Platform
wordpress
Component
sms-alert
Fixed in
3.8.2
CVE-2025-47682 describes a SQL Injection vulnerability discovered in Cozy Vision SMS Alert Order Notifications. This flaw allows attackers to inject malicious SQL code, potentially gaining unauthorized access to sensitive data and compromising the system. The vulnerability affects versions from 0.0.0 up to and including 3.8.1, and a patch is available in version 3.8.3.
Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication mechanisms and directly query the database. This could lead to the exfiltration of sensitive data such as customer information, order details, and potentially administrative credentials. Depending on the database schema and permissions, an attacker might even be able to modify or delete data, leading to significant operational disruption. The impact is particularly severe given the potential for unauthorized access to customer data, which could result in regulatory fines and reputational damage. The ability to execute arbitrary SQL commands grants a high degree of control over the affected system, making this a critical security concern.
CVE-2025-47682 was publicly disclosed on 2025-05-12. The vulnerability's severity is classified as CRITICAL with a CVSS score of 9.3. At the time of writing, no public proof-of-concept exploits have been identified, but the ease of SQL Injection exploitation suggests a high probability of exploitation if left unpatched. It is recommended to prioritize remediation efforts.
Exploit Status
EPSS
0.24% (47th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-47682 is to immediately upgrade Cozy Vision SMS Alert Order Notifications to version 3.8.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with SQL Injection protection rules to filter malicious requests. Additionally, review and restrict database user permissions to minimize the potential impact of a successful attack. Input validation and parameterized queries should be implemented in any custom code interacting with the database. After upgrading, confirm the vulnerability is resolved by attempting a SQL injection payload through the vulnerable endpoint and verifying that it is properly sanitized.
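As an added illustration of the parameterized-query advice above (example code written for this page, not the plugin's own code; the table name `sms_alert_log`, its columns and the request parameters are hypothetical stand-ins), the unsafe concatenation pattern next to the `$wpdb->prepare()` form a WordPress plugin should use:

```php
<?php
// Added example for this page, not code from the SMS Alert plugin.
// Table and column names are hypothetical stand-ins.

// UNSAFE: request input is concatenated straight into the SQL string,
// so a crafted `order_id` value can change the structure of the query.
function sms_alert_example_lookup_unsafe( $wpdb ) {
    $order_id = $_GET['order_id'];
    $sql      = "SELECT * FROM {$wpdb->prefix}sms_alert_log WHERE order_id = " . $order_id;
    return $wpdb->get_results( $sql );
}

// SAFER: validate the input's type first, then bind values through
// $wpdb->prepare(). %d casts to an integer and %s is quoted and escaped,
// so the value is treated as data and can never alter the query.
function sms_alert_example_lookup_safe( $wpdb ) {
    $order_id = isset( $_GET['order_id'] ) ? absint( wp_unslash( $_GET['order_id'] ) ) : 0;
    $phone    = isset( $_GET['phone'] ) ? sanitize_text_field( wp_unslash( $_GET['phone'] ) ) : '';

    // Reject missing or non-numeric input before touching the database.
    if ( 0 === $order_id || '' === $phone ) {
        return array();
    }

    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}sms_alert_log WHERE order_id = %d AND phone = %s",
        $order_id,
        $phone
    );
    return $wpdb->get_results( $sql );
}
```

The same rule applies to `$wpdb->query()`, `get_var()` and `get_row()`: any value that originates from a request, a cookie or a stored option goes through `prepare()` placeholders, never string interpolation.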
Update the SMS Alert Order Notifications plugin to a patched version. Check the developer's website or the WordPress repository for the latest available version. As an additional security measure, consider implementing a web application firewall (WAF) to mitigate potential SQL Injection attacks.
CVE-2025-47682 is a critical SQL Injection vulnerability affecting Cozy Vision SMS Alert Order Notifications, allowing attackers to inject malicious SQL code and potentially access sensitive data.
You are affected if you are using Cozy Vision SMS Alert Order Notifications versions 0.0.0 through 3.8.1. Upgrade to 3.8.3 or later to resolve the issue.
Upgrade Cozy Vision SMS Alert Order Notifications to version 3.8.3 or later. As a temporary workaround, implement a WAF with SQL Injection protection.
While no public exploits are currently known, the ease of SQL Injection exploitation suggests a high probability of exploitation if left unpatched.
Refer to the Cozy Vision website or plugin repository for the official advisory and release notes related to CVE-2025-47682.