Impact
The Bug Library plugin does not properly neutralize special elements in input before concatenating it into raw SQL statements. Because its data-handling routines accept such input without adequate sanitization, an attacker can craft a malicious value and carry out a blind SQL injection attack. Successful exploitation can expose sensitive database contents, modify stored information, and potentially exfiltrate user data. Because the attack is blind, attackers rely on inference from error messages or timing, but the risk to confidentiality and integrity remains significant.
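The mechanism described above, as an added example that is not the plugin's code: Python's `sqlite3` stands in for the plugin's database layer, and every table, column, function name and sample input here is constructed for illustration. It shows why a concatenated query hands the requester a true/false signal about unrelated data, and why binding the value as a parameter removes that signal.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE bugs (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (login TEXT, pass_hash TEXT);
        INSERT INTO bugs VALUES (1, 'Crash on save');
        INSERT INTO users VALUES ('admin', 'constructed-hash-value');
    """)
    return db

def bug_exists_concat(db, bug_id):
    # Vulnerable pattern: request input becomes part of the SQL text.
    sql = "SELECT title FROM bugs WHERE id = " + bug_id
    return db.execute(sql).fetchone() is not None

def bug_exists_param(db, bug_id):
    # Hardened pattern: the value is bound as data and never parsed as SQL.
    row = db.execute("SELECT title FROM bugs WHERE id = ?", (bug_id,)).fetchone()
    return row is not None

def bug_exists_validated(db, bug_id):
    # Defense in depth: reject anything that is not a plain integer first.
    if not (bug_id.isascii() and bug_id.isdigit()):
        raise ValueError("bug id must be numeric")
    return bug_exists_param(db, int(bug_id))

# Two constructed inputs that differ only in a condition on another table.
PROBE_TRUE = "1 AND (SELECT count(*) FROM users WHERE login = 'admin') = 1"
PROBE_FALSE = "1 AND (SELECT count(*) FROM users WHERE login = 'admin') = 0"

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concat", bug_exists_concat), ("param", bug_exists_param)):
        # concat: the page "found / not found" answer tracks the injected
        # condition; param: both inputs are just non-matching strings.
        print(name, fn(db, PROBE_TRUE), fn(db, PROBE_FALSE))
```

With the concatenated query the two inputs produce different answers, which is the inference channel a blind injection depends on; with the bound parameter both produce the same answer.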
Affected Systems
WordPress sites that have installed the Bug Library plugin from Yannick Lefebvre, versions n/a through 2.1.4, are affected. The vulnerability is confined to the plugin’s database interactions and does not impact default WordPress core or other plugins unless they invoke Bug Library functions.
Risk and Exploitability
The CVSS score of 8.5 classifies this issue as high severity, reflecting its potential impact on data confidentiality and integrity. The EPSS score of less than 1% indicates that exploitation attempts are currently rare, yet the flaw remains exploitable. It is not listed in the CISA KEV catalog, reducing the likelihood of widespread attacks, but a determined adversary could target vulnerable sites via the plugin’s exposed web interfaces. Likely attack paths involve sending crafted requests to the plugin’s input forms, possibly from unauthenticated users if those endpoints are publicly reachable.