{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14948", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-19T04:14:38.233Z", "datePublished": "2026-01-10T07:03:55.561Z", "dateUpdated": "2026-04-08T17:33:56.682Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:56.682Z"}, "affected": [{"vendor": "cyberlord92", "product": "miniOrange OTP Verification and SMS Notification for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.3.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders."}], "title": "miniOrange OTP Verification and SMS Notification for WooCommerce <= 4.3.8 - Missing Authorization to Unauthenticated Notification Settings Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f84ddc83-2079-45b9-8354-51094581b1f8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification/tags/4.3.8/notifications/wcsmsnotification/handler/class-woocommercenotifications.php#L138"}, {"url": "https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification?rev=3423647"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abdualrhman Muzamil"}], "timeline": [{"time": "2025-12-19T04:30:06.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-09T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T13:07:44.985945Z", "id": "CVE-2025-14948", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T13:08:10.342Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14948", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T13:07:44.985945Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T13:08:07.591Z"}}], "cna": {"title": "miniOrange OTP Verification and SMS Notification for WooCommerce <= 4.3.8 - Missing Authorization to Unauthenticated Notification Settings Modification", "credits": [{"lang": "en", "type": "finder", "value": "Abdualrhman Muzamil"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "cyberlord92", "product": "miniOrange OTP Verification and SMS Notification for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.3.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-19T04:30:06.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-09T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f84ddc83-2079-45b9-8354-51094581b1f8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification/tags/4.3.8/notifications/wcsmsnotification/handler/class-woocommercenotifications.php#L138"}, {"url": "https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification?rev=3423647"}], "descriptions": [{"lang": "en", "value": "The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:56.682Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14948", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:33:56.682Z", "dateReserved": "2025-12-19T04:14:38.233Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-10T07:03:55.561Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders."}, {"lang": "es", "value": "El plugin miniOrange OTP Verification and SMS Notification for WooCommerce para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la ausencia de una comprobaci\u00f3n de capacidad en la acci\u00f3n AJAX 'enable_wc_sms_notification' en todas las versiones hasta la 4.3.8, inclusive. Esto posibilita que atacantes no autenticados habiliten o deshabiliten la configuraci\u00f3n de notificaciones por SMS para los pedidos de WooCommerce."}], "id": "CVE-2025-14948", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-10T07:16:02.673", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification/tags/4.3.8/notifications/wcsmsnotification/handler/class-woocommercenotifications.php#L138"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification?rev=3423647"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f84ddc83-2079-45b9-8354-51094581b1f8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:27:26.650619+00:00", "value": {"mitigation_remediation": ["Update the miniOrange OTP Verification and SMS Notification for WooCommerce plugin to any release newer than 4.3.8.", "If an update is not feasible, remove or disable the enable_wc_sms_notification AJAX handler to block unauthenticated modification attempts.", "Implement a custom capability check to ensure that only users with the \"manage_woocommerce\" capability (or equivalent) can invoke the notification change action, restoring proper authorization controls."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Settings Modification"}, "threat_synthesis": {"affected_systems": "The vulnerable component is the WordPress plugin \"miniOrange OTP Verification and SMS Notification for WooCommerce\" by cyberlord92. All releases with a version number of 4.3.8 or earlier are impacted. Site operators using these versions on WooCommerce\u2011based e\u2011commerce sites that rely on SMS notifications for order updates are at risk.", "description_and_impact": "The miniOrange OTP Verification and SMS Notification for WooCommerce plugin lacks a capability check on the enable_wc_sms_notification AJAX action in all versions up to 4.3.8. This omission allows any unauthenticated user to trigger the action and enable or disable SMS notification settings for WooCommerce orders. The resulting privilege\u2011bypass can alter order communication behavior, potentially preventing customers from receiving order confirmations or allowing attackers to disable security notifications.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate impact, and the EPSS value of less than 1\u202f% suggests a low probability of exploitation at this time. The weakness is classified as CWE\u2011862 (Missing Authorization). Exploitation requires only a crafted AJAX request to the vulnerable endpoint and does not require authenticated access, making the attack vector remote and straightforward for attackers who discover the endpoint."}}}}, "created": "2026-01-12T14:36:20.190575+00:00", "updated": "2026-04-21T00:30:22.978100+00:00", "vendors": ["miniorange", "miniorange$PRODUCT$otp_verification", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}