Impact
The Wp tabber widget plugin for WordPress is vulnerable to SQL injection through the wp-tabber-widget shortcode. Because the plugin neither escapes the user-supplied shortcode parameter nor prepares the SQL query it is inserted into, an authenticated user with the Contributor role or higher can inject additional SQL into that query. The injected SQL can read confidential data from the database, including user credentials, content, and other sensitive information. The flaw is classified as CWE-89 (SQL injection) and represents a direct breach of confidentiality for the affected site.
Affected Systems
All WordPress sites running the Wp tabber widget plugin at version 4.0 or earlier are affected. The only vendor listed is gopiplushotmailcom, with the product name Wp tabber widget.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user with Contributor-level access placing a crafted value in the shortcode's parameter, which the plugin then embeds in a larger SQL query and executes. Successful exploitation grants the attacker read access to any data the database user's privileges allow, a significant confidentiality risk. Because authentication is required, the risk is concentrated on sites where Contributor accounts are not properly segmented or where role permissions are overly generous.
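The following is an added illustration of the defect class described in the Impact and Risk sections (a shortcode attribute flowing unprepared into a database query) beside the corrected form; it is not the plugin's code, and the function names, shortcode tag and table name are hypothetical, assumed to run inside WordPress where `$wpdb` is the global database object.

```php
<?php
// Hypothetical illustration of the shortcode-to-SQL pattern described above.
// This is NOT the plugin's code; function, table and shortcode names are invented.
// Assumes it runs inside WordPress, where $wpdb is the global database object.

// VULNERABLE PATTERN: the shortcode attribute is concatenated into the SQL string.
// Any user who can place shortcodes (Contributor and above) controls $atts['id'].
function example_tabber_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'example-tabber' );
    // Untrusted attribute dropped straight into the query text (CWE-89).
    $rows = $wpdb->get_results(
        "SELECT title, content FROM {$wpdb->prefix}example_tabs WHERE id = " . $atts['id']
    );
    return example_tabber_render( $rows );
}

// HARDENED PATTERN: validate the type, then bind the value with $wpdb->prepare().
function example_tabber_shortcode_fixed( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'example-tabber' );
    // Accept only what the schema expects: a positive integer id.
    $id = absint( $atts['id'] );
    if ( 0 === $id ) {
        return '';
    }
    // %d placeholder: the value is bound as an integer, never spliced in as SQL text.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT title, content FROM {$wpdb->prefix}example_tabs WHERE id = %d",
            $id
        )
    );
    return example_tabber_render( $rows );
}

// Escape on output as well, so stored data cannot inject markup into the page.
function example_tabber_render( $rows ) {
    $out = '';
    foreach ( (array) $rows as $row ) {
        $out .= '<h3>' . esc_html( $row->title ) . '</h3>';
        $out .= '<div>' . wp_kses_post( $row->content ) . '</div>';
    }
    return $out;
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_shortcode( 'example-tabber', 'example_tabber_shortcode_fixed' );
```

When reviewing a plugin for this class of bug, grep for `$wpdb->get_results`, `get_var`, `get_row` and `query` calls whose SQL is built with string concatenation or interpolation rather than `$wpdb->prepare()`.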
OpenCVE Enrichment