CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-11387

criticalpublic exploitCVSS 9.8covered by 1 sourcefirst seen 2026-07-01
Public exploit code is available. Proof-of-concept or working exploit code for CVE-2026-11387 is indexed in GitHub PoC. Expect opportunistic scanning and exploitation attempts — prioritize remediation even though it is not (yet) in the CISA KEV catalog.
The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updating their details like reset the password of any user account, including administrators, and gain full access to those accounts. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. This is only vulnerable on sites with OTP verification for password resets enabled, and where the administrator (or other user) has set a phone number for OTP verification.

⚡ Watch CVE-2026-11387

Get an email if CVE-2026-11387 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Exploit availability

Public exploit or proof-of-concept code for CVE-2026-11387 is indexed in these free datasets. Available exploit code raises real-world risk independent of the CVSS score.

Advisory coverage (1)

External references

NVD record for CVE-2026-11387

CVE.org record

Embed the live status

CVE-2026-11387 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-11387 status](https://www.csirts.com/badge/CVE-2026-11387)](https://www.csirts.com/cve/CVE-2026-11387)