Impact
The vulnerability is a SQL injection flaw in the shinetheme Traveler theme. It allows attackers to embed malicious SQL in requests that are passed unsanitized to the database, leading to arbitrary SQL execution. The weakness is identified as CWE-89. Because the malicious input can alter database queries, an attacker could potentially read sensitive data, modify records, or even delete entries, compromising site integrity and confidentiality.
Affected Systems
WordPress sites that use the shinetheme Traveler theme in a version earlier than 3.2.1 are affected. The affected product is the Traveler WordPress theme, which is included in many WordPress installations. Versions below 3.2.1 contain the flaw; versions 3.2.1 and newer are not affected.
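A check for the version boundary stated above, added here as an example (not code from OpenCVE or the theme vendor): it reads the Theme Name and Version headers from each installed theme's style.css and flags Traveler copies older than 3.2.1. The header value "Traveler" and the wp-content/themes layout are assumptions.

```python
import re
from pathlib import Path

FIXED = (3, 2, 1)        # first unaffected release, per the advisory
THEME_NAME = "traveler"  # assumption: value of the theme's "Theme Name" header

# Header lines in a WordPress theme's style.css look like " * Version: 3.1.9".
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version):(.*)$", re.I | re.M)

def parse_header(css_text):
    """Return the Theme Name / Version header fields of a style.css."""
    fields = {}
    for key, value in HEADER_RE.findall(css_text[:8192]):  # headers sit at the top
        fields.setdefault(key.lower(), value.strip())
    return fields

def version_tuple(text):
    """'3.2' -> (3, 2, 0); a suffix such as '-beta' is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(css_text):
    """True if the header names Traveler with a version below 3.2.1.
    A missing version cannot be cleared, so it is flagged for review."""
    header = parse_header(css_text)
    if header.get("theme name", "").lower() != THEME_NAME:
        return False
    return version_tuple(header.get("version", "")) < FIXED

def scan(wp_root):
    """Return theme directories under wp_root that still need the upgrade."""
    themes = Path(wp_root).glob("wp-content/themes/*/style.css")
    return sorted(css.parent for css in themes
                  if is_affected(css.read_text(encoding="utf-8", errors="replace")))

# Constructed sample header, not taken from the real theme.
SAMPLE = "/*\n Theme Name: Traveler\n Version: 3.1.9\n*/\n"

if __name__ == "__main__":
    import sys
    print("sample affected:", is_affected(SAMPLE))
    for path in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("upgrade needed:", path)
```

Run it with the WordPress root as the only argument; every directory it prints holds a copy of the theme that predates 3.2.1, including inactive copies left on disk.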
Risk and Exploitability
This flaw carries a CVSS score of 9.3, indicating high severity and that the flaw is fully reachable remotely. The EPSS score is under 1%, suggesting a low current exploitation probability, and the flaw is not listed in the CISA KEV catalog. However, the vulnerability is reachable through the public web interface of a WordPress site, meaning an attacker only needs to send a crafted request to the theme’s entry points. Because exploitation requires only normal user-level access to the site, the attack vector is likely remote and low effort.