Impact
The likely attack vector is a crafted HTTP request to a backend endpoint of the PopupKit plugin. According to the description, an attacker can inject arbitrary SQL into a query that the plugin builds from untrusted request input, resulting in blind SQL injection: the response does not return query results directly, but differences in the response (its content or its timing) let the attacker infer database contents one character or one bit at a time. Depending on the query that is affected, the flaw can allow the attacker to read, modify, or delete data stored in the WordPress database, including plugin configuration, site content, and user account records, compromising confidentiality and integrity. The weakness is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
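The following is an added illustration of the CWE-89 pattern described above and is not PopupKit's code; the advisory does not identify the vulnerable endpoint or query. It uses an in-memory SQLite table with assumed names (popups, api_token) and a constructed secret to show how a boolean oracle ("did a row come back?") is enough to leak data through a string-built query, and why the same payload is inert once the value is bound as a parameter (the WordPress equivalent is $wpdb->prepare()).

```python
import sqlite3
import string

# Constructed stand-in data: NOT PopupKit's schema; table and column names are assumptions.
SECRET_TOKEN = "s3cr3t"
CHARSET = string.ascii_letters + string.digits


def make_db():
    """In-memory SQLite database standing in for the WordPress database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE popups (id INTEGER PRIMARY KEY, title TEXT, api_token TEXT)")
    conn.execute("INSERT INTO popups VALUES (1, 'Newsletter', ?)", (SECRET_TOKEN,))
    return conn


def popup_exists_vulnerable(conn, popup_id):
    """CWE-89 pattern: the request parameter is spliced into the SQL text.
    The caller only learns whether a row came back, i.e. a boolean oracle."""
    sql = f"SELECT id FROM popups WHERE id = {popup_id}"
    return conn.execute(sql).fetchone() is not None


def popup_exists_safe(conn, popup_id):
    """Hardened form: a bound parameter, so the value is data, never SQL.
    In WordPress the equivalent is $wpdb->prepare() with %d / %s placeholders."""
    row = conn.execute("SELECT id FROM popups WHERE id = ?", (popup_id,)).fetchone()
    return row is not None


def blind_extract(oracle, column, charset=CHARSET, max_len=32):
    """Boolean-based blind inference: recover `column` of row 1 one character
    at a time using only True/False answers from `oracle`."""
    found = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            # SUBSTR(col, pos, 1) is '' past the end of the value, so no
            # character matches there and the loop terminates.
            if oracle(f"1 AND SUBSTR({column}, {pos}, 1) = '{ch}'"):
                found += ch
                break
        else:
            break
    return found


def demo():
    """Return (value leaked through the vulnerable query,
    whether the same payload leaks anything through the hardened query)."""
    conn = make_db()
    leaked = blind_extract(lambda p: popup_exists_vulnerable(conn, p), "api_token")
    probe = "1 AND SUBSTR(api_token, 1, 1) = 's'"
    # With binding, the whole probe string is compared against the integer id column
    # and simply matches nothing; no inference is possible.
    safe_leak = popup_exists_safe(conn, probe)
    return leaked, safe_leak


if __name__ == "__main__":
    print(demo())
```

The oracle here is "row or no row"; a time-based variant works the same way with SLEEP()/BENCHMARK() replacing the substring comparison, which is why response-timing anomalies are the other signal to watch for. Binding the parameter (or casting it to int before use) is the fix; escaping alone is not.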
Affected Systems
WordPress sites with the PopupKit plugin from Roxnor installed, in any release up to and including version 2.1.5. The plugin is typically deployed alongside a WordPress theme or page builder and interacts with the WordPress database through its own custom SQL queries, so any installation running an affected version is potentially exposed.
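An added helper for the version check a site owner would run, not code from the plugin or from OpenCVE. It reads the Version: line that WordPress itself uses from a plugin's main file header and compares it numerically against the "up to and including 2.1.5" bound stated above (string comparison would wrongly rank 2.1.10 below 2.1.5). The header text below is constructed; the plugin's directory name is not given on this page and is not assumed.

```python
import re

# Ceiling of the affected range, taken literally from "up to and including 2.1.5".
AFFECTED_MAX = (2, 1, 5)


def parse_version(s):
    """'2.1.5' -> (2, 1, 5); '2.1.10' -> (2, 1, 10); '2.1.6-beta1' -> (2, 1, 6).
    Only the leading dotted numeric part is compared; pre-release tags are dropped."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version):
    """True if `version` is <= 2.1.5 in numeric component order."""
    v = parse_version(version)
    n = max(len(v), len(AFFECTED_MAX))
    v_padded = v + (0,) * (n - len(v))                       # 2.1 -> 2.1.0
    ceiling = AFFECTED_MAX + (0,) * (n - len(AFFECTED_MAX))  # 2.1.5 -> 2.1.5.0 when needed
    return v_padded <= ceiling


def version_from_plugin_header(php_source):
    """WordPress reads a plugin's version from the 'Version:' line of the
    header comment in the main plugin file; return it or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.M)
    return m.group(1) if m else None


# Constructed example header, NOT the real PopupKit plugin file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: PopupKit
 * Version: 2.1.4
 */
"""


def check_header(php_source):
    """Return (version string, affected?) for a plugin file's contents."""
    version = version_from_plugin_header(php_source)
    return version, (version is not None and is_affected(version))


if __name__ == "__main__":
    print(check_header(SAMPLE_HEADER))
```

Point it at the main .php file under wp-content/plugins/ for the plugin, or at the version string shown on the Plugins admin page. A version such as 2.1.5.1 is treated as newer than 2.1.5 here; if a vendor hotfix with that numbering exists, confirm against the vendor's own changelog rather than trusting the arithmetic.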
Risk and Exploitability
The CVSS score of 8.5 falls in the High severity band. The likely attack path requires the attacker to send crafted requests to a vulnerable endpoint that the plugin exposes over the web; this is inferred from the description that the plugin "allows Blind SQL Injection" rather than from a published exploit. The EPSS score is below 1 %, suggesting a low expected probability of exploitation in the wild, and the CVE is not listed in CISA's KEV catalog, so no active exploitation is known at the time of writing. Even so, SQL injection of this kind is straightforward for an attacker with network access to the site to attempt, and both signals can change quickly once a public proof of concept appears; successful exploitation would compromise the confidentiality and integrity of the database.
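Because the only evidence of exploitation a site owner is likely to have is the web server access log, the following added example (not from OpenCVE or the plugin vendor) shows a triage pass over Common Log Format lines for the request shapes blind SQL injection probes take: boolean tautologies and MySQL time-delay functions in a query string, possibly URL-encoded. The log lines are constructed, and the admin-ajax action name in them is a placeholder; the advisory does not name the vulnerable endpoint, so the patterns are applied to every request rather than to one path.

```python
import re
from urllib.parse import unquote_plus

# Generic indicators of boolean- and time-based blind SQLi probes in the MySQL
# dialect WordPress uses. Not specific to PopupKit; a triage aid, not a verdict.
BLIND_SQLI_PATTERNS = [
    re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),            # time-based
    re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),          # AND 1=1 / OR 2=2
    re.compile(r"\b(?:and|or)\s+\(?\s*select\b", re.I),         # AND (SELECT ...)
    re.compile(r"\bif\s*\(\s*substr(?:ing)?\s*\(", re.I),       # IF(SUBSTR(...),SLEEP(..),0)
    re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I),     # error-based fallbacks
]

# Common Log Format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode(s):
    """URL-decode twice: scanners commonly double-encode to slip past naive filters."""
    for _ in range(2):
        s = unquote_plus(s)
    return s


def suspicious(path):
    """Return the list of pattern sources that match the decoded request path."""
    p = decode(path)
    return [pat.pattern for pat in BLIND_SQLI_PATTERNS if pat.search(p)]


def scan(lines):
    """Yield (ip, timestamp, raw path, matched patterns) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        matched = suspicious(m["path"])
        if matched:
            hits.append((m["ip"], m["ts"], m["path"], matched))
    return hits


# Constructed sample log; "example_action" is a placeholder, not a real PopupKit action.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&id=1%2520AND%25201%253D1 HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2024:10:00:04 +0000] "GET /index.php?p=42 HTTP/1.1" 200 2048
"""


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

Two things this cannot see: POST bodies, which CLF does not record, and response time, which is the decisive signal for SLEEP()-based probes. If the server log includes request duration (for example nginx $request_time or Apache %D), add a second rule that flags requests whose duration clusters at a round number of seconds from one client.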
OpenCVE Enrichment