Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS allows SQL Injection. This issue affects Persian Woocommerce SMS: from n/a through 7.0.10.
AnalysisAI
CVE-2025-49315 is an SQL injection vulnerability in PersianScript's Persian Woocommerce SMS plugin affecting versions up to 7.0.10. An authenticated attacker with high privileges (administrator or above) can inject arbitrary SQL commands to read sensitive database information and cause denial of service. While the CVSS score is 7.6 (high), the requirement for elevated privileges (PR:H) and lack of integrity impact limit real-world exploitability, though the cross-site scope elevation and confirmed existence of this vulnerability class in WordPress plugins warrant immediate patching.
Technical ContextAI
The vulnerability exists in the PersianScript Persian Woocommerce SMS plugin (CPE: cpe:2.3:a:persianscript:persian_woocommerce_sms:*:*:*:*:*:wordpress:*:*), which is a WordPress plugin designed to integrate SMS functionality with WooCommerce e-commerce systems. The root cause is CWE-89: Improper Neutralization of Special Elements used in an SQL Command, indicating that user-supplied input is concatenated directly into SQL queries without parameterized preparation or proper escaping. This is a classic SQL injection flaw where database-special characters (quotes, semicolons, comment syntax) are not sanitized before database execution. The plugin's failure to use WordPress's built-in wpdb prepared statements ($wpdb->prepare()) or parameterized queries creates a direct path to unauthorized database access.
RemediationAI
Update to version 7.0.11 or later if available from PersianScript; details: Check the PersianScript official website or WordPress plugin repository for patched versions. No specific patch version is disclosed in the CVE description; contact vendor or monitor wordpress.org/plugins/persian-woocommerce-sms/ for updates. Workaround: Disable the Persian Woocommerce SMS plugin if not actively in use; details: Deactivate and optionally delete the plugin from WordPress admin panel if SMS functionality is not critical. Mitigation: Restrict administrative access; details: Limit the number of user accounts with administrator privileges; implement strong authentication (2FA/MFA) for all admin accounts; audit admin user list regularly and remove unnecessary accounts. Mitigation: Database access controls; details: Implement principle of least privilege: ensure the WordPress database user has minimal required permissions; consider read-only database user for non-administrative functions if possible. Monitoring: Log and monitor SQL errors and database queries; details: Enable WordPress debug logging; use database query logging or WAF rules to detect SQL injection attempts (UNION, SELECT, comment syntax in request parameters).
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17254