Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS persian-woocommerce-sms allows SQL Injection.This issue affects Persian Woocommerce SMS: from n/a through <= 7.0.10.
Published: 2025-06-06
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises when the PersianWoocommerceSMS plugin fails to properly neutralize special characters in SQL commands, allowing an attacker to inject malicious SQL. The injected statements can read, modify, or delete database contents, resulting in loss of confidential data, corruption of order records, or unauthorized account changes. The weakness corresponds to CWE‑89 and carries a CVSS score of 7.6, indicating a high‑severity flaw.

Affected Systems

The issue affects versions of the PersianWoocommerceSMS plugin through 7.0.10, distributed by PersianScript. Any WordPress site that has installed this plugin, especially those that have not applied the 7.0.11 update to date, is susceptible.

Risk and Exploitability

The EPSS score indicates that exploitation probability is below 1 % and the flaw is not listed in CISA’s KEV catalog, suggesting limited known use in the wild. However, the high CVSS value and the generic nature of SQL injection mean that a malicious actor could likely exploit the flaw if the site is publicly reachable and the plugin is enabled. The attack vector is inferred to be remote via crafted HTTP requests to the plugin’s endpoints, requiring no authentication.

Generated by OpenCVE AI on April 30, 2026 at 11:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PersianWoocommerceSMS to version 7.0.11 or later, which removes the SQL injection point.
  • If an update is unavailable, disable the plugin or delete it from the WordPress installation to prevent further exploitation.
  • Apply input validation or parameterized queries on any custom plugin code that interacts with the database.

Generated by OpenCVE AI on April 30, 2026 at 11:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17254 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS allows SQL Injection. This issue affects Persian Woocommerce SMS: from n/a through 7.0.10.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS allows SQL Injection. This issue affects Persian Woocommerce SMS: from n/a through 7.0.10. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS persian-woocommerce-sms allows SQL Injection.This issue affects Persian Woocommerce SMS: from n/a through <= 7.0.10.
Title WordPress Persian Woocommerce SMS <= 7.0.10 - SQL Injection Vulnerability WordPress Persian Woocommerce SMS plugin <= 7.0.10 - SQL Injection Vulnerability
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Fri, 06 Jun 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Jun 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS allows SQL Injection. This issue affects Persian Woocommerce SMS: from n/a through 7.0.10.
Title WordPress Persian Woocommerce SMS <= 7.0.10 - SQL Injection Vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:00.796Z

Reserved: 2025-06-04T09:42:07.048Z

Link: CVE-2025-49315

cve-icon Vulnrichment

Updated: 2025-06-06T18:59:01.514Z

cve-icon NVD

Status : Deferred

Published: 2025-06-06T13:15:47.523

Modified: 2026-04-23T15:31:27.027

Link: CVE-2025-49315

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T12:00:12Z

Weaknesses