Impact
This vulnerability is a classic SQL Injection flaw (CWE-89) that allows an attacker to inject arbitrary SQL into the WP Airbnb Review Slider plugin's database queries. It manifests as a blind injection: the query results are not returned to the attacker directly, so database contents or the success of an injected operation are inferred through indirect signals such as timing or differences in the response. This can expose sensitive information or allow modification of stored data.
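The two query patterns behind this class of flaw, as an added illustration that is not code from the plugin or the advisory: the plugin's real table, column and request-parameter names are not given on this page, so the ones below are constructed stand-ins, and Python's sqlite3 stands in for the plugin's PHP/MySQL code. The bound parameter in the hardened version plays the role that $wpdb->prepare() plays in WordPress.

```python
import sqlite3

# Constructed sample rows standing in for a review table; the real schema is an
# assumption, not something the advisory states.
SAMPLE_REVIEWS = [
    (1, "Great stay", 1),            # id, text, is_published
    (2, "Noisy street", 1),
    (3, "Hidden draft review", 0),   # must never be returned to a visitor
]


def make_db():
    """Build an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reviews (id INTEGER, text TEXT, is_published INTEGER)")
    conn.executemany("INSERT INTO reviews VALUES (?, ?, ?)", SAMPLE_REVIEWS)
    return conn


def fetch_review_vulnerable(conn, review_id):
    """Vulnerable pattern: the request parameter is spliced into the SQL text.

    The database engine has no way to distinguish the attacker-controlled
    characters from the developer's own query, so quotes and comment markers
    in the input rewrite the WHERE clause and defeat the is_published filter.
    """
    sql = f"SELECT id, text FROM reviews WHERE id = '{review_id}' AND is_published = 1"
    return conn.execute(sql).fetchall()


def fetch_review_safe(conn, review_id):
    """Hardened pattern: the parameter is bound, not concatenated.

    The engine receives the query shape and the value separately, so the input
    is only ever compared as data; the same string that rewrote the query above
    simply matches no row here. In WordPress this is $wpdb->prepare().
    """
    sql = "SELECT id, text FROM reviews WHERE id = ? AND is_published = 1"
    return conn.execute(sql, (review_id,)).fetchall()


def run_demo(user_input):
    """Run one request parameter through both query styles and return both results."""
    conn = make_db()
    return fetch_review_vulnerable(conn, user_input), fetch_review_safe(conn, user_input)


if __name__ == "__main__":
    for value in ("1", "1' OR '1'='1' -- "):
        vulnerable, safe = run_demo(value)
        print(f"input={value!r}")
        print(f"  concatenated query returned {len(vulnerable)} row(s): {vulnerable}")
        print(f"  parameterised query returned {len(safe)} row(s): {safe}")
```

With a benign id both functions return the same single published review. With input that closes the quote and comments out the rest of the clause, the concatenated query returns every row, unpublished one included, while the parameterised query returns nothing, which is the behaviour a fix for this advisory should restore.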
Affected Systems
The vulnerability affects the WP Airbnb Review Slider plugin developed by jgwhite33, which is deployed on WordPress installations. Any installation running version 3.9 or earlier of the plugin is at risk, regardless of other WordPress plugins or themes in use. No other vendors or products are listed as impacted.
Risk and Exploitability
The CVSS score of 7.6 indicates a moderate to high severity vulnerability, while the EPSS score of <1% suggests a low probability of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog, indicating that no exploitation of it has been publicly documented so far. Based on the description, the likely attack vector is remote: the attacker sends specially crafted requests to the plugin's input endpoints, which anyone who can reach the vulnerable WordPress site can do. No authentication or privileged access is explicitly required, so the attack is feasible for an ordinary unauthenticated visitor. The impact is primarily to data confidentiality and integrity, through unauthorized retrieval or modification of stored data.
OpenCVE Enrichment