miniOrange OTP Verification and SMS Notification for WooCommerce

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders.

Basic Information

ID CVE-2025-14948

Source Wordfence

Published Jan 10, 2026 at 07:03

Affected Product

Vendor cyberlord92

Product miniOrange OTP Verification and SMS Notification for WooCommerce

Version *

Affected Versions cyberlord92 miniOrange OTP Verification and SMS Notification for WooCommerce *

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders.",
    "published": "2026-01-10T07:03:55.561Z",
    "modified": "2026-01-10T07:03:55.561Z",
    "type": "cve",
    "title": "miniOrange OTP Verification and SMS Notification for WooCommerce <= 4.3.8 - Missing Authorization to Unauthenticated Notification Settings Modification",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f84ddc83-2079-45b9-8354-51094581b1f8?source=cve\nhttps://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification/tags/4.3.8/notifications/wcsmsnotification/handler/class-woocommercenotifications.php#L138\nhttps://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification?rev=3423647",
    "id": "CVE-2025-14948",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "cyberlord92 miniOrange OTP Verification and SMS Notification for WooCommerce *",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "miniOrange OTP Verification and SMS Notification for WooCommerce",
    "version": "*",
    "vendor": "cyberlord92",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

miniOrange OTP Verification and SMS Notification for WooCommerce <= 4.3.8 - Missing Authorization to Unauthenticated Notification Settings Modification_CVE-2025-14948