Login Sign Up

CVE-2025-26988

9.3 CRITICAL
SQL Injection

📋 TL;DR

This SQL injection vulnerability in the SMS Alert Order Notifications WooCommerce plugin allows attackers to execute arbitrary SQL commands on the database. It affects WordPress sites using this plugin, potentially compromising customer data, order information, and site integrity. All users of versions up to 3.7.8 are vulnerable.

💻 Affected Systems

Products:
  • SMS Alert Order Notifications – WooCommerce WordPress plugin
Versions: n/a through 3.7.8
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with WooCommerce and the SMS Alert plugin installed and activated.

📦 What is this software?

Sms Alert Order Notifications by Cozyvision

View all CVEs affecting Sms Alert Order Notifications →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including customer PII, payment details, administrative credentials, and potential site takeover through privilege escalation.

🟠

Likely Case

Data exfiltration of customer information, order details, and potential modification of site content or settings.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database user privilege restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly exploited with automated tools. The CVSS score of 9.3 suggests high exploitability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.9 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-woocommerce-plugin-3-7-8-sql-injection-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'SMS Alert Order Notifications – WooCommerce'. 4. Click 'Update Now' if available. 5. Alternatively, download version 3.7.9+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the SMS Alert plugin until patched

wp plugin deactivate sms-alert

Web Application Firewall rule

all

Add SQL injection detection rule to WAF

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in custom code
  • Restrict database user permissions to minimum required privileges

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins

Check Version:

wp plugin get sms-alert --field=version

Verify Fix Applied:

Confirm plugin version is 3.7.9 or higher after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts from single IP
  • Unexpected database errors in WordPress logs

Network Indicators:

  • SQL syntax in HTTP parameters
  • Unusual database connection patterns
  • Data exfiltration traffic

SIEM Query:

source="wordpress.log" AND "SQL syntax" OR source="mysql.log" AND "SELECT.*FROM.*wp_" AND suspicious_patterns

📊 Metadata

CVE ID: CVE-2025-26988
CVSS v3 Score: 9.3 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
CWE: CWE-89
EPSS Score: 0.12% exploit probability (30.4th percentile)
Published: March 3, 2025
Last Updated: March 7, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-26988, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)