CVE-2024-13553: 
WordPress vulnerability analysis and mitigation

The SMS Alert Order Notifications – WooCommerce plugin for WordPress contains a privilege escalation vulnerability via account takeover in versions up to and including 3.7.9. This vulnerability was discovered and reported by Wordfence, with the CVE identifier CVE-2024-13553 being assigned on April 1, 2025 (NVD, CVE).

The vulnerability stems from the plugin's implementation of Host header validation to determine if the plugin is in a playground environment. This design flaw allows unauthenticated attackers to spoof the Host header, which can force the system to accept "1234" as a valid OTP code. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) (NVD).

When exploited, this vulnerability allows attackers to authenticate as any user on the system, including administrators. This level of access could lead to complete site compromise, as attackers can gain unauthorized administrative access to the WordPress installation (NVD).

The vulnerability was addressed in the development release of the plugin, which includes enhanced sandbox mode options for playground environments. Users are advised to update their installations to the latest version available. The fix involves changes to the plugin's authentication mechanism and improved validation of the Host header (WordPress Plugin).