The vulnerability is an SQL Injection flaw caused by improper neutralization of special elements in SQL commands within the WpIndeed Ultimate Learning Pro plugin. When an attacker supplies crafted input that bypasses input validation, the plugin can execute arbitrary SQL against the database. This allows the attacker to read sensitive data, modify or delete records, and potentially take full control of the database if sufficient privileges are granted. The weakness is classified as CWE-89.

The flaw affects the WpIndeed Ultimate Learning Pro WordPress plugin versions from the first release (n/a) through 3.9. Any WordPress site using any of those plugin versions is vulnerable. Users of newer releases (4.0 and above) are not affected based on the information supplied.

The CVSS score of 7.6 indicates a high severity. The EPSS score of less than 1% suggests that, despite the high severity, the likelihood of exploitation observed or predicted at this time is low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker submitting malicious requests to the plugin’s input endpoints, which could be performed from the public internet without authentication. If successful, the attacker could exfiltrate confidential data or tamper with course content, disrupting the learning platform’s integrity and availability.