Impact
Alpha BPO Easy Code Snippets plugin version 1.0.2 or earlier contains an improper neutralization of special elements used in an SQL command, which allows an attacker to inject arbitrary SQL statements. Because injected statements run with the database privileges of the WordPress application, this flaw can enable reading, modification, or deletion of database contents, potentially exposing sensitive user data or compromising site integrity. The weakness is classified as CWE-89 (SQL injection).
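The advisory does not show where in the plugin the injection occurs, so the following is an added, hypothetical illustration rather than the plugin's own code: it contrasts the CWE-89 pattern described above with the hardened WordPress idiom ($wpdb->prepare() plus capability and nonce checks). The table name, column names, nonce action and function names are assumptions.

```php
<?php
// Added illustrative example, NOT code from the Easy Code Snippets plugin.
// Assumed: a custom table {$wpdb->prefix}snippets with columns id, title, code.

// VULNERABLE (hypothetical): a request parameter is concatenated into SQL,
// so a crafted value alters the statement instead of being treated as data.
function ecs_get_snippet_unsafe() {
    global $wpdb;
    $id  = $_GET['snippet_id']; // untrusted and unvalidated
    $sql = "SELECT id, title, code FROM {$wpdb->prefix}snippets WHERE id = " . $id;
    return $wpdb->get_results( $sql );
}

// HARDENED: capability check, nonce check, type coercion and a parameterised
// query via $wpdb->prepare(), so the value can never change the SQL structure.
function ecs_get_snippet_safe() {
    global $wpdb;

    // Only users allowed to manage the plugin may reach this code path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Reject cross-site requests to the admin endpoint (nonce action assumed).
    check_admin_referer( 'ecs_view_snippet' );

    // absint() turns anything that is not a positive integer into 0.
    $id = isset( $_GET['snippet_id'] ) ? absint( $_GET['snippet_id'] ) : 0;
    if ( 0 === $id ) {
        return array();
    }

    // %d is bound as an integer by prepare(); identifiers are not parameters,
    // so the table name comes from $wpdb->prefix, never from user input.
    $sql = $wpdb->prepare(
        "SELECT id, title, code FROM {$wpdb->prefix}snippets WHERE id = %d",
        $id
    );
    return $wpdb->get_results( $sql );
}

// For string filters the same rule applies with %s, plus an escaped LIKE pattern
// so that '%' and '_' in the search term cannot widen the match.
function ecs_search_snippets_safe( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( sanitize_text_field( $term ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$wpdb->prefix}snippets WHERE title LIKE %s", $like )
    );
}
```

Auditing a plugin for this class of bug means looking for $wpdb->query()/get_results()/get_var() calls whose SQL is built by concatenation or interpolation from $_GET, $_POST or $_REQUEST without passing through $wpdb->prepare().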
Affected Systems
All installations of the Easy Code Snippets plugin distributed by Alpha BPO, from the initial release through version 1.0.2. WordPress sites that have this plugin installed may be vulnerable whenever the plugin’s input fields or administrative endpoints can be accessed. No other vendor or product is listed, so the impact is confined to environments running this plugin.
Risk and Exploitability
The CVSS base score of 7.6 indicates high severity, but the EPSS score of less than 1% indicates a very low probability of exploitation in the wild at this time. The vulnerability is not listed in the CISA KEV catalog, so there is no evidence of active exploitation. The attack is likely carried out remotely against the plugin’s administration interfaces and could require some level of authenticated access to the site, although additional research would be needed to confirm that requirement.
OpenCVE Enrichment