Impact
The Cozy Vision SMS Alert Order Notifications plugin contains a SQL injection vulnerability caused by insufficient escaping of special characters in database queries. An attacker can supply crafted input to the plugin’s public interface, causing the system to execute arbitrary SQL statements. This allows the attacker to read, modify, or delete data stored in the WordPress database, thereby compromising the confidentiality and integrity of the site’s information.
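The insufficient-escaping pattern described above, shown beside a hardened form, as an added illustration that is not the plugin's actual code: the function names, the sms_alert_orders table and the phone/status parameters are hypothetical, and the snippet assumes the standard WordPress $wpdb API and helpers.

```php
<?php
// Hypothetical order-lookup helpers for a WordPress plugin (not Cozy Vision's code).
// Assumes the WordPress globals/helpers: $wpdb, esc_sql(), absint(), sanitize_text_field().

// VULNERABLE pattern: request values are interpolated into the SQL string.
// esc_sql() only escapes quotes and backslashes. It does nothing for a value
// placed unquoted in a numeric comparison, and it leaves LIKE wildcards (% and _)
// untouched, so "escaped" input can still change the meaning of the query.
function sms_alert_find_orders_vulnerable( $phone, $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'sms_alert_orders';          // hypothetical table name
    $sql   = "SELECT id, status FROM {$table} "
           . "WHERE phone LIKE '%" . esc_sql( $phone ) . "%' "   // wildcards not neutralised
           . "AND status_id = " . $status;                       // unquoted, unescaped integer
    return $wpdb->get_results( $sql );
}

// HARDENED pattern: every request-derived value is bound through $wpdb->prepare(),
// which quotes and escapes %s and casts %d to an integer. LIKE input additionally
// goes through $wpdb->esc_like() so % and _ from the request are matched literally.
// Endpoint authorisation (capability and nonce checks) is a separate control and
// still belongs in the request handler that calls this function.
function sms_alert_find_orders_hardened( $phone, $status ) {
    global $wpdb;
    $table  = $wpdb->prefix . 'sms_alert_orders';
    $phone  = sanitize_text_field( $phone );
    $status = absint( $status );                             // non-negative integer or 0
    $like   = '%' . $wpdb->esc_like( $phone ) . '%';
    $sql    = $wpdb->prepare(
        "SELECT id, status FROM {$table} WHERE phone LIKE %s AND status_id = %d",
        $like,
        $status
    );
    return $wpdb->get_results( $sql );
}
```

For detection, an audit of a plugin for this bug class starts by grepping for $wpdb->query/get_results calls whose SQL string is built with concatenation or interpolation rather than $wpdb->prepare().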
Affected Systems
All installations of the Cozy Vision SMS Alert Order Notifications WordPress plugin running version 3.8.5 or earlier are affected. The vulnerability applies to every release from the earliest version through 3.8.5 inclusive; any WordPress site deploying the plugin at those versions is at risk.
Risk and Exploitability
The CVSS base score of 9.3 reflects a high-severity impact. The EPSS score of less than 1% suggests that, as of the latest data, exploit attempts are rare and the vulnerability is not widely leveraged. The plugin is not listed in the CISA KEV catalog. Attackers would need to send maliciously crafted requests to the plugin’s public endpoints, and the vulnerability appears exploitable without authentication. Based on the description, the attack vector is inferred to be remote, via web requests to the plugin’s interface.
OpenCVE Enrichment