
PatchSiren cyber security CVE debrief

CVE-2026-54803 Cozy Vision Technologies Pvt. Ltd. CVE debrief

A critical vulnerability in the SMS Alert Order Notifications WordPress plugin, tracked as CVE-2026-54803 and published on June 17, 2026, allows a subscriber-level account to escalate its privileges because of inadequate access controls. It carries a CVSS score of 9.8 and affects plugin versions up to and including 3.9.4. The issue was reported by Patchstack. Organizations running an affected version should update to a patched release as soon as possible, since the flaw's impact on site security makes it critical.

Vendor: Cozy Vision Technologies Pvt. Ltd.
Product: SMS Alert Order Notifications
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and security teams responsible for WordPress installations that use the SMS Alert Order Notifications plugin should be aware of this vulnerability, especially on sites where untrusted users can hold subscriber-level accounts. Given the critical severity and the potential for privilege escalation, the issue needs immediate attention to prevent exploitation.

Technical summary

CVE-2026-54803 is a critical vulnerability in the SMS Alert Order Notifications plugin for WordPress, affecting versions up to 3.9.4. The issue allows for subscriber privilege escalation due to insufficient access controls. The CVSS:3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a high impact on confidentiality, integrity, and availability. The vulnerability is classified under CWE-863, Improper Access Control.

Defensive priority

critical

Recommended defensive actions

  • Update the SMS Alert Order Notifications plugin to a version beyond 3.9.4 immediately.
  • Review and restrict subscriber-level access controls to prevent unauthorized privilege escalation.
  • Implement additional monitoring to detect and respond to potential exploitation attempts.
  • Consider enhancing access controls and authentication mechanisms for WordPress installations.
  • Regularly review and update all plugins and themes to ensure they are current and patched.
  • Limit the use of subscriber-level accounts to minimize the attack surface.
  • Consult the official CVE record and vendor references for further guidance and updates.
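The first action above is a version check against the stated affected range (up to 3.9.4). The following script, added to this debrief and not code from the vendor, Patchstack or PatchSiren, reads the plugin's main-file "Version:" header from a WordPress install tree and reports whether the installed build falls inside the affected range. The plugin directory name "sms-alert" is an assumption and should be confirmed against wp-content/plugins on the site being checked; the sample header embedded at the bottom is constructed for demonstration.

```python
"""Check a WordPress install for an affected SMS Alert Order Notifications
build (CVE-2026-54803 affects versions up to and including 3.9.4).

Added example for this debrief; not vendor or Patchstack code. The plugin
folder name below is an ASSUMPTION, not taken from the advisory.
"""
import re
import sys
import tempfile
from pathlib import Path

AFFECTED_MAX = "3.9.4"      # stated in the advisory: versions up to 3.9.4
PLUGIN_SLUG = "sms-alert"   # ASSUMPTION: plugin folder under wp-content/plugins

# Matches a WordPress plugin header line such as " * Version: 3.9.4".
_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(version: str) -> tuple:
    """Turn '3.9.4' into (3, 9, 4). A pre-release suffix such as '3.9.5-rc1'
    is dropped, and short versions are padded so '3.10' compares as (3, 10, 0)."""
    nums = [int(x) for x in re.findall(r"\d+", version.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version: str) -> bool:
    """True when the installed version is at or below the affected maximum."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def version_from_header(php_source: str):
    """Extract the Version: header value from plugin main-file source, or None."""
    match = _HEADER_RE.search(php_source)
    return match.group(1) if match else None


def assess_source(php_source: str) -> str:
    """Classify a plugin main file's source as affected, patched or unknown."""
    version = version_from_header(php_source)
    if version is None:
        return "unknown: no Version header found"
    if is_affected(version):
        return f"{version}: AFFECTED (update past {AFFECTED_MAX})"
    return f"{version}: patched"


def find_plugin_version(wp_root, slug: str = PLUGIN_SLUG):
    """Read the Version header from the first top-level .php file that has one."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / slug
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        version = version_from_header(php.read_text(errors="ignore"))
        if version:
            return version
    return None


def assess_install(wp_root) -> str:
    """Report the plugin's status for a WordPress root directory."""
    version = find_plugin_version(wp_root)
    if version is None:
        return "not installed (or plugin folder name differs from the assumed slug)"
    return assess_source(f"Version: {version}")


# Constructed sample header, in the shape of a WordPress plugin main file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: SMS Alert Order Notifications
 * Version: 3.9.4
 */
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:
        # No WordPress root given: build a throwaway tree holding the sample header.
        root = Path(tempfile.mkdtemp())
        plugin_dir = root / "wp-content" / "plugins" / PLUGIN_SLUG
        plugin_dir.mkdir(parents=True)
        (plugin_dir / f"{PLUGIN_SLUG}.php").write_text(SAMPLE_HEADER)
    print(assess_install(root))
```

Run it as `python check_sms_alert.py /var/www/html` against a real install; with no argument it evaluates the constructed sample and reports it as affected. The comparison is numeric per component rather than a string compare, so 3.10.0 is correctly treated as newer than 3.9.4.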

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and Patchstack. The CVE was published and modified on June 17, 2026. The vulnerability's details and impact are derived from official sources and should be considered reliable.
