7-892a-8ca9e7f0f62b

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Verified
No
WPVDB ID
0093bc3f-fd78-4095-a6d6-ce68c25a14af

Timeline

Publicly Published
2024-02-26 (about 2 years ago)
Added
2024-02-26 (about 2 years ago)
Last Updated
2024-02-26 (about 2 years ago)

Other

Published
Title
Published
2026-01-28
Title
UsersWP < 1.2.54 - Cross-Site Request Forgery
Published
2024-05-07
Title
Squelch Tabs and Accordions Shortcodes < 0.4.8 - Cross-Site Request Forgery
Published
2023-06-02
Title
Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery (CSRF)
Published
2025-11-29
Title
Duplicate Content Cure <= 1.0 - Cross-Site Request Forgery
Published
2023-06-26
Title
Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite < 1.0.0 - CSRF to Stored XSS