Impact
The vulnerability is a blind SQL injection flaw in the TicketBAI Facturas para WooCommerce plugin for WordPress, caused by improper neutralization of special characters in SQL statements: attacker-controlled input reaches a database query without being escaped or bound as a parameter. An attacker who can deliver crafted input to the affected code path can inject arbitrary SQL. Because the injection is blind, query results are not echoed in the response; the attacker instead infers them indirectly, for example from whether a request returns a result or how long it takes, and extracts data from the database one condition or one character at a time. The description does not mention remote code execution or privilege escalation, so the impact as described is confined to the confidentiality of database contents. Note that the plugin shares the site's database connection, so the data ordinarily reachable this way is not limited to invoicing tables; WordPress core tables such as wp_users sit in the same database.
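The blind extraction described above, as an added example that is neither the plugin's code nor derived from the advisory: a hypothetical lookup built by string concatenation is driven through a true/false oracle to recover a value character by character, next to the parameterized form that the same payload cannot break out of. The table, column names and secret are constructed, and SQLite stands in for MySQL (SQLite's unicode() and substr() play the role of MySQL's ASCII() and SUBSTRING()).

```python
import sqlite3


def build_db():
    """Constructed sample data, not taken from the plugin or the advisory:
    an in-memory table standing in for whatever the vulnerable query touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, ref TEXT, secret TEXT)"
    )
    conn.execute("INSERT INTO invoices VALUES (1, 'INV-1', 's3cr3t')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, ref):
    """Hypothetical vulnerable lookup: the caller's value is spliced into the
    SQL text, which is the 'improper neutralization' the advisory describes."""
    sql = "SELECT id FROM invoices WHERE ref = '" + ref + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, ref):
    """Hardened form: the value is bound as a parameter and never parsed as SQL
    (the WordPress equivalent is $wpdb->prepare with a placeholder)."""
    return conn.execute("SELECT id FROM invoices WHERE ref = ?", (ref,)).fetchall()


def oracle(conn, condition):
    """Boolean oracle: True when the injected condition lets the row through.
    The only thing observed is 'row or no row', never the data itself."""
    payload = "INV-1' AND (" + condition + ") -- "
    return len(lookup_vulnerable(conn, payload)) > 0


def extract_secret(conn, max_len=32):
    """Blind extraction: learn the secret's length, then binary-search the
    code point of each character using only the yes/no oracle."""
    length = 0
    for n in range(1, max_len + 1):
        if oracle(conn, f"length(secret) = {n}"):
            length = n
            break
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(secret, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = build_db()
    probe = "INV-1' AND (1=1) -- "
    print("vulnerable:", lookup_vulnerable(db, probe))  # row returned
    print("prepared:  ", lookup_prepared(db, probe))    # no row: literal mismatch
    print("extracted: ", extract_secret(db))
```

Each character costs about eight oracle requests, so a blind flaw with no data in the response is still a full read of any column the query's database user can see; the prepared form returns nothing for the same payload because the quote and comment characters are just bytes of a non-matching reference.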
Affected Systems
WordPress sites running the TicketBAI Facturas para WooCommerce plugin in any version up to and including 3.19 are affected. The advisory states no lower bound, so every release from the plugin's first up to 3.19 should be treated as vulnerable, and the flaw does not depend on any other WordPress component, theme or configuration. When checking an installed version, compare it numerically rather than as a string: a release numbered 3.9, for example, sorts above 3.19 as text but is below it as a version and therefore inside the affected range.
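A check for the version bound above, as an added example that is not the plugin's code and not taken from the advisory: it reads the Version: field from a WordPress plugin file header and compares it against 3.19 component by component. The sample header, its file layout and its version value are constructed; "up to and including 3.19" is interpreted as a <= 3.19 bound, so a later patch release such as 3.19.1 falls outside the stated range.

```python
import re

# Upper bound of the affected range stated in the advisory.
AFFECTED_MAX = "3.19"


def parse_plugin_version(header_text):
    """Pull the 'Version:' field out of a WordPress plugin file header.
    Returns None when the field is absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_key(version):
    """Split a dotted version into integers so that 3.2 < 3.19; comparing the
    strings directly would rank 3.2 above 3.19 and miss an affected install."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return parts


def compare(a, b):
    """-1, 0 or 1 as version a is below, equal to or above version b.
    Missing trailing components count as zero, so 3.19 == 3.19.0."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version):
    """True when the version lies in the advisory's range (<= 3.19)."""
    return compare(version, AFFECTED_MAX) <= 0


# Constructed header modelled on the standard WordPress plugin header format;
# the version value is an assumption, not the real plugin's release number.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: TicketBAI Facturas para WooCommerce
 * Version: 3.2
 */
"""


if __name__ == "__main__":
    found = parse_plugin_version(SAMPLE_HEADER)
    print(f"installed {found}: affected = {is_affected(found)}")
```

On a live site the same function can be fed the header of the plugin's main PHP file under wp-content/plugins/, or the output of `wp plugin get <slug> --field=version` if WP-CLI is available.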
Risk and Exploitability
A CVSS score of 9.3 falls in the critical band (9.0 and above), driven by the loss of confidentiality of site data. The EPSS score of under 1% means the model assigns a low probability of exploitation in the wild over the next 30 days, but a low EPSS is not evidence of safety: blind SQL injection against a reachable web endpoint is routinely automated, and the flaw remains a practical target for anyone after the data of a specific site. The flaw is not listed in the CISA KEV catalog. An attacker needs to reach a plugin endpoint that accepts user input; the description names neither the endpoint nor the parameter, so the vector is inferred to be crafted HTTP requests carrying the malicious payload, and whether authentication is required is not stated. Successful exploitation yields information from the database, with the only preconditions being that the endpoint is reachable and that the attacker can deliver such requests.
OpenCVE Enrichment
EUVD