Skip to main content

SMS Alert Order Notifications CVE-2025-26988

HIGH
SQL Injection (CWE-89)
2025-03-03 audit@patchstack.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Matches the network-reachable, low-complexity SQLi with high confidentiality and no integrity/availability impact; PR:N retained from the source vector but flagged as unverified for the entry point.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

9
Analysis Updated
Jun 26, 2026 - 17:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 26, 2026 - 17:30 vuln.today
v2 (cvss_changed)
Severity Changed
Jun 26, 2026 - 17:22 NVD
CRITICAL HIGH
CVSS changed
Jun 26, 2026 - 17:22 NVD
9.3 (CRITICAL) 7.5 (HIGH)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:42 NVD
HIGH CRITICAL
CVSS changed
Apr 23, 2026 - 15:42 NVD
7.5 (HIGH) 9.3 (CRITICAL)
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.5

DescriptionNVD

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications - WooCommerce allows SQL Injection. This issue affects SMS Alert Order Notifications - WooCommerce: from n/a through 3.7.8.

AnalysisAI

SQL injection in the Cozy Vision 'SMS Alert Order Notifications - WooCommerce' WordPress plugin (all versions up to and including 3.7.8) lets remote attackers inject crafted SQL into backend database queries, enabling extraction of arbitrary data such as customer records, order details, and WordPress credential hashes. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable, low-complexity exploitation with high confidentiality impact and no integrity or availability impact, consistent with a read-oriented (e.g. UNION/blind) injection. No public exploit was identified at time of analysis and EPSS is low (0.11%, 30th percentile), but the flaw was reported by Patchstack, a credible WordPress vulnerability research source.

Technical ContextAI

The affected component is a WooCommerce add-on (CPE cpe:2.3:a:cozyvision:sms_alert_order_notifications) that sends SMS notifications for store orders, running atop WordPress/WooCommerce and MySQL/MariaDB. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): user-controllable input is concatenated into a SQL statement without parameterized queries or proper sanitization/escaping (e.g. failure to use WordPress's $wpdb->prepare()). In WordPress plugins this class of bug commonly arises from order-lookup, reporting, or AJAX/REST handlers that pass request parameters straight into a query. Because WordPress stores all site data - including users, password hashes, and WooCommerce customer/order PII - in a shared database, a single injectable query can expose the entire schema.

RemediationAI

No fixed version is named in the available data, so apply the most specific control that holds: upgrade to the latest plugin release above 3.7.8 once Cozy Vision publishes a patched build, confirming the fixed version against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-woocommerce-plugin-3-7-8-sql-injection-vulnerability?_s_id=cve) before deploying - do not assume a version number. If no patch is yet available, deactivate and remove the 'SMS Alert Order Notifications' plugin (trade-off: order SMS notifications stop), or place a WAF/virtual patch in front of the site to block SQL-injection patterns on the plugin's request parameters and endpoints (trade-off: pattern-based rules can be bypassed and may cause false positives on legitimate order data). As defense-in-depth with real impact, restrict the database account used by WordPress to the minimum required privileges and ensure it cannot read tables outside the site schema, and rotate WordPress/WooCommerce credentials and API keys if you suspect the database was already queried.

CVE-2021-24588 MEDIUM POC
6.1 Sep 06

The SMS Alert Order Notifications WordPress plugin before 3.4.7 is affected by a cross site scripting (XSS) vulnerabilit

CVE-2024-13553 CRITICAL
9.8 Apr 01

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to privilege escalation via account t

CVE-2026-54803 CRITICAL
9.8 Jun 17

Privilege escalation in the WordPress plugin SMS Alert Order Notifications (by Cozy Vision Technologies) versions 3.9.4

CVE-2025-3876 HIGH
8.8 May 10

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insuff

CVE-2026-54802 HIGH
7.5 Jun 17

Authentication bypass in the WordPress plugin SMS Alert Order Notifications (versions <= 3.9.3) allows remote unauthenti

CVE-2025-3878 MEDIUM
6.4 May 10

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th

CVE-2025-26984 MEDIUM
6.1 Mar 03

Reflected Cross-Site Scripting (XSS) in the SMS Alert Order Notifications WordPress plugin through version 3.7.8 enables

CVE-2026-32373 MEDIUM
5.4 Mar 13

Cozy Vision SMS Alert Order Notifications through version 3.9.0 contains an authorization bypass that allows authenticat

CVE-2024-10233 MEDIUM
5.4 Oct 29

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th

CVE-2024-1489 MEDIUM
4.3 Mar 13

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all

CVE-2024-11725 HIGH
8.8 Jan 07

The SMS Alert Order Notifications - WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data

Share

CVE-2025-26988 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy