CVE-2024-10233

6.4 MEDIUM

📋 TL;DR

The plugin's sa_subscribe shortcode does not sufficiently sanitize user-supplied attribute values and escape them on output. An authenticated attacker with contributor-level access or higher can therefore store a script payload in a post or page, and the script runs in the browser of anyone who renders that page, including an editor or administrator who previews a pending contributor submission. All WordPress sites running SMS Alert Order Notifications plugin versions up to and including 3.7.5 are affected.

💻 Affected Systems

Products:
  • SMS Alert Order Notifications - WooCommerce WordPress Plugin
Versions: All versions up to and including 3.7.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated user with the contributor role or higher; affects any WordPress site with a vulnerable plugin version installed and active.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A payload stored by a contributor runs in an administrator's browser when the administrator previews or views the page. WordPress sets its authentication cookies HttpOnly, so direct cookie theft is unlikely; the realistic path is the script issuing requests inside the administrator's session (creating a new administrator account, editing theme or plugin files) to take over the site, install a backdoor, or redirect visitors to phishing or malware sites.

🟠 Likely Case

An attacker with contributor access stores a payload in a post or page that executes for every visitor who renders it, harvesting form input or other page data, or displaying unwanted content.

🟢 If Mitigated

With contributor accounts restricted and a Content Security Policy in place, impact is limited to defacement or minor data leakage from the affected pages.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated WordPress account with at least the contributor role. The attacker places a sa_subscribe shortcode with a crafted attribute value in a post or page. Because contributors cannot publish, the payload typically fires first when an editor or administrator previews the pending submission, and, once published, for any visitor to the page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.6 or later

Fix Changeset: https://plugins.trac.wordpress.org/changeset/3175629/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'SMS Alert Order Notifications - WooCommerce'.
4. Click 'Update Now' if available, or download the latest version from the WordPress plugin repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Remove Contributor Role Access (all platforms)

Until the patch is applied, temporarily restrict contributor-level users from creating or modifying posts and pages (for example, demote them to Subscriber), and avoid previewing pending contributor submissions, since the preview renders the shortcode in the reviewer's own session.

Disable Plugin (all platforms)

Deactivate the SMS Alert plugin if it is not critically needed until it is patched. Deactivation does not remove payloads already stored in post content; audit and clean them before re-enabling the plugin.

🧯 If You Can't Patch

  • Deploy a Content Security Policy that disallows inline scripts (nonce- or hash-based script-src). Test it first: WordPress core, themes and many plugins emit inline scripts, so removing 'unsafe-inline' outright commonly breaks both the front end and wp-admin.
  • Review and audit all posts and pages containing the sa_subscribe shortcode, especially those created by contributor-level users, looking for attribute values that contain quotes, angle brackets, event-handler names (onload=, onerror=, ...) or javascript: URLs.
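The audit above can be scripted. The following is an added example for this advisory, not code from the plugin or from WordPress. It assumes two exports produced with WP-CLI (both commands and their exact field names are assumptions): `wp post list --post_type=post,page --post_status=any --fields=ID,post_author,post_status,post_content --format=json > posts.json` and `wp user list --role=contributor --field=ID > contributors.txt`. It scans every sa_subscribe shortcode occurrence, parses its attributes the way WordPress-style shortcode syntax is written, flags values carrying HTML or event-handler metacharacters, and marks which posts belong to contributor accounts. The embedded sample posts are constructed for the demonstration.

```python
"""Audit exported WordPress post content for sa_subscribe shortcodes with
suspicious attribute values. Added example for CVE-2024-10233; not part of
the SMS Alert plugin or of WordPress."""
import json
import re
import sys

# Opening sa_subscribe tag; group 1 is the raw attribute string.
SHORTCODE_RE = re.compile(r"\[sa_subscribe\b([^\]]*)\]", re.IGNORECASE)

# WordPress-style shortcode attributes: key="v", key='v' or key=v (unquoted).
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Characters and tokens that have no business in a plain label/text attribute:
# angle brackets, a double quote inside a single-quoted value (attribute
# breakout), event-handler names, javascript: URLs, and entity-encoded variants.
SUSPICIOUS_RE = re.compile(
    r"""[<>"]|javascript\s*:|on\w+\s*=|&(?:#x?[0-9a-f]+|quot|lt|gt);""",
    re.IGNORECASE,
)

# Constructed sample shaped like `wp post list --format=json` output (assumed shape).
SAMPLE_POSTS = [
    {"ID": 101, "post_author": "2", "post_status": "publish",
     "post_content": '<p>Stay informed.</p>[sa_subscribe title="Order updates by SMS"]'},
    {"ID": 102, "post_author": "7", "post_status": "pending",
     "post_content": "[sa_subscribe title='\" onmouseover=\"alert(document.cookie)']"},
    {"ID": 103, "post_author": "7", "post_status": "draft",
     "post_content": "[sa_subscribe title='<img src=x onerror=alert(1)>'] Newsletter"},
    {"ID": 104, "post_author": "3", "post_status": "publish",
     "post_content": "No shortcode here."},
]
# Constructed: user IDs that hold the contributor role.
SAMPLE_CONTRIBUTORS = {7}


def parse_atts(raw):
    """Parse a shortcode attribute string into a {name: value} dict."""
    atts = {}
    for m in ATTR_RE.finditer(raw):
        key = m.group(1).lower()
        # Exactly one of the three value groups matched; take it.
        value = next(v for v in m.groups()[1:] if v is not None)
        atts[key] = value
    return atts


def audit_posts(posts, contributor_ids):
    """Return one finding per sa_subscribe occurrence across all posts.

    Each finding records the post, its author, whether that author is a
    contributor, and every attribute whose value looks like markup or script.
    """
    findings = []
    for post in posts:
        author = int(post["post_author"])
        for m in SHORTCODE_RE.finditer(post.get("post_content") or ""):
            atts = parse_atts(m.group(1))
            bad = {k: v for k, v in atts.items() if SUSPICIOUS_RE.search(v)}
            findings.append({
                "post_id": int(post["ID"]),
                "author": author,
                "status": post["post_status"],
                "by_contributor": author in contributor_ids,
                "suspicious_atts": bad,
                "shortcode": m.group(0),
            })
    return findings


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as fh:
            posts = json.load(fh)
        with open(argv[2]) as fh:
            contributors = {int(line) for line in fh if line.strip()}
    else:
        posts, contributors = SAMPLE_POSTS, SAMPLE_CONTRIBUTORS
    for f in audit_posts(posts, contributors):
        verdict = "SUSPICIOUS" if f["suspicious_atts"] else "ok"
        role = "contributor" if f["by_contributor"] else "other role"
        print(f'post {f["post_id"]} [{f["status"]}] author {f["author"]} ({role}): '
              f'{verdict} {f["shortcode"]}')


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed sample, or as `python audit_sa_subscribe.py posts.json contributors.txt` against real exports. Treat every flagged occurrence, and every occurrence authored by a contributor, as something to inspect by hand; the regex is a triage heuristic, not a parser of the plugin's exact output, so a clean result does not prove a post is safe.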

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → SMS Alert Order Notifications - WooCommerce → Version number. If version is 3.7.5 or lower, system is vulnerable.

Check Version:

wp plugin list --name='sms-alert' --field=version (if WP-CLI installed)

Verify Fix Applied:

After update, verify plugin version shows 3.7.6 or higher in WordPress admin plugins list.

📡 Detection & Monitoring

Log Indicators:

  • Post or page creation and edits by contributor accounts (POST requests to /wp-admin/post.php or the /wp-json/wp/v2/posts REST route), especially when followed shortly by an editor or administrator previewing the pending post
  • Multiple failed login attempts followed by a successful contributor login
  • WordPress core does not log content changes on its own; an activity-log plugin or a periodic scan of post_content for the sa_subscribe shortcode is needed to see the stored payload itself

Network Indicators:

  • The rendered subscribe form on a page carrying inline script, event-handler attributes or external script references that are not part of the plugin's normal markup (the shortcode text itself does not appear in the HTTP response; only its rendered output does)

SIEM Query (pseudo-query over web-server access logs; field names depend on your log source):

source="access.log" AND method="POST" AND (uri_path="/wp-admin/post.php" OR uri_path="/wp-json/wp/v2/posts*")

Correlate the matching client addresses or authenticated usernames with contributor accounts; a query that only searches for the strings "sa_subscribe" or "contributor" matches nothing useful, because neither appears in access logs.
