CVE Catalog

CVE-2025-26988

CriticalCVSS 9.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.48%

38th percentile - higher than 38% of all known CVEs

Summary

The SMS Alert Order Notifications plugin for WordPress (versions up to and including 3.7.8) contains an SQL injection vulnerability. The flaw results from improper neutralization of special elements in SQL commands, allowing an attacker to perform unauthorized database operations.

Risk Assessment

An attacker can exploit this vulnerability to read, modify, or delete database data, potentially leading to data confidentiality and integrity breaches and system takeover.

Recommendation

Immediately update the SMS Alert Order Notifications plugin to the latest available version that fixes this vulnerability. If no update is available, temporarily disable the plugin.

Original NVD description (English source)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection.This issue affects SMS Alert Order Notifications: from n/a through <= 3.7.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS