The Easy Quotes plugin for WordPress has a blind SQL injection flaw due to improper neutralization of special elements in SQL commands. Attackers can craft input that is passed directly to the database, allowing them to extract or alter sensitive data stored by WordPress. This vulnerability can expose user credentials, site configuration, and other confidential information, potentially compromising the integrity of the entire site.

All installations of the Easy Quotes plugin for WordPress up to and including version 1.2.2 are affected. The vulnerable versions include any release from the first to the 1.2.2 release. Users running these versions on WordPress sites should treat the plugin as vulnerable.

The vulnerability carries a CVSS score of 9.3, indicating high severity. The EPSS score of less than 1% suggests a low current probability of widespread exploitation, and it is not listed in the CISA KEV catalog. However, the attack vector is likely through the web interface of the plugin, requiring only HTTP access to the site. An attacker can send specially crafted requests to the plugin’s input points and use the blind SQL injection to read or modify data by observing side effects, such as response timing or error messages. No authentication is required, making the flaw accessible to anyone who can reach the site’s front-end.