Skip to main content

Smart Notification CVE-2025-39479

| EUVDEUVD-2025-18544 CRITICAL
SQL Injection (CWE-89)
2025-06-17 audit@patchstack.com
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Apr 28, 2026 - 20:02 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 14, 2026 - 22:15 euvd
EUVD-2025-18544
Analysis Generated
Mar 14, 2026 - 22:15 vuln.today
CVE Published
Jun 17, 2025 - 15:15 nvd
CRITICAL 9.3

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartiolabs Smart Notification allows Blind SQL Injection. This issue affects Smart Notification: from n/a through 10.3.

AnalysisAI

Blind SQL injection in Smart Notification WordPress plugin through version 10.3 allows remote unauthenticated attackers to extract sensitive database information via specially crafted requests. The vulnerability carries a CVSS score of 9.3 due to network-based attack vector, no required authentication, and potential for cross-scope impact with high confidentiality breach. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability in the wild, and no active exploitation has been confirmed via CISA KEV at time of analysis. Patchstack vulnerability database serves as the primary disclosure source.

Technical ContextAI

This is a classic SQL injection vulnerability (CWE-89) in a WordPress plugin. The Smart Notification plugin from smartiolabs fails to properly sanitize user-supplied input before incorporating it into SQL queries, allowing attackers to inject malicious SQL commands. As a blind SQL injection variant, attackers cannot directly view query results but can infer data through timing attacks, boolean-based logic, or error messages. The WordPress plugin ecosystem commonly suffers from SQL injection when developers use direct database queries without prepared statements or proper input validation. The affected component likely processes user input through WordPress AJAX handlers, REST API endpoints, or front-end forms without adequate parameterization of database calls.

RemediationAI

Primary remediation is to upgrade Smart Notification plugin to a version newer than 10.3 if available, though no specific patched version number is confirmed in the provided intelligence data. Site administrators should check the WordPress plugin repository or smartiolabs official channels for updated releases addressing CVE-2025-39479. Patchstack reference at https://patchstack.com/database/wordpress/plugin/smio-push-notification/vulnerability/wordpress-smart-notification-plugin-10-3-sql-injection-vulnerability may contain additional remediation guidance. If no patched version exists or immediate upgrade is not feasible, implement compensating controls: disable and deactivate the Smart Notification plugin entirely until a fix is available, restrict WordPress admin access to trusted IP addresses only, implement web application firewall (WAF) rules to detect SQL injection patterns in HTTP requests targeting the plugin's endpoints (noting this may cause false positives and requires ongoing tuning), enable database query logging to detect exploitation attempts (with performance overhead considerations), and review database access logs for suspicious query patterns. For environments requiring the notification functionality, consider temporary replacement with alternative WordPress notification plugins that have recent security audits.

Share

CVE-2025-39479 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy