Skip to content

CVE lookup

CVE-2026-11387

Pruva has a verified reproduction for CVE-2026-11387: SMS Alert WordPress plugin <= 3.9.5 allows unauthenticated attackers to change a user’s email and reset their password, leading to account takeover and privilege escalation when OTP password reset verification is enabled.. The canonical evidence record is REPRO-2026-00242.

REPRO

REPRO-2026-00242

Package

sms-alert · WordPress plugin (hosted on WordPress.org SVN, not GitHub)

Severity

CRITICAL

Status

published