CVE-2025-26988
Published: 03 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-26988 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the Cozy Vision SMS Alert Order Notifications WordPress plugin (sms-alert). This issue impacts all versions from n/a through 3.7.8, specifically within the WooCommerce integration for SMS order notifications.
The vulnerability enables exploitation by unauthenticated remote attackers (AV:N/AC:L/PR:N/UI:N) over the network with low attack complexity and no user interaction required. Exploitation leads to a scoped impact (S:C) with high confidentiality consequences (C:H), such as unauthorized data extraction from the database, alongside low availability disruption (A:L), resulting in a CVSS v3.1 base score of 9.3.
The Patchstack advisory provides details on the vulnerability and mitigation, available at https://patchstack.com/database/Wordpress/Plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-woocommerce-plugin-3-7-8-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing WordPress plugin enables remote unauthenticated exploitation (T1190) and direct unauthorized database data extraction (T1213.006).