PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54802 Cozy Vision Technologies Pvt. Ltd. CVE debrief

CVE-2026-54802 is a HIGH-severity vulnerability (CVSS score 7.5) affecting the SMS Alert Order Notifications plugin in versions up to 3.9.3. Broken authentication in the plugin allows unauthenticated attackers to bypass authentication, and successful exploitation could give them access to sensitive information. The vulnerability was published on June 17, 2026, and immediately gained attention due to its high severity and potential impact on WordPress sites using the affected plugin. Users of this plugin should prioritize updating to a patched version.

Vendor: Cozy Vision Technologies Pvt. Ltd.
Product: SMS Alert Order Notifications
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and security teams responsible for WordPress installations using the SMS Alert Order Notifications plugin, especially those with versions up to 3.9.3, should be aware of this vulnerability. Given its high CVSS score, immediate attention is required to assess exposure and apply necessary patches or mitigations.

Technical summary

The vulnerability, identified as CVE-2026-54802, is caused by broken authentication in the SMS Alert Order Notifications plugin: inadequate authentication mechanisms allow unauthenticated access. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. It can be exploited over the network (AV:N) with low attack complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N). Scope is unchanged (S:U), and the impact is rated high for confidentiality (C:H) with none for integrity (I:N) or availability (A:N).

Defensive priority

High

Recommended defensive actions

  • Immediately update the SMS Alert Order Notifications plugin to a version beyond 3.9.3 if currently using a vulnerable version.
  • Review and restrict access to sensitive areas of the WordPress site until the update can be applied.
  • Monitor site logs for any suspicious activity that could indicate exploitation attempts.
  • Consider implementing additional security measures such as two-factor authentication for all users.
  • Regularly update all plugins and themes on the WordPress site to ensure the latest security patches are applied.
  • Use a Web Application Firewall (WAF) to help detect and block exploitation attempts.

Evidence notes

The information provided is based on data from official sources, including the CVE.org and NVD databases. The CVE record and NVD detail pages provide comprehensive information about the vulnerability, including its CVSS score, vector, and potential impacts. Additional details can be found in the mitigation or vendor reference provided by Patchstack.

Official resources

CVE-2026-54802 was published and modified on June 17, 2026.