Skip to content
Verified reproduction

CVE-2026-11387: SMS Alert WordPress plugin <= 3.9.5 allows unauthenticated attackers to change a user’s email and reset their password, leading to account takeover and privilege escalation when OTP password reset verification is enabled.

CVE-2026-11387 is verified against sms-alert · WordPress plugin (hosted on WordPress.org SVN, not GitHub) affected versions: <= 3.9.5 fixed version: 3.9.6 vulnerability class: Privilege Escalation This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00242.

REPRO-2026-00242 sms-alert · WordPress plugin (hosted on WordPress.org SVN, not GitHub) Privilege Escalation Variant found Jul 6, 2026 .txt
Severity CRITICAL
Confidence HIGH
Reproduced in 22m 56s
Tool calls 321
Spend $7.05
Affected <= 3.9.5
Fixed in 3.9.6
$ pruva-verify REPRO-2026-00242
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00242/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress fails to properly validate a user’s identity before updating account details during password reset flows. An unauthenticated attacker can change arbitrary users’ email addresses (including administrators), then trigger a password reset to take over the account.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/artifact_promotion_manifest.json13.4 KB
bundle/vuln_variant/source_identity.json1.9 KB
bundle/vuln_variant/root_cause_equivalence.json2.3 KB
bundle/repro/reproduction_steps.sh15.8 KB
bundle/repro/rca_report.md10.2 KB
bundle/repro/runtime_manifest.json1.1 KB
bundle/repro/validation_verdict.json1.2 KB
bundle/logs/exploit_vuln_step2_headers.txt0.4 KB
bundle/logs/exploit_fixed_step2_headers.txt0.3 KB
bundle/logs/reproduction_steps.log4.2 KB
bundle/logs/patch_diff_wpresetpassword.txt1.1 KB
bundle/logs/exploit_vuln_step1_response.html29.5 KB
bundle/logs/exploit_vuln_step2_response.html0.0 KB
bundle/logs/exploit_vuln_cookies.txt0.3 KB
bundle/logs/exploit_fixed_step1_response.html29.5 KB
bundle/logs/exploit_fixed_step2_response.html72.7 KB
bundle/logs/exploit_fixed_cookies.txt0.3 KB
bundle/logs/php-server.log0.6 KB
bundle/vuln_variant/reproduction_steps.sh16.3 KB
bundle/vuln_variant/rca_report.md10.7 KB
bundle/vuln_variant/patch_analysis.md7.4 KB
bundle/vuln_variant/variant_manifest.json4.3 KB
bundle/vuln_variant/validation_verdict.json1.2 KB
bundle/vuln_variant/runtime_manifest.json1.6 KB
bundle/logs/vv_vuln_step2_headers.txt0.4 KB
bundle/logs/vv_fixed_step2_headers.txt0.3 KB
bundle/logs/vuln_variant_reproduction.log2.2 KB
bundle/logs/vv_vuln_step1.html33.5 KB
bundle/logs/vv_vuln_step1_headers.txt0.7 KB
bundle/logs/vv_vuln_step2.html0.0 KB
bundle/logs/vv_vuln_cookies.txt0.2 KB
bundle/logs/vv_fixed_step1.html33.5 KB
bundle/logs/vv_fixed_step1_headers.txt0.7 KB
bundle/logs/vv_fixed_step2.html81.2 KB
bundle/logs/vv_fixed_cookies.txt0.2 KB
bundle/logs/vv-php-server.log4.2 KB