The CVE identifies an improper neutralization of special elements used in an SQL command within the sudipto Link to URL / Post WordPress plugin, enabling blind SQL injection. The plugin accepts URLs submitted by users, and an attacker can craft input that is concatenated directly into database queries, allowing extraction, modification, or deletion of sensitive data. The vulnerability description does not explicitly state whether authentication is required; based on the nature of the plugin’s interface it is inferred that an unauthenticated user who can interact with the link submission feature may be able to trigger the injection, but this is not confirmed by the CVE data.

The flaw affects the sudipto Link to URL / Post WordPress plugin for versions up to and including 1.3. Any WordPress site that has the plugin installed at these versions is potentially vulnerable.

The CVSS score of 7.6 classifies the issue as high severity, while an EPSS score of less than 1% indicates a low current chance of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Although the data does not specify an authentication requirement, the plugin’s public URL submission interface suggests that an unauthenticated user might be able to trigger the attack, making the vulnerability broadly exploitable. An attacker could execute arbitrary SQL statements against the site’s database, potentially compromising confidentiality and integrity of stored information.