Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
5DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartiolabs Smart Notification allows Blind SQL Injection. This issue affects Smart Notification: from n/a through 10.3.
AnalysisAI
Blind SQL injection in Smart Notification WordPress plugin through version 10.3 allows remote unauthenticated attackers to extract sensitive database information via specially crafted requests. The vulnerability carries a CVSS score of 9.3 due to network-based attack vector, no required authentication, and potential for cross-scope impact with high confidentiality breach. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability in the wild, and no active exploitation has been confirmed via CISA KEV at time of analysis. Patchstack vulnerability database serves as the primary disclosure source.
Technical ContextAI
This is a classic SQL injection vulnerability (CWE-89) in a WordPress plugin. The Smart Notification plugin from smartiolabs fails to properly sanitize user-supplied input before incorporating it into SQL queries, allowing attackers to inject malicious SQL commands. As a blind SQL injection variant, attackers cannot directly view query results but can infer data through timing attacks, boolean-based logic, or error messages. The WordPress plugin ecosystem commonly suffers from SQL injection when developers use direct database queries without prepared statements or proper input validation. The affected component likely processes user input through WordPress AJAX handlers, REST API endpoints, or front-end forms without adequate parameterization of database calls.
RemediationAI
Primary remediation is to upgrade Smart Notification plugin to a version newer than 10.3 if available, though no specific patched version number is confirmed in the provided intelligence data. Site administrators should check the WordPress plugin repository or smartiolabs official channels for updated releases addressing CVE-2025-39479. Patchstack reference at https://patchstack.com/database/wordpress/plugin/smio-push-notification/vulnerability/wordpress-smart-notification-plugin-10-3-sql-injection-vulnerability may contain additional remediation guidance. If no patched version exists or immediate upgrade is not feasible, implement compensating controls: disable and deactivate the Smart Notification plugin entirely until a fix is available, restrict WordPress admin access to trusted IP addresses only, implement web application firewall (WAF) rules to detect SQL injection patterns in HTTP requests targeting the plugin's endpoints (noting this may cause false positives and requires ongoing tuning), enable database query logging to detect exploitation attempts (with performance overhead considerations), and review database access logs for suspicious query patterns. For environments requiring the notification functionality, consider temporary replacement with alternative WordPress notification plugins that have recent security audits.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18544