CVE lookup
CVE-2026-11387
Pruva has a verified reproduction for CVE-2026-11387: SMS Alert WordPress plugin <= 3.9.5 allows unauthenticated attackers to change a user’s email and reset their password, leading to account takeover and privilege escalation when OTP password reset verification is enabled.. The canonical evidence record is REPRO-2026-00242.
REPRO
REPRO-2026-00242
Package
sms-alert · WordPress plugin (hosted on WordPress.org SVN, not GitHub)
Severity
CRITICAL
Status
published