Impact
The Small Package Quotes – Unishippers Edition plugin contains an improper neutralization of special elements used in an SQL command, a classic SQL injection flaw (CWE‑89). The flaw lets an attacker inject arbitrary SQL into a database query, which can result in unauthorized modification, deletion, or exfiltration of data. The description does not indicate direct code execution, so the impact is confined to database integrity and confidentiality unless the database account has elevated privileges that could be abused after a successful injection.
Affected Systems
WordPress sites that have installed the enituretechnology Small Package Quotes – Unishippers Edition plugin and run any version up to and including 2.4.8 are affected. Versions newer than 2.4.8 are not impacted.
Risk and Exploitability
The CVSS score of 9.3 indicates critical severity, while the EPSS score of less than 1% suggests that exploitation in the wild currently appears rare. The flaw is not listed in the CISA KEV catalog. The vulnerability is likely exploitable through a web request to the vulnerable plugin endpoint without authentication, which places it within reach of unauthenticated or low‑privileged users. Standard SQL injection techniques are sufficient to build a proof of concept, and a successful injection could allow an attacker to compromise database contents or, if the database user role is powerful, gain broader control over the site.
OpenCVE Enrichment
EUVD