Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection. This issue affects SMS Alert Order Notifications: from n/a through <= 3.8.1.
Published: 2025-05-12
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Cozy Vision SMS Alert Order Notifications plugin contains an SQL injection flaw that allows an attacker to append malicious SQL code to user‑controlled input. When exploited, the database engine will execute the injected statements, resulting in the attacker gaining read, write or delete access to order and customer data. The vulnerability could expose payment details, compromise customer confidentiality, or allow an attacker to alter transactional records for financial gain.

Affected Systems

WordPress sites that have the Cozy Vision SMS Alert Order Notifications plugin installed, from its first release up through version 3.8.1. All affected releases are the free edition of the plugin, and the flaw exists regardless of the active theme or other installed plugins. If the plugin is active, the affected endpoints are reachable through normal web requests to the plugin's administrative URLs.

Risk and Exploitability

The CVSS base score of 9.3 denotes a critical level of severity. However, the EPSS score is below 1%, indicating that current exploitation levels are low. The vulnerability is not listed in the CISA KEV catalog, so there is no known public exploitation at this time. The attack vector is inferred to be remote, reached via a web request to the plugin's backend, and exploitation appears to require no authenticated user context. Given the high severity score and the straightforward nature of the injection when the plugin is exposed, a high-priority remediation effort is warranted.

Generated by OpenCVE AI on April 30, 2026 at 20:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cozy Vision SMS Alert Order Notifications plugin to the latest released version (>= 3.8.2) or remove it entirely if the functionality is no longer needed.
  • Close or restrict HTTP access to the plugin’s administrative URLs with a firewall or .htaccess rules to block unauthenticated requests.
  • Apply general WordPress hardening practices: keep core, themes and other plugins updated, enforce least‑privilege database accounts, and validate or escape all user input before use in SQL queries.


Advisories
Source: EUVD
ID: EUVD-2025-14278
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision Technologies Pvt. Ltd. SMS Alert Order Notifications – WooCommerce allows SQL Injection. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.8.2.
History

Wed, 29 Apr 2026 10:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision Technologies Pvt. Ltd. SMS Alert Order Notifications – WooCommerce allows SQL Injection. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.8.2.
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection. This issue affects SMS Alert Order Notifications: from n/a through <= 3.8.1.

Type: Title
Values Removed: WordPress SMS Alert Order Notifications – WooCommerce <= 3.8.2 - SQL Injection Vulnerability
Values Added: WordPress SMS Alert Order Notifications – WooCommerce plugin <= 3.8.1 - SQL Injection Vulnerability

Type: References
Values Removed: (none listed)
Values Added: (none listed)

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 09 Jul 2025 02:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Cozyvision; Cozyvision sms Alert Order Notifications

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:cozyvision:sms_alert_order_notifications:*:*:*:*:free:wordpress:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Cozyvision; Cozyvision sms Alert Order Notifications

Mon, 12 May 2025 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 12 May 2025 18:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision Technologies Pvt. Ltd. SMS Alert Order Notifications – WooCommerce allows SQL Injection. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.8.2.

Type: Title
Values Removed: (none)
Values Added: WordPress SMS Alert Order Notifications – WooCommerce <= 3.8.2 - SQL Injection Vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:55.520Z

Reserved: 2025-05-07T10:45:37.287Z

Link: CVE-2025-47682

Vulnrichment

Updated: 2025-05-12T18:31:02.384Z

NVD

Status: Modified

Published: 2025-05-12T19:15:51.420

Modified: 2026-04-29T10:16:48.010

Link: CVE-2025-47682

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:15:16Z

Weaknesses