CVE-2025-26988
Description
SQL Injection vulnerability in SMS Alert Order Notifications plugin allows unauthenticated attackers to execute arbitrary SQL commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The SMS Alert Order Notifications plugin for WordPress suffers from a critical SQL Injection vulnerability due to improper neutralization of special elements used in SQL commands. This flaw affects versions up to and including 3.7.8, allowing attackers to inject malicious SQL queries.[1]
Exploitation does not require authentication, as the vulnerable parameter is accessible to unauthenticated users. Attackers can send crafted requests to the plugin's endpoints, injecting SQL commands that interact with the underlying database. No special network position is needed; any remote attacker can exploit this vulnerability over HTTP.[1]
Successful exploitation can lead to unauthorized access to sensitive data, including user information and credentials. The attacker may also modify or delete database contents, potentially compromising the entire WordPress installation. The CVSS score of 9.3 reflects the severe impact and ease of exploitation.[1]
To mitigate this vulnerability, users must update the plugin to version 3.7.9 or later. Patches have been released, and a mitigation rule is available from Patchstack. As this vulnerability is expected to be exploited in mass campaigns, immediate action is recommended.[1]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:cozyvision:sms_alert_order_notifications:*:*:*:*:*:wordpress:*:*, range: <3.7.9
- (no CPE), range: <=3.7.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.