CVE-2024-11725
📋 TL;DR
This vulnerability in the SMS Alert Order Notifications WooCommerce plugin allows authenticated attackers with subscriber-level access or higher to modify WordPress site options without proper authorization. Attackers can change the default user registration role to administrator and enable user registration, gaining administrative access to vulnerable WordPress sites. This affects all WordPress sites using the vulnerable plugin version with the woocommerce-warranty plugin installed.
💻 Affected Systems
- SMS Alert Order Notifications – WooCommerce WordPress plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control of the WordPress site, allowing them to install malicious plugins/themes, steal sensitive data, deface the site, or use it as a platform for further attacks.
Likely Case
Attackers create administrator accounts for themselves, gaining persistent access to modify site content, user data, and potentially extract sensitive information.
If Mitigated
With proper access controls and monitoring, unauthorized privilege escalation attempts are detected and blocked before administrative access is obtained.
🎯 Exploit Status
Requires authenticated access (subscriber-level or higher) and the woocommerce-warranty plugin. Attackers need to understand WordPress option manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.7 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/sms-alert/trunk/helper/return-warranty.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'SMS Alert Order Notifications – WooCommerce'.
4. Click 'Update Now' if available, or download version 3.7.7+ from WordPress.org.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the SMS Alert Order Notifications plugin until it is patched:
wp plugin deactivate sms-alert
Remove woocommerce-warranty dependency
Deactivate or remove the woocommerce-warranty plugin to break the exploit chain:
wp plugin deactivate woocommerce-warranty
🧯 If You Can't Patch
- Restrict user registration to prevent attackers from creating administrator accounts
- Implement strict access controls and monitor for unusual option changes in WordPress database
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If SMS Alert Order Notifications is version 3.7.6 or earlier, the site is vulnerable.
Check Version:
wp plugin get sms-alert --field=version
Verify Fix Applied:
Verify plugin version is 3.7.7 or later. Check that the updateWcWarrantySettings() function in return-warranty.php includes proper capability checks.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to admin-ajax.php with updateWcWarrantySettings action
- Sudden changes to WordPress options like default_role or users_can_register
- New administrator account creation from non-privileged users
Network Indicators:
- HTTP requests to /wp-admin/admin-ajax.php with suspicious parameter manipulation
SIEM Query:
source="wordpress.log" AND ("updateWcWarrantySettings" OR "default_role"="administrator" OR "users_can_register"="1")
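The log and option indicators above, turned into a small check (added example, not code from the plugin or the advisory). It assumes a combined-format access log and option values as printed by `wp option get`; the sample log lines are constructed. Note that standard access logs do not record POST bodies, so an action sent only in the body will not appear here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format); not from a real site.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Dec/2024:10:00:01 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Dec/2024:10:02:17 +0000] "POST /wp-admin/admin-ajax.php?action=updateWcWarrantySettings HTTP/1.1" 200 43 "-" "python-requests/2.31"',
    '10.0.0.9 - - [01/Dec/2024:10:02:20 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# AJAX action named in the advisory's log indicators.
SUSPICIOUS_ACTION = "updateWcWarrantySettings"


def scan_access_log(lines):
    """Return (ip, timestamp, action) for every POST to admin-ajax.php whose
    query string carries the vulnerable action. Only the query string is
    inspected because access logs do not contain the POST body."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        action = parse_qs(url.query).get("action", [""])[0]
        if action == SUSPICIOUS_ACTION:
            hits.append((m["ip"], m["ts"], action))
    return hits


def audit_options(options):
    """Flag the two option states the advisory says the exploit chain leaves
    behind. `options` maps option name to the value `wp option get` prints."""
    findings = []
    if options.get("default_role") == "administrator":
        findings.append("default_role is administrator")
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("users_can_register is enabled")
    return findings
```

Feed `audit_options` the output of `wp option get default_role` and `wp option get users_can_register` from the site being checked; either finding on a site that does not intend open registration deserves a look at the user list for new administrators.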
🔗 References
- https://plugins.trac.wordpress.org/browser/sms-alert/trunk/helper/return-warranty.php#L74
- https://plugins.trac.wordpress.org/changeset/3198056/sms-alert/trunk/helper/return-warranty.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3197777%40sms-alert&new=3197777%40sms-alert&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3199795%40sms-alert&new=3199795%40sms-alert&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3207391%40sms-alert&new=3207391%40sms-alert&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/33517dba-78ac-4391-a55e-d1f13801b212?source=cve