Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection.This issue affects SMS Alert Order Notifications: from n/a through <= 3.7.8.
Published: 2025-03-03
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw permits an attacker to inject arbitrary SQL statements through Cozy Vision’s SMS Alert Order Notifications plugin, exploiting insufficient input validation. This vulnerability (CWE‑89) can expose, modify, or delete confidential order data, potentially compromising the integrity and confidentiality of the e‑commerce platform and allowing an attacker to gain full control of the underlying database.

Affected Systems

The insecure plugin version is distributed from the initial release through 3.7.8 for WordPress WooCommerce sites. Any installation of SMS Alert Order Notifications that has not been upgraded beyond 3.7.8 is vulnerable.

Risk and Exploitability

With a CVSS score of 9.3 the flaw is considered critical, yet the EPSS score is below 1 % and it is not listed in the CISA KEV catalog, indicating limited current exploitation. The likely attack vector involves remote HTTP interactions with the plugin’s WooCommerce order‑notification endpoints, potentially without authentication; however, the exact prerequisite conditions are not detailed in the advisory.

Generated by OpenCVE AI on May 1, 2026 at 14:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SMS Alert Order Notifications to the latest released version.
  • If an immediate upgrade is not possible, disable the plugin to eliminate the attack surface.
  • Apply least‑privilege permissions to the database user and, if feasible, deploy a web application firewall rule that blocks common SQL injection payloads.

Generated by OpenCVE AI on May 1, 2026 at 14:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-5609 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications – WooCommerce allows SQL Injection. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.7.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications – WooCommerce allows SQL Injection. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.7.8. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection.This issue affects SMS Alert Order Notifications: from n/a through <= 3.7.8.
First Time appeared Cozyvision
Cozyvision sms Alert Order Notifications
CPEs cpe:2.3:a:cozyvision:sms_alert_order_notifications:*:*:*:*:*:wordpress:*:*
Vendors & Products Cozyvision
Cozyvision sms Alert Order Notifications
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications – WooCommerce allows SQL Injection. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.7.8.
Title WordPress SMS Alert Order Notifications – WooCommerce plugin <= 3.7.8 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Cozyvision Sms Alert Order Notifications
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:46.171Z

Reserved: 2025-02-17T11:51:57.195Z

Link: CVE-2025-26988

cve-icon Vulnrichment

Updated: 2025-03-03T14:42:03.443Z

cve-icon NVD

Status : Modified

Published: 2025-03-03T14:15:57.370

Modified: 2026-04-23T15:26:11.863

Link: CVE-2025-26988

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T14:15:20Z

Weaknesses