Impact
The vulnerability in the Shuffle plugin arises from improper neutralization of special elements used in SQL commands, enabling blind SQL injection. An attacker who can influence the plugin’s input can construct SQL queries that the database executes, allowing the attacker to read, modify, or delete data stored in the WordPress database. This can compromise the confidentiality and integrity of site data, potentially exposing sensitive information or corrupting the database. The likely attack vector is blind SQL injection via plugin inputs.
Affected Systems
This flaw affects the Shuffle plugin developed by Scott Taylor. All installations of Shuffle up to and including version 0.5 are impacted. Sites that have not installed a version later than 0.5 are at risk.
Risk and Exploitability
The CVSS score of 8.5 reflects high severity. The EPSS score of less than 1% indicates a low probability of exploitation at the moment, and no data confirm exploitation. The vulnerability is not listed in the CISA KEV catalog. The plugin’s lack of input sanitization means that an attacker can craft HTTP requests to the plugin’s endpoints, but the blind nature of the injection requires multiple round-trips to infer data. Successful exploitation would give the attacker read/write access to the WordPress database, potentially leading to data theft or site compromise.