Impact
The vulnerability arises from improper input neutralization in the Smart Notification plugin, allowing an attacker to insert crafted SQL that is executed by the database. Because the injection is blind, the attacker does not receive query results directly but can infer data with repeated requests. Successful exploitation would enable data exfiltration of sensitive information such as user accounts, content, and configuration settings. The weakness corresponds to CWE-89, a classic injection flaw that undermines data confidentiality.
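The following added example, which is not code from the Smart Notification plugin or from smartiolabs, shows the CWE-89 pattern the advisory describes beside its hardened form. The in-memory SQLite table, the `notifications` schema, and the function names are constructed for illustration; the point is that with string-built SQL an input can change the query's logic (and so the observable answer that a blind injection infers from), while a bound parameter is only ever treated as data.

```python
import sqlite3

# Constructed stand-in for a plugin's notification table; this is NOT the
# real schema of the Smart Notification plugin.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notifications (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO notifications (title, published) VALUES (?, ?)",
        [("Welcome", 1), ("Draft announcement", 0), ("Maintenance window", 1)],
    )
    conn.commit()
    return conn


def count_published_vulnerable(conn, title):
    # CWE-89: untrusted input is spliced into the SQL text, so the caller's
    # string becomes part of the query's grammar rather than a value.
    sql = "SELECT COUNT(*) FROM notifications WHERE published = 1 AND title = '%s'" % title
    return conn.execute(sql).fetchone()[0]


def count_published_safe(conn, title):
    # Hardened form: the value is passed as a bound parameter. The database
    # driver never parses it as SQL, so the WHERE clause cannot be altered.
    sql = "SELECT COUNT(*) FROM notifications WHERE published = 1 AND title = ?"
    return conn.execute(sql, (title,)).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    # A benign lookup behaves identically in both versions.
    print("benign:", count_published_vulnerable(db, "Welcome"), count_published_safe(db, "Welcome"))
    # An input carrying a boolean condition changes the answer only in the
    # vulnerable version; that difference in response is exactly the signal
    # a blind injection relies on, and parameterization removes it.
    probe = "x' OR published = 0 OR '1'='1"
    print("probe :", count_published_vulnerable(db, probe), count_published_safe(db, probe))
```

The fix is the same regardless of database or language: every value that originates outside the application reaches the query through a placeholder (here `?`), never through string formatting or concatenation.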
Affected Systems
The issue affects all installations of Smart Notification version 10.3 and earlier from the vendor smartiolabs. No specific build numbers are listed beyond the upper bound of 10.3, so any site running version 10.3 or an older release is vulnerable.
Risk and Exploitability
A CVSS score of 9.3 marks the flaw as critical, indicating the potential for significant impact if exploited successfully. The EPSS score of less than 1% suggests that exploitation is unlikely in the near term, yet possible enough that continuous vigilance is warranted. The vulnerability is not currently listed in CISA’s KEV catalog, so there is no confirmed widespread exploitation, but the high severity still warrants action. The likely attack vector is remote interaction with the plugin’s entry points, inferred from the fact that the plugin accepts external input that is incorporated into SQL queries. Exploitation would require access to the site’s network or remote interaction with the plugin’s entry points; no authentication is required beyond the normal user permissions needed to exercise the plugin’s functionality.
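Because a blind injection is inferred from many repeated requests against the plugin's entry points, the most useful detection signal is a burst of injection-shaped requests from one client. The added example below is not from the advisory or the plugin: it parses constructed Common Log Format access-log lines (the client addresses are documentation ranges, and the `/plugin/notify` path and `id` parameter are hypothetical), URL-decodes each request target, matches a small heuristic pattern set for SQL-injection probing, and flags clients that send several such requests within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format). Addresses, paths and
# parameter names are hypothetical; they are not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /plugin/notify?id=5 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /plugin/notify?id=5%27%20AND%201%3D1-- HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2024:13:55:38 +0000] "GET /plugin/notify?id=5%27%20AND%201%3D2-- HTTP/1.1" 200 73
203.0.113.5 - - [10/Oct/2024:13:55:39 +0000] "GET /plugin/notify?id=5%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2024:13:56:01 +0000] "GET /plugin/notify?id=7 HTTP/1.1" 200 498
198.51.100.9 - - [10/Oct/2024:13:56:02 +0000] "GET /plugin/notify?id=8 HTTP/1.1" 200 501
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Heuristic signatures of SQL-injection probing in a decoded request target.
# Deliberately narrow to keep false positives low; tune for your application.
SQLI_PATTERN = re.compile(
    r"""['"]\s*(?:and|or)\b                      # quote followed by a boolean connector
        |\b(?:and|or)\s+\d+\s*=\s*\d+            # tautology / contradiction pairs (1=1, 1=2)
        |\b(?:sleep|benchmark|pg_sleep|waitfor)\s*\(?   # time-delay functions (time-based blind)
        |\bunion\s+(?:all\s+)?select\b           # union-based extraction
    """,
    re.IGNORECASE | re.VERBOSE,
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "target": unquote_plus(m["target"]),  # decode before matching
        "status": m["status"],
        "size": m["size"],
    }


def find_probing_clients(log_text, window_seconds=60, min_hits=2):
    """Return {ip: [decoded targets]} for clients that issued at least
    `min_hits` injection-looking requests within `window_seconds`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SQLI_PATTERN.search(rec["target"]):
            hits[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window over the client's suspicious requests in time order.
        for i in range(len(recs) - min_hits + 1):
            span = (recs[i + min_hits - 1]["ts"] - recs[i]["ts"]).total_seconds()
            if span <= window_seconds:
                flagged[ip] = [r["target"] for r in recs]
                break
    return flagged


if __name__ == "__main__":
    for ip, targets in find_probing_clients(SAMPLE_LOG).items():
        print(ip, "->", len(targets), "suspicious requests")
        for t in targets:
            print("   ", t)
```

The burst threshold matters more than the signature list: a single odd request is noise, while a sequence of paired true/false conditions or delay calls from one source within seconds is the characteristic shape of blind inference and is worth an alert, a rate limit at the edge, and a check that the plugin is updated.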
OpenCVE Enrichment
EUVD