CVE-2025-49315

EUVD-2025-17254 | Severity: HIGH 7.6 (CVSS 3.1)
Published: 2025-06-06

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 18:10 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 18:10 (euvd), EUVD-2025-17254
CVE Published: Jun 06, 2025 - 13:15 (nvd), rated HIGH 7.6

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS allows SQL Injection. This issue affects Persian Woocommerce SMS: from n/a through 7.0.10.

Analysis

CVE-2025-49315 is an SQL injection vulnerability in PersianScript's Persian Woocommerce SMS plugin affecting versions up to 7.0.10. An authenticated attacker with high privileges (administrator or above) can inject arbitrary SQL commands to read sensitive database information and cause denial of service. While the CVSS score is 7.6 (High), the requirement for elevated privileges (PR:H) and the absence of an integrity impact limit real-world exploitability. However, the changed scope (S:C), meaning the impact extends beyond the plugin itself to the shared WordPress database, together with how common this vulnerability class is in WordPress plugins, warrants immediate patching.

Technical Context

The vulnerability exists in the PersianScript Persian Woocommerce SMS plugin (CPE: cpe:2.3:a:persianscript:persian_woocommerce_sms:*:*:*:*:*:wordpress:*:*), which is a WordPress plugin designed to integrate SMS functionality with WooCommerce e-commerce systems. The root cause is CWE-89: Improper Neutralization of Special Elements used in an SQL Command, indicating that user-supplied input is concatenated directly into SQL queries without parameterized preparation or proper escaping. This is a classic SQL injection flaw where database-special characters (quotes, semicolons, comment syntax) are not sanitized before database execution. The plugin's failure to use WordPress's built-in wpdb prepared statements ($wpdb->prepare()) or parameterized queries creates a direct path to unauthorized database access.
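The concatenation-versus-prepare() distinction described above, shown as an added illustration in PHP. This is not code from the Persian Woocommerce SMS plugin or from PersianScript; the table name sms_log, its columns and the function names are assumptions chosen for the example.

```php
<?php
// Added illustration, not code from the Persian Woocommerce SMS plugin.
// Assumes a WordPress environment where the global $wpdb object is available
// and a hypothetical custom table "{$wpdb->prefix}sms_log" with columns
// order_id (int), phone (varchar) and sent_at (datetime). All assumed.

// VULNERABLE PATTERN (CWE-89): untrusted input is concatenated into the
// query text. Input containing quote or comment characters, or extra SQL
// keywords, changes the meaning of the statement the database executes.
function sms_log_for_order_unsafe( $order_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'sms_log';
    $sql   = "SELECT phone, sent_at FROM {$table} WHERE order_id = " . $order_id;
    return $wpdb->get_results( $sql );
}

// HARDENED FORM: $wpdb->prepare() binds the value through a typed placeholder
// (%d integer, %s string, %f float). The value is cast or escaped before it
// is substituted, so the input can never alter the query's structure.
function sms_log_for_order_safe( $order_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'sms_log';
    $sql   = $wpdb->prepare(
        "SELECT phone, sent_at FROM {$table} WHERE order_id = %d",
        $order_id
    );
    return $wpdb->get_results( $sql );
}

// String values use %s. prepare() adds the quotes itself, so the placeholder
// must NOT be wrapped in quotes inside the SQL text.
function sms_log_for_phone_safe( $phone ) {
    global $wpdb;
    $table = $wpdb->prefix . 'sms_log';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT order_id, sent_at FROM {$table} WHERE phone = %s", $phone )
    );
}

// LIKE searches: escape the user text with $wpdb->esc_like() before binding,
// so % and _ in the input are matched literally instead of as wildcards.
function sms_log_search_safe( $needle ) {
    global $wpdb;
    $table = $wpdb->prefix . 'sms_log';
    $like  = '%' . $wpdb->esc_like( $needle ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT order_id, phone FROM {$table} WHERE phone LIKE %s", $like )
    );
}
```

$wpdb->prepare() is sprintf-style substitution with escaping rather than a server-side prepared statement, but because every value is escaped or cast before it reaches the query text, structural characters in the input cannot change the statement. Identifiers (table and column names) cannot be passed through %s, which is why the table name in the example is built from the trusted $wpdb->prefix rather than from request data.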

Affected Products

Persian Woocommerce SMS: 7.0.10 and earlier (no lower bound specified)

Remediation

Update: Update to version 7.0.11 or later, if available from PersianScript. Check the PersianScript official website or the WordPress plugin repository for patched versions; no specific patch version is disclosed in the CVE description, so contact the vendor or monitor wordpress.org/plugins/persian-woocommerce-sms/ for updates.

Workaround: Disable the Persian Woocommerce SMS plugin if it is not actively in use. Deactivate and optionally delete the plugin from the WordPress admin panel if SMS functionality is not critical.

Mitigation (administrative access): Limit the number of user accounts with administrator privileges, require strong authentication (2FA/MFA) for all admin accounts, and audit the admin user list regularly, removing unnecessary accounts.

Mitigation (database access controls): Apply the principle of least privilege: ensure the WordPress database user has only the permissions it requires, and consider a read-only database user for non-administrative functions where possible.

Monitoring: Log and monitor SQL errors and database queries. Enable WordPress debug logging, and use database query logging or WAF rules to detect SQL injection attempts (UNION, SELECT, or comment syntax in request parameters).

Priority Score

Score: 38 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0
