Platform: wordpress
Component: sms-alert
Fixed version: 3.8.6
CVE-2025-49915 describes a SQL Injection vulnerability discovered in Cozy Vision SMS Alert Order Notifications. This flaw allows attackers to inject malicious SQL code, potentially gaining unauthorized access to sensitive data and compromising the system. The vulnerability affects versions from 0.0.0 up to and including 3.8.5. A patch is available in version 3.8.6.
Successful exploitation of this SQL Injection vulnerability allows an attacker to manipulate database queries, potentially extracting sensitive information such as user credentials, order details, and other confidential data stored within the Cozy Vision SMS Alert Order Notifications database. An attacker could also modify data, leading to data corruption or denial of service. The blast radius extends to any system relying on the SMS Alert Order Notifications plugin, as the vulnerability can be triggered remotely through crafted HTTP requests. While no specific real-world exploitation has been publicly reported, the severity of SQL Injection vulnerabilities generally warrants immediate attention due to their potential for significant impact.
CVE-2025-49915 was published on 2025-10-22. Its severity is classified as CRITICAL with a CVSS score of 9.3. No public proof-of-concept exploits are currently known, but the ease of SQL Injection exploitation suggests a potential for rapid exploitation if a PoC is released. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the Cozy Vision SMS Alert Order Notifications plugin, particularly those with default configurations or limited security measures, are at significant risk. Shared hosting environments where multiple websites share the same database are also at increased risk, as a successful exploit on one site could potentially impact others.
• wordpress / composer / npm:
grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/sms-alert-order-notifications/
• generic web:
curl -I 'https://your-wordpress-site.com/wp-content/plugins/sms-alert-order-notifications/?param=' # check the response headers for SQL error messages
Exploitation status
EPSS: 0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49915 is to immediately upgrade Cozy Vision SMS Alert Order Notifications to version 3.8.6 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to filter out potentially malicious SQL injection attempts. Input validation and sanitization on the WordPress side, if possible, can provide an additional layer of defense. Regularly review database access logs for suspicious activity. After upgrading, confirm the fix by attempting a SQL injection payload through the vulnerable endpoint and verifying that it is properly sanitized.
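The log review recommended above can be automated. The following is an added example, not code from the advisory or from the plugin vendor: it scans constructed web-server access-log lines for requests to the plugin directory (assumed to be the path used in the grep command above, under the default wp-content/plugins location) whose URL-decoded query parameters contain common SQL injection indicators, including double-encoded values.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Plugin path as used in the advisory's grep command (assumption: default plugin dir).
PLUGIN_PATH = "/wp-content/plugins/sms-alert-order-notifications/"

# Generic SQL injection indicators, applied to each URL-decoded parameter value.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I),        # ' OR 1=1 tautologies
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),        # UNION ... SELECT
    re.compile(r"(--|#|/\*)"),                              # comment terminators
    re.compile(r"\b(sleep|benchmark|extractvalue|updatexml)\s*\(", re.I),  # time/error based
    re.compile(r"\binformation_schema\b", re.I),
]

# Apache/nginx combined log format: ip ident user [time] "method target proto" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_params(target):
    """Return (param, decoded_value, pattern) for each parameter matching an indicator."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decodes once; this catches double encoding
        for pat in SQLI_PATTERNS:
            if pat.search(decoded):
                hits.append((name, decoded, pat.pattern))
                break
    return hits

def scan_access_log(lines):
    """Flag requests to the plugin path whose query parameters look like SQL injection."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["target"].startswith(PLUGIN_PATH):
            continue
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "time": m["time"], "status": m["status"], "hits": hits})
    return findings

# Constructed sample lines (not real traffic): benign, tautology, UNION probe, off-path.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Oct/2025:10:01:02 +0000] "GET /wp-content/plugins/sms-alert-order-notifications/?order_id=1042 HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Oct/2025:10:01:09 +0000] "GET /wp-content/plugins/sms-alert-order-notifications/?order_id=1042%27%20OR%201%3D1--%20 HTTP/1.1" 500 0',
    '198.51.100.7 - - [22/Oct/2025:10:01:15 +0000] "GET /wp-content/plugins/sms-alert-order-notifications/?order_id=1%20UNION%20SELECT%201%2C2%2C3 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [22/Oct/2025:10:02:00 +0000] "GET /?s=sleep(5) HTTP/1.1" 200 8192',
]
```

Calling `scan_access_log(SAMPLE_LOG)` returns the two suspicious plugin requests from 198.51.100.7 (note the 500 status on the first, a typical sign of an unhandled SQL error); the off-path `sleep(5)` line is ignored because the scan is scoped to the plugin directory.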
Update the SMS Alert Order Notifications plugin to the latest available version to mitigate the SQL injection vulnerability. Check for updates in the WordPress repository or on the developer's website. Implement additional security measures, such as validating and sanitizing user input, to prevent future vulnerabilities.
CVE-2025-49915 is a critical SQL Injection vulnerability affecting Cozy Vision SMS Alert Order Notifications versions 0.0.0 through 3.8.5, allowing attackers to manipulate database queries.
If you are using Cozy Vision SMS Alert Order Notifications version 3.8.5 or earlier, you are vulnerable to this SQL Injection flaw.
Upgrade Cozy Vision SMS Alert Order Notifications to version 3.8.6 or later to remediate the vulnerability. Consider WAF rules as a temporary mitigation.
While no active exploitation has been publicly confirmed, the severity of SQL Injection vulnerabilities suggests a potential for rapid exploitation.
Refer to the official Cozy Vision website or WordPress plugin repository for the latest advisory and update information.