Impact
The vulnerability in the Niket Joshi WPDB to Sql WordPress plugin allows an attacker to insert sensitive information into outgoing data streams, resulting in the exposure of confidential data stored within the database. According to the official description, a flaw in the plugin's handling of query responses permits embedded sensitive data to be retrieved by unauthorized parties. This weakness is categorized as CWE-201 (Insertion of Sensitive Information Into Sent Data), in which the application discloses sensitive information in data it sends out.
Affected Systems
Affected systems include installations of the WPDB to Sql plugin by Niket Joshi, specifically versions from the earliest available build up to and including 1.2. Any WordPress site that has not updated beyond version 1.2 of this plugin remains vulnerable.
Risk and Exploitability
The CVSS base score of 7.5 indicates high severity, and the EPSS score of less than 1% suggests that exploit attempts are currently rare. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the web application interface, where an attacker could craft requests that trigger the plugin's response mechanism and thereby obtain the embedded sensitive data. Additional prerequisites are that the plugin is active and that the site allows normal user interactions to reach the plugin's code path.