[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$flLxCSCX_W3fD7hQIeruhD52PCLmU026KwLtdoXnTz5s":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-32373","sms-alert-order-notifications-missing-authorization-2","SMS Alert Order Notifications \u003C= 3.9.0 - Missing Authorization","The SMS Alert Order Notifications plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.9.0. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","sms-alert",null,"\u003C=3.9.0","3.9.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-18 00:00:00","2026-04-15 20:52:44",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F90b7fa47-ca32-41a6-ae9c-e15f361c6398?source=api-prod",57,[22,23,24,25,26],"SMSAlert-wc-order-sms.php","handler\u002Fforms\u002Fwoocommerce\u002Fwc-checkout.php","helper\u002Fconstants.php","js\u002Fadmin.js","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-32373\n\n## 1. Vulnerability Summary\nThe **SMS Alert Order Notifications** plugin (versions \u003C= 3.9.0) contains a missing authorization vulnerability. The plugin registers several administrative actions via an `admin_init` or `init` hook that processes a custom `option` parameter. These actions lack proper capability checks (e.g., `current_user_can( 'manage_options' )`), allowing any authenticated user with access to the WordPress dashboard—specifically users with the **Subscriber** role—to perform sensitive plugin operations such as syncing groups, creating groups, or logging the administrator out of the SMS Alert service.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin.php` or any admin page that triggers `admin_init` (e.g., `\u002Fwp-admin\u002Fprofile.php`).\n- **Hook**: Likely `admin_init` or `init` within the `smsalert_WC_Order_SMS` class.\n- **Query Parameters**: \n    - `option`: Identifies the action to perform (e.g., `smsalert-group-sync`, `smsalert-woocommerce-logout`).\n    - `nonce`: A WordPress nonce (required for some actions).\n    - Other action-specific parameters like `grp_name`.\n- **Authentication**: Required (Subscriber level or higher).\n- **Preconditions**: The plugin must be active. 
For the \"logout\" action, the administrator should ideally be \"logged in\" to the SMS Alert service (API credentials configured).\n\n## 3. Code Flow\n1.  The plugin initializes and hooks a routing function to `admin_init` or `init`.\n2.  The routing function checks for the presence of the `option` parameter in `$_GET`.\n3.  Based on the value of `option`, the code calls specific handler functions:\n    - `smsalert-group-sync` -> Likely calls a method to sync contacts.\n    - `smsalert-woocommerce-logout` -> Calls a method to clear plugin credentials.\n4.  The handlers may check a nonce using `wp_verify_nonce()` or `check_ajax_referer()`, but they **fail to check for administrative capabilities** via `current_user_can()`.\n5.  Since a Subscriber can access `\u002Fwp-admin\u002Fprofile.php`, they trigger the `admin_init` hook, allowing them to execute these functions if they possess a valid nonce.\n\n## 4. Nonce Acquisition Strategy\nThe plugin localizes a nonce for the `smsalert` object in the WordPress admin dashboard.\n\n1.  **Identify Localization**: In `js\u002Fadmin.js`, the functions `verifyUser`, `logout`, and `create_group` all use `smsalert.nonce`.\n2.  **Access for Subscriber**: Subscribers can access the WordPress admin via `\u002Fwp-admin\u002Fprofile.php`.\n3.  **Extraction**:\n    - Use `browser_navigate` to go to `\u002Fwp-admin\u002Fprofile.php` as a Subscriber.\n    - Use `browser_eval` to extract the nonce: `window.smsalert?.nonce`.\n4.  **Special Case**: The `doSASyncNow` function (handling `smsalert-group-sync`) in `js\u002Fadmin.js` (line 45) appears to send a request **without a nonce**:\n    `data:\"option=smsalert-group-sync&grp_name=\"+t`\n    If this action is verified on the backend without a nonce check, it is a zero-precondition authenticated attack.\n\n## 5. 
Exploitation Strategy\n\n### Target Action: `smsalert-woocommerce-logout`\nThis action is chosen because it demonstrates a disruptive \"unauthorized action\" by clearing the site's SMS service configuration.\n\n**Step-by-Step:**\n1.  **Get Nonce**: \n    - Log in as a Subscriber.\n    - Navigate to `\u002Fwp-admin\u002Fprofile.php`.\n    - Extract `window.smsalert.nonce`.\n2.  **Execute Request**:\n    - Send a GET request to `\u002Fwp-admin\u002Fadmin.php?option=smsalert-woocommerce-logout&nonce=[NONCE]`.\n    - Use the `http_request` tool.\n3.  **Analyze Response**:\n    - A successful logout typically returns a JSON response: `{\"status\":\"success\"}` or similar, and the plugin's credentials will be cleared from the database.\n\n### Target Action: `smsalert-group-sync` (Alternative)\nIf `logout` fails due to nonce issues, try the sync action which may lack a nonce entirely.\n- **Request**: `GET \u002Fwp-admin\u002Fadmin.php?option=smsalert-group-sync&grp_name=attack_group`\n\n## 6. Test Data Setup\n1.  Install and activate WooCommerce.\n2.  Install and activate SMS Alert Order Notifications v3.9.0.\n3.  **Configure Plugin**: Go to SMS Alert settings and enter dummy API credentials (e.g., username `testuser`, password `testpass`) so that a \"logout\" action has a visible effect.\n4.  **Create Attacker**: Create a user with the `subscriber` role.\n\n## 7. Expected Results\n- **Logout Action**: The HTTP response should be a JSON success message. Post-exploit, the plugin settings for `smsalert_gateway` or similar should be empty or reset.\n- **Sync Action**: The HTTP response should indicate a success status or a \"sync completed\" message in JSON.\n\n## 8. Verification Steps\n1.  **Check Plugin Options via WP-CLI**:\n    ```bash\n    wp option get smsalert_gateway\n    ```\n    Compare the value before and after the `smsalert-woocommerce-logout` request. If the credentials\u002Fsender ID are removed, the exploit is successful.\n2.  
**Check for Missing Capabilities**:\n    Verify that the Subscriber can indeed trigger the response by checking the HTTP status code (should be 200, not 403).\n\n## 9. Alternative Approaches\nIf `\u002Fwp-admin\u002Fadmin.php` redirects the Subscriber (due to `wp-admin` access restrictions often implemented by security plugins), use `\u002Fwp-admin\u002Fadmin-post.php` or `\u002Fwp-admin\u002Fprofile.php` as the base URL, as both will still trigger the `admin_init` hook where the `option` parameter is likely processed:\n- `GET \u002Fwp-admin\u002Fprofile.php?option=smsalert-woocommerce-logout&nonce=[NONCE]`\n\nIf the `option` is processed via `init` rather than `admin_init`, the exploit can be launched from the frontend:\n- `GET \u002F?option=smsalert-woocommerce-logout&nonce=[NONCE]`","The SMS Alert Order Notifications plugin for WordPress is vulnerable to unauthorized access and actions because several functions lack proper capability checks and nonce validation. Authenticated attackers with subscriber-level permissions or higher can exploit these flaws to send custom SMS messages, sync contact groups, or disconnect the plugin from the SMS Alert service.","\u002F\u002F handler\u002Fforms\u002Fwoocommerce\u002Fwc-checkout.php line 1488\npublic function sendCustomSms( $data )\n{\n    $order_id = empty($_POST['order_id']) ? '' : sanitize_text_field(wp_unslash($_POST['order_id']));\n    $sms_body = empty($_POST['sms_body']) ? 
'' : sanitize_textarea_field(wp_unslash($_POST['sms_body']));\n\n    $buyer_sms_data             = array();\n    if ( version_compare( WC_VERSION, '7.1', '\u003C' ) ) {\n      $buyer_sms_data['number']   = get_post_meta( $order_id, '_billing_phone', true );\n    } else {\n      $order       = wc_get_order($order_id);\n      $buyer_sms_data['number']   = !empty($order->get_billing_phone())?$order->get_billing_phone():$order->get_shipping_phone();\n    }\n    \n    $buyer_sms_data['sms_body'] = $sms_body;\n    $buyer_sms_data             = apply_filters('sa_wc_order_sms_customer_before_send', $buyer_sms_data, $order_id);\n    wp_send_json(SmsAlertcURLOTP::sendsms($buyer_sms_data));\n    exit();\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsms-alert\u002F3.9.0\u002Fhandler\u002Fforms\u002Fwoocommerce\u002Fwc-checkout.php\t2026-01-03 05:02:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsms-alert\u002F3.9.1\u002Fhandler\u002Fforms\u002Fwoocommerce\u002Fwc-checkout.php\t2026-02-11 02:18:12.000000000 +0000\n@@ -1488,21 +1488,24 @@\n      *\u002F\n     public function sendCustomSms( $data )\n     {\n-\t\t$order_id = empty($_POST['order_id']) ? '' : sanitize_text_field(wp_unslash($_POST['order_id']));\n-\t\t$sms_body = empty($_POST['sms_body']) ? '' : sanitize_textarea_field(wp_unslash($_POST['sms_body']));\n+\t\tif(current_user_can('manage_options') && wp_verify_nonce( $_POST['sa_custom_nonce'], 'sacustom_wp_nonce' ))\n+        {\n+\t\t\t$order_id = empty($_POST['order_id']) ? '' : sanitize_text_field(wp_unslash($_POST['order_id']));\n+\t\t\t$sms_body = empty($_POST['sms_body']) ? 
'' : sanitize_textarea_field(wp_unslash($_POST['sms_body']));\n \n-\t\t$buyer_sms_data             = array();\n-\t\tif ( version_compare( WC_VERSION, '7.1', '\u003C' ) ) {\n-\t\t  $buyer_sms_data['number']   = get_post_meta( $order_id, '_billing_phone', true );\n-\t\t} else {\n-\t\t  $order       = wc_get_order($order_id);\n-\t\t  $buyer_sms_data['number']   = !empty($order->get_billing_phone())?$order->get_billing_phone():$order->get_shipping_phone();\n+\t\t\t$buyer_sms_data             = array();\n+\t\t\tif ( version_compare( WC_VERSION, '7.1', '\u003C' ) ) {\n+\t\t\t  $buyer_sms_data['number']   = get_post_meta( $order_id, '_billing_phone', true );\n+\t\t\t} else {\n+\t\t\t  $order       = wc_get_order($order_id);\n+\t\t\t  $buyer_sms_data['number']   = !empty($order->get_billing_phone())?$order->get_billing_phone():$order->get_shipping_phone();\n+\t\t\t}\n+\t\t\t\n+\t\t\t$buyer_sms_data['sms_body'] = $sms_body;\n+\t\t\t$buyer_sms_data             = apply_filters('sa_wc_order_sms_customer_before_send', $buyer_sms_data, $order_id);\n+\t\t\twp_send_json(SmsAlertcURLOTP::sendsms($buyer_sms_data));\n+\t\t\texit();\n \t\t}\n-\t\t\n-\t\t$buyer_sms_data['sms_body'] = $sms_body;\n-\t\t$buyer_sms_data             = apply_filters('sa_wc_order_sms_customer_before_send', $buyer_sms_data, $order_id);\n-\t\twp_send_json(SmsAlertcURLOTP::sendsms($buyer_sms_data));\n-\t\texit();\n     }","The exploit involves an authenticated attacker with Subscriber-level access or higher. \n\n1. Log in to the WordPress dashboard as a Subscriber.\n2. For actions like `logout` or `group-sync`, obtain the `smsalert.nonce` by inspecting the global JavaScript object on an admin page (e.g., `\u002Fwp-admin\u002Fprofile.php`). Note that some actions may not require a nonce in vulnerable versions.\n3. To trigger the sensitive operations, send a request to a dashboard endpoint (like `\u002Fwp-admin\u002Fadmin.php` or via AJAX). 
For sending custom SMS, use a POST request to the AJAX endpoint with `action=wc_sms_alert_sms_send_order_sms`, an existing `order_id`, and the desired `sms_body`. \n4. For service disruption, send a GET request to `\u002Fwp-admin\u002Fadmin.php?option=smsalert-woocommerce-logout&nonce=[NONCE]`, which clears the plugin's API credentials without verifying the user has administrative privileges.","gemini-3-flash-preview","2026-04-19 05:33:25","2026-04-19 05:33:57",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","3.9.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsms-alert\u002Ftags\u002F3.9.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsms-alert.3.9.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsms-alert\u002Ftags\u002F3.9.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsms-alert.3.9.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsms-alert\u002Ftags"]
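Review bot: In the `sendCustomSms` hunk of `handler/forms/woocommerce/wc-checkout.php`, the new guard reads `$_POST['sa_custom_nonce']` directly, without an `isset()` check and without `wp_unslash()` / `sanitize_text_field()`, unlike `order_id` and `sms_body` a few lines below, which are checked with `empty()` and sanitized. A request that omits the field raises an undefined-index notice before `wp_verify_nonce()` runs; check that the key is present and sanitize it first. The failure path is also silent: when either `current_user_can('manage_options')` or the nonce check fails, the function falls out of the `if` with no response and no status code, so the caller cannot tell a rejected request from a broken one. An early return on failure (for example `wp_send_json_error()` with a 403 status) would make the rejection explicit and would avoid re-indenting the whole function body, which is what makes this hunk hard to read. Finally, `manage_options` is the right gate only if sending a custom order SMS is meant to be administrator-only; if shop managers are expected to use it, a WooCommerce capability should be chosen deliberately and the choice documented in the docblock above the function.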