SMS Alert Order Notifications
CVE-2025-26988
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Matches the network-reachable, low-complexity SQLi with high confidentiality and no integrity/availability impact; PR:N retained from the source vector but flagged as unverified for the entry point.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
9DescriptionNVD
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications - WooCommerce allows SQL Injection. This issue affects SMS Alert Order Notifications - WooCommerce: from n/a through 3.7.8.
AnalysisAI
SQL injection in the Cozy Vision 'SMS Alert Order Notifications - WooCommerce' WordPress plugin (all versions up to and including 3.7.8) lets remote attackers inject crafted SQL into backend database queries, enabling extraction of arbitrary data such as customer records, order details, and WordPress credential hashes. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable, low-complexity exploitation with high confidentiality impact and no integrity or availability impact, consistent with a read-oriented (e.g. UNION/blind) injection. No public exploit was identified at time of analysis and EPSS is low (0.11%, 30th percentile), but the flaw was reported by Patchstack, a credible WordPress vulnerability research source.
Technical ContextAI
The affected component is a WooCommerce add-on (CPE cpe:2.3:a:cozyvision:sms_alert_order_notifications) that sends SMS notifications for store orders, running atop WordPress/WooCommerce and MySQL/MariaDB. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): user-controllable input is concatenated into a SQL statement without parameterized queries or proper sanitization/escaping (e.g. failure to use WordPress's $wpdb->prepare()). In WordPress plugins this class of bug commonly arises from order-lookup, reporting, or AJAX/REST handlers that pass request parameters straight into a query. Because WordPress stores all site data - including users, password hashes, and WooCommerce customer/order PII - in a shared database, a single injectable query can expose the entire schema.
RemediationAI
No fixed version is named in the available data, so apply the most specific control that holds: upgrade to the latest plugin release above 3.7.8 once Cozy Vision publishes a patched build, confirming the fixed version against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-woocommerce-plugin-3-7-8-sql-injection-vulnerability?_s_id=cve) before deploying - do not assume a version number. If no patch is yet available, deactivate and remove the 'SMS Alert Order Notifications' plugin (trade-off: order SMS notifications stop), or place a WAF/virtual patch in front of the site to block SQL-injection patterns on the plugin's request parameters and endpoints (trade-off: pattern-based rules can be bypassed and may cause false positives on legitimate order data). As defense-in-depth with real impact, restrict the database account used by WordPress to the minimum required privileges and ensure it cannot read tables outside the site schema, and rotate WordPress/WooCommerce credentials and API keys if you suspect the database was already queried.
The SMS Alert Order Notifications WordPress plugin before 3.4.7 is affected by a cross site scripting (XSS) vulnerabilit
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to privilege escalation via account t
Privilege escalation in the WordPress plugin SMS Alert Order Notifications (by Cozy Vision Technologies) versions 3.9.4
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insuff
Authentication bypass in the WordPress plugin SMS Alert Order Notifications (versions <= 3.9.3) allows remote unauthenti
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th
Reflected Cross-Site Scripting (XSS) in the SMS Alert Order Notifications WordPress plugin through version 3.7.8 enables
Cozy Vision SMS Alert Order Notifications through version 3.9.0 contains an authorization bypass that allows authenticat
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all
The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today