Platform: wordpress
Component: smio-push-notification
Fixed in: 10.3.1
CVE-2025-39479 describes a Blind SQL Injection vulnerability in the smartiolabs Smart Notification plugin (slug smio-push-notification). The flaw lets an attacker extract data from the site database without ever seeing query output directly. All releases up to and including 10.3 are affected (the advisory lists no lower bound). A fix is available in version 10.3.1.
The SQL injection poses a significant risk to any WordPress site running the plugin. An attacker who reaches the injection point can read tables the plugin's database user has access to, which on a standard WordPress install is the whole site database: user records and password hashes from wp_users, customer data, and configuration stored in wp_options. The "blind" qualifier means the server returns no query results; the attacker instead infers data one bit or character at a time from boolean differences in the response or from injected time delays, so exploitation needs many requests rather than one, but it is routinely automated and the end result is the same. Successful exploitation can lead to complete compromise of the site and the data it holds.
CVE-2025-39479 was publicly disclosed on 2025-06-17. As of that date, no public proof-of-concept (PoC) code had been released. The EPSS score listed for this CVE is 0.06% (18th percentile), so the predicted short-term exploitation probability is low; the CRITICAL severity rating nonetheless means the issue should be treated as exploitable once a PoC appears. Monitor security advisories and threat intelligence feeds for signs of active exploitation campaigns.
WordPress sites using the smartiolabs Smart Notification plugin at an unpatched version (10.3 or earlier) are at risk. Shared hosting environments are a particular concern where several sites are served by the same database server or, worse, the same database user: a SQL injection in one site then reads across the others' data as well.
• wordpress / composer / npm:
grep -rl "Plugin Name: Smart Notification" /var/www/html/wp-content/plugins/
wp plugin get smio-push-notification --field=version   # vulnerable if the result is 10.3 or lower
• generic web:
curl -s https://your-wordpress-site.com/wp-content/plugins/smio-push-notification/readme.txt | grep -i "^Stable tag"   # readme.txt is public on most installs; an HTTP 404 does not prove absence
Disclosure: 2025-06-17
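The version comparison behind the checks above is where manual inspection goes wrong: "10.3" must count as affected while "10.3.1" and "10.10" must not, and a naive string comparison gets both cases wrong. The following is an added example, not code from the page or from smartiolabs: it reads the standard WordPress plugin header ("Version: x.y.z") from the plugin's main PHP file and compares it numerically against the fixed release. The sample header is constructed for illustration; the plugin directory path is an assumption.

```python
import re
import sys
from pathlib import Path

FIXED_VERSION = "10.3.1"  # first patched release per the advisory

HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([\w.\-]+)", re.MULTILINE)


def parse_version(v: str) -> tuple:
    """Turn '10.3', '10.3.1' or '10.3.1-beta' into a tuple of ints.

    Non-numeric suffixes are dropped. A missing trailing component compares
    as lower, so (10, 3) < (10, 3, 1): exactly the boundary this CVE sits on.
    """
    parts = []
    for seg in v.strip().split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {v!r}")
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def version_from_header(php_source: str):
    """Extract the 'Version:' field from a WordPress plugin header block."""
    m = HEADER_RE.search(php_source)
    return m.group(1) if m else None


def check_plugin_dir(plugin_dir):
    """Find the header in the top-level PHP files and evaluate it.

    Returns (version, vulnerable) or (None, None) if no header is found.
    """
    for php in sorted(Path(plugin_dir).glob("*.php")):
        v = version_from_header(php.read_text(errors="replace"))
        if v:
            return v, is_vulnerable(v)
    return None, None


# Constructed sample header; field values other than the plugin name and
# author are illustrative and not taken from the real plugin.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Smart Notification
Plugin URI: https://smartiolabs.com/
Description: constructed sample header for illustration
Version: 10.3
Author: smartiolabs
*/
"""

if __name__ == "__main__":
    # Assumed default path; pass a different plugin directory as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        version, vulnerable = check_plugin_dir(target)
    else:
        version = version_from_header(SAMPLE_HEADER)
        vulnerable = is_vulnerable(version)
    print(f"installed={version} fixed={FIXED_VERSION} vulnerable={vulnerable}")
```

Run it as `python check_smio.py /var/www/html/wp-content/plugins/smio-push-notification` on a live host; without an argument it evaluates the constructed header and reports 10.3 as vulnerable.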
Exploit Status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-39479 is to upgrade Smart Notification to version 10.3.1 or later immediately. If upgrading is not feasible right away because of compatibility or downtime concerns, deactivate the plugin temporarily to remove the attack surface. A Web Application Firewall (WAF) with SQL injection rules adds a layer of defense but is not a substitute for the patch; blind injection payloads are often encoded or split to evade signature rules. Review the web server access logs for SQL keywords in query strings and for bursts of near-identical requests from one client, which is the signature of automated blind extraction, and check the database slow or general query log for injected SLEEP or BENCHMARK calls.
Update the Smart Notification plugin to the latest available version to mitigate the SQL injection vulnerability. Consult the plugin documentation or the developer's website for specific update instructions.
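The log review suggested above can be scripted. This is an added example, not code from the page, the plugin, or any WAF product: it parses combined-format access log lines, URL-decodes the request path, and flags generic blind SQL injection indicators (time delays, boolean conditions, character-extraction functions, subqueries). The log lines are constructed; the endpoint and parameter names in them are placeholders and do not describe this CVE's actual injection point, which the advisory does not disclose. A client that trips the rules repeatedly is reported separately, because the many-requests pattern is what distinguishes blind extraction from a one-off scan.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined log format: ip ident user [ts] "METHOD path PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)'
)

# Generic SQL injection indicators, checked against the decoded, lowercased
# request path. These are not specific to CVE-2025-39479.
INDICATORS = [
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay")),
    ("boolean-based", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+")),
    ("char-extraction", re.compile(r"\b(substr|substring|mid|ascii|ord)\s*\(")),
    ("error-based", re.compile(r"\b(extractvalue|updatexml)\s*\(")),
    ("subquery", re.compile(r"\bselect\b.+\bfrom\b")),
]


def classify(path: str) -> list:
    """Return the names of every indicator matching the decoded path."""
    decoded = unquote_plus(path).lower()
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan_log(text: str) -> list:
    """Parse each line; keep those whose request path shows injection indicators."""
    flagged = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        hits = classify(m["path"])
        if hits:
            flagged.append({"ip": m["ip"], "ts": m["ts"],
                            "path": unquote_plus(m["path"]), "indicators": hits})
    return flagged


def repeat_offenders(flagged: list, threshold: int = 2) -> list:
    """IPs with at least `threshold` flagged requests: the blind-SQLi hallmark."""
    counts = Counter(entry["ip"] for entry in flagged)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample log. 'action=example' and 'id' are placeholders, not
# the plugin's real endpoint or parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jun/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=5 HTTP/1.1" 200 512
203.0.113.7 - - [17/Jun/2025:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=5%20AND%20SLEEP(5) HTTP/1.1" 200 512
203.0.113.7 - - [17/Jun/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=5%20AND%20(SELECT%20SUBSTRING(user_pass,1,1)%20FROM%20wp_users%20LIMIT%201)%3D%27%24%27 HTTP/1.1" 200 512
198.51.100.4 - - [17/Jun/2025:10:02:00 +0000] "GET /?s=hello+world HTTP/1.1" 200 4096
198.51.100.4 - - [17/Jun/2025:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']} {h['ts']} {h['indicators']} {h['path']}")
    print("repeat offenders:", repeat_offenders(hits))
```

Feed it a real file with `scan_log(open("/var/log/nginx/access.log").read())`; on the constructed sample it flags the two injected requests and names 203.0.113.7 as a repeat offender. POST bodies are not in access logs, so injection through POST parameters needs the WAF or application log instead.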
CVE-2025-39479 is a critical SQL injection vulnerability affecting smartiolabs Smart Notification at every version up to and including 10.3, allowing attackers to extract database contents via Blind SQL Injection.
If your WordPress site runs Smart Notification at version 10.3 or earlier, you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade Smart Notification to version 10.3.1 or later to remediate the SQL Injection vulnerability. If immediate upgrade is not possible, temporarily disable the plugin.
As of the public disclosure date, no active exploitation has been confirmed, but the CRITICAL severity rating warrants immediate attention and mitigation.
Refer to the smartiolabs website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-39479.