CVE-2026-32373 in SMS Alert Order Notifications Plugin
Summary
by MITRE • 03/13/2026
Missing Authorization vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SMS Alert Order Notifications: from n/a through <= 3.9.0.
Analysis
by VulDB Data Team • 03/20/2026
The vulnerability identified as CVE-2026-32373 represents a critical missing authorization flaw within the Cozy Vision SMS Alert Order Notifications plugin, specifically impacting versions ranging from the initial release through version 3.9.0. This security weakness stems from incorrectly configured access control security levels that permit unauthorized users to exploit the system's notification mechanisms. The vulnerability falls under the broader category of improper access control issues, which are systematically catalogued under CWE-285 in the Common Weakness Enumeration framework. The affected plugin appears to be designed for e-commerce environments where order notifications are sent via SMS, making it a prime target for attackers seeking to intercept sensitive transactional data.
The technical implementation of this vulnerability manifests through the failure of proper authentication checks within the plugin's notification routing system. Attackers can potentially bypass authorization mechanisms to access order details, customer information, and other sensitive data that should only be available to authorized administrative users. This misconfiguration allows unauthorized parties to trigger or intercept SMS alerts that contain critical business information, including order numbers, customer names, and potentially financial details. The flaw likely exists in the plugin's API endpoints or webhook handlers that process order notifications, where insufficient validation occurs before executing notification delivery functions. Such issues commonly align with ATT&CK technique T1566 which involves the exploitation of vulnerabilities in software to gain unauthorized access to systems and data.
The operational impact of this vulnerability extends beyond simple data exposure, as it creates opportunities for various malicious activities including customer data theft, fraud, and competitive intelligence gathering. Organizations using affected versions of the SMS Alert Order Notifications plugin face significant risks of unauthorized access to their e-commerce transaction data, potentially leading to financial losses and regulatory compliance violations. The vulnerability's scope is particularly concerning given that it affects a widely used plugin that likely serves numerous e-commerce platforms, amplifying the potential attack surface and impact. Security professionals should note that this weakness may also facilitate further attacks as compromised systems often serve as launching points for additional exploitation attempts.
Organizations affected by this vulnerability should immediately implement mitigations including updating to the latest plugin version where the authorization flaw has been addressed. The recommended approach involves verifying that all access control mechanisms are properly configured and that authentication checks are enforced at every point where sensitive data is accessed or processed. System administrators should review current plugin configurations to ensure that notification delivery functions are restricted to authorized personnel only, and that appropriate role-based access controls are implemented. Additional protective measures include monitoring for unauthorized access attempts and implementing network-level controls to restrict access to sensitive endpoints. The vulnerability's classification as a missing authorization issue underscores the importance of comprehensive access control reviews and regular security assessments to prevent similar misconfigurations from occurring in other system components.
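The access-control review recommended above is easiest to explain with code. The following is an added example written for this page; it is not code from the sms-alert plugin and not part of the VulDB or MITRE text. It uses a hypothetical WordPress/WooCommerce plugin route (namespace "example-sms/v1", function names prefixed "example_sms_", and an assumed gateway wrapper) to show the registration mistake that yields a missing-authorization finding (a permission callback that always returns true), the hardened registration that enforces a capability check before the handler runs, an object-level check inside the handler, and a filter that logs every denied request so that repeated unauthorized calls to the notification endpoint become visible in the PHP error log or a SIEM.

```php
<?php
/**
 * Added example for CVE-2026-32373 style review work. Hypothetical plugin code,
 * not the sms-alert plugin's own. Route namespace, function names and the log
 * prefix are assumptions; all WordPress/WooCommerce API calls are real ones.
 */

// --- Weak registration (what an auditor looks for): '__return_true' as the
// permission_callback lets unauthenticated visitors trigger the handler.
add_action('rest_api_init', function () {
    register_rest_route('example-sms/v1', '/order/(?P<id>\d+)/notify-weak', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_sms_notify_order',
        'permission_callback' => '__return_true', // missing authorization
    ]);
});

// --- Hardened registration: capability check on every request and a
// sanitized id argument. The route regex already restricts id to digits.
add_action('rest_api_init', function () {
    register_rest_route('example-sms/v1', '/order/(?P<id>\d+)/notify', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_sms_notify_order',
        'permission_callback' => 'example_sms_can_notify',
        'args'                => [
            'id' => ['required' => true, 'sanitize_callback' => 'absint'],
        ],
    ]);
});

/**
 * Permission callback. WordPress runs it before the handler; returning a
 * WP_Error makes the REST server answer 401 (no session) or 403 (logged in
 * but lacking the capability) without ever reaching example_sms_notify_order().
 */
function example_sms_can_notify(WP_REST_Request $request) {
    if (!current_user_can('manage_woocommerce')) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to send order notifications.',
            ['status' => rest_authorization_required_code()]
        );
    }
    return true;
}

/**
 * Handler. The role check above is not enough on its own: confirm the order
 * exists before reading customer data out of it (object-level check).
 */
function example_sms_notify_order(WP_REST_Request $request) {
    $order = wc_get_order((int) $request['id']);
    if (!$order) {
        return new WP_Error('not_found', 'Unknown order.', ['status' => 404]);
    }
    $sent = example_sms_send($order->get_billing_phone(), 'Order #' . $order->get_id() . ' update');
    return rest_ensure_response(['sent' => (bool) $sent]);
}

/**
 * Assumed gateway wrapper so the file loads on its own; a real plugin would
 * call its SMS provider here. Only the access-control logic matters above.
 */
function example_sms_send($phone, $text) {
    error_log(sprintf('example-sms: would send to %s: %s', $phone, $text));
    return true;
}

// --- Detection: the WP_Error returned by the permission callback passes
// through this filter, so every denied call on the plugin's routes is logged.
add_filter('rest_request_after_callbacks', function ($response, $handler, $request) {
    if (strpos($request->get_route(), '/example-sms/v1/') === 0 && is_wp_error($response)) {
        $data   = $response->get_error_data();
        $status = is_array($data) && isset($data['status']) ? (int) $data['status'] : 0;
        if ($status === 401 || $status === 403) {
            error_log(sprintf(
                'example-sms: denied %s %s from %s (status %d)',
                $request->get_method(),
                $request->get_route(),
                $_SERVER['REMOTE_ADDR'] ?? 'unknown',
                $status
            ));
        }
    }
    return $response;
}, 10, 3);
```

When reviewing a plugin for this class of flaw, the two lines that matter are the `permission_callback` value in each `register_rest_route()` call and the capability tested inside it; a callback of `__return_true`, a missing callback, or a check that only tests `is_user_logged_in()` on an endpoint that exposes order data are the patterns that produce a CWE-285 finding. The same rule applies to `wp_ajax_nopriv_*` hooks, which run for unauthenticated requests by design and should never wrap notification or order-data handlers.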