Impact
Improper Neutralization of Special Elements used in an SQL Command (CWE-89) has been identified in Oliver Fuhrmann's WordPress Local SEO plugin. The flaw permits blind SQL injection: an attacker who can submit crafted input has that input concatenated into a database query without adequate escaping or parameter binding. Because the injection is blind, exploitation produces no explicit error output, but a successful injection can still retrieve sensitive information from the database, compromising confidentiality and potentially enabling further attacks.
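To make the root cause concrete, the following is an added illustration, not code from the Local SEO plugin or its author: the query-building pattern the advisory describes (input concatenated into SQL) beside the parameter-bound form that WordPress provides through `$wpdb->prepare()`. The function names, table name and nonce action are hypothetical placeholders.

```php
<?php
// Added illustration (not the Local SEO plugin's own code). All function,
// table and nonce names below are hypothetical.

// Vulnerable pattern: user input is concatenated straight into the SQL text.
// A crafted value changes the structure of the query; because nothing is
// echoed back, the result is the blind injection described in the advisory.
function lseo_lookup_location_unsafe( $name ) {
    global $wpdb;
    $table = $wpdb->prefix . 'lseo_locations'; // $wpdb->prefix is trusted config, not user input
    $sql   = "SELECT id, city FROM {$table} WHERE name = '" . $name . "'";
    return $wpdb->get_results( $sql );
}

// Hardened form: $wpdb->prepare() binds the value as a parameter, so it is
// only ever compared as a string and never parsed as part of the query.
function lseo_lookup_location_safe( $name ) {
    global $wpdb;
    $table = $wpdb->prefix . 'lseo_locations';
    $sql   = $wpdb->prepare(
        "SELECT id, city FROM {$table} WHERE name = %s",
        $name
    );
    return $wpdb->get_results( $sql );
}

// Capability and nonce checks belong in front of any admin-side handler that
// reaches the database; they limit who can submit the input in the first place,
// independently of the parameter binding above.
function lseo_handle_admin_lookup() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'lseo_lookup' ); // hypothetical nonce action name
    $name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    return lseo_lookup_location_safe( $name );
}
```

When auditing a plugin for this class of flaw, the check is mechanical: every `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` call whose SQL string is built with `.` concatenation or `"{$var}"` interpolation from request data is a candidate, and the fix is to route the value through `%s`/`%d` placeholders in `prepare()` rather than through escaping alone.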
Affected Systems
All WordPress sites running the Local SEO plugin at version 2.3 or earlier, from its initial release through version 2.3, are affected. Any such installation is at risk.
Risk and Exploitability
With a CVSS score of 9.3, the vulnerability is rated critical. The EPSS score is under 1%, indicating that the current likelihood of exploitation in the wild is low, though targeted attacks on high-value sites remain possible. The vulnerability is not listed in the CISA KEV catalog at this time. Based on the plugin's design, the attack vector is inferred to be a web-based request, most likely to an admin-side endpoint that accepts user input, which would require either administrative access or the ability to supply that input externally. An adversary able to inject input may therefore expose database contents or manipulate data.