SMS Alert Order Notifications CVE-2025-49915
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection.This issue affects SMS Alert Order Notifications: from n/a through <= 3.8.5.
AnalysisAI
SQL injection in WordPress SMS Alert Order Notifications plugin through version 3.8.5 allows remote unauthenticated attackers to extract sensitive database contents via network-accessible injection points. The vulnerability achieves scope change with high confidentiality impact, enabling cross-boundary data exfiltration from the WordPress database. EPSS data unavailable; not currently listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis, though the unauthenticated remote attack vector presents significant risk for WordPress installations using this plugin.
Technical ContextAI
This is a classic SQL injection vulnerability (CWE-89) in a WordPress plugin developed by Cozy Vision. The plugin handles SMS notifications for WooCommerce order events and likely processes user-supplied input (order parameters, notification settings, or API callbacks) without proper parameterization or input sanitization. The CVSS scope change metric (S:C) indicates the vulnerability crosses trust boundaries, meaning an attacker can leverage SQL injection in the plugin context to access data beyond the plugin's intended scope-potentially the entire WordPress database including user credentials, order data, customer information, and other plugin tables. WordPress plugins typically share database access credentials with the core WordPress installation, making scope escalation inherent to successful SQL injection. The vulnerability was discovered and reported by Patchstack's security audit team, suggesting it was identified through automated vulnerability scanning or manual code review of the plugin's database query construction.
Affected ProductsAI
WordPress SMS Alert Order Notifications plugin by Cozy Vision, all versions from initial release through version 3.8.5 inclusive. The vulnerability affects WordPress installations where this plugin is active, typically WooCommerce-powered e-commerce sites using SMS notification functionality for order updates. CPE data not provided in intelligence sources. Vendor-specific advisory and affected version confirmation available through Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-plugin-3-8-5-sql-injection-vulnerability.
RemediationAI
Immediately upgrade SMS Alert Order Notifications plugin to version 3.8.6 or later if available from the WordPress plugin repository or vendor. Verify patched version through the Patchstack advisory reference at https://patchstack.com/database/Wordpress/Plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-plugin-3-8-5-sql-injection-vulnerability. If no patched version is released, disable and deactivate the SMS Alert plugin until vendor provides a secure update-trade-off is loss of SMS notification functionality, but this is acceptable compared to database compromise risk. Compensating controls if plugin must remain active: implement web application firewall (WAF) rules to block SQL injection patterns in requests to WordPress admin-ajax.php and plugin-specific endpoints (reduces attack surface but not foolproof against sophisticated payloads); restrict wp-admin access to trusted IP addresses via .htaccess or server configuration (limits exposure but doesn't prevent exploitation through public-facing plugin endpoints); enable WordPress database query logging to detect exploitation attempts (provides visibility but doesn't prevent attacks). Review WordPress database access logs and application logs for suspicious query patterns (UNION SELECT, information_schema references, timing-based delays) dating back to plugin installation to identify potential prior compromise.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today