Impact
This vulnerability is an improper neutralization of special elements used in an SQL command, allowing attackers to perform blind SQL injection against the Mediabay – WordPress Media Library Folders plugin. In a blind injection the database does not return query results directly; the attacker infers them from differences in the application's responses or response timing. When successfully exploited, an attacker can read, modify, or delete database contents through crafted input that alters the plugin's queries, potentially undermining confidentiality, integrity, and availability. The weakness is categorized as CWE-89, a classic input validation flaw that undermines database access controls.
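The following added example is illustrative code written for this page, not code from the Mediabay plugin or its vendor. It shows the CWE-89 pattern (request input concatenated into a query) next to a hardened version that binds the value through WordPress's `$wpdb->prepare()` and gates the handler behind a nonce and capability check. The function names, table name and AJAX action are hypothetical.

```php
<?php
// Added illustrative example; not code from the Mediabay plugin.
// Hypothetical folder-listing handler for a WordPress plugin, shown first
// with the CWE-89 pattern (input interpolated into SQL) and then hardened.

// VULNERABLE pattern (hypothetical): the folder id taken from the request is
// concatenated straight into the query, so input that breaks out of the
// intended expression reaches the database unchanged.
function mb_example_list_attachments_unsafe( $folder_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_folders'; // hypothetical table name
    $sql   = "SELECT attachment_id FROM {$table} WHERE folder_id = " . $folder_id;
    return $wpdb->get_col( $sql );
}

// HARDENED version: the id is coerced to a non-negative integer and bound via
// $wpdb->prepare(), so user input can never change the query structure.
function mb_example_list_attachments_safe( $folder_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_folders';
    $sql   = $wpdb->prepare(
        "SELECT attachment_id FROM {$table} WHERE folder_id = %d",
        absint( $folder_id )
    );
    return $wpdb->get_col( $sql );
}

// For string inputs (e.g. a folder name) use the %s placeholder; prepare()
// escapes and quotes the value itself, so the format string must not add quotes.
function mb_example_find_folder_by_name_safe( $name ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_folders';
    return $wpdb->get_var(
        $wpdb->prepare(
            "SELECT id FROM {$table} WHERE name = %s LIMIT 1",
            sanitize_text_field( wp_unslash( $name ) )
        )
    );
}

// Register the safe handler for an admin-ajax action. The nonce and capability
// checks close the unauthenticated path; the prepared query closes the
// injection path even for users who are allowed to call the endpoint.
add_action( 'wp_ajax_mb_example_list', function () {
    check_ajax_referer( 'mb_example_nonce', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $ids = mb_example_list_attachments_safe( $_POST['folder_id'] ?? 0 );
    wp_send_json_success( $ids );
} );
```

When reviewing a plugin for this class of bug, the things to look for are exactly the two differences above: any `$wpdb` query built with string concatenation or interpolation of request data instead of `prepare()`, and any `wp_ajax_` or `wp_ajax_nopriv_` handler that reaches the database without a nonce and capability check.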
Affected Systems
Any WordPress site running the Mediabay – WordPress Media Library Folders plugin at version 1.4 or earlier is affected: every release from the first through 1.4 inclusive contains the flaw. Later releases are not affected according to the vendor's affected-version details.
Risk and Exploitability
The CVSS score of 8.5 indicates high severity. The EPSS score of less than 1% suggests a low current probability of exploitation, and the issue is not listed in the CISA KEV catalog, which reduces near-term concern about widespread exploitation. However, because the vulnerability allows blind data extraction through the web interface, any site that exposes the plugin's input fields to authenticated or unauthenticated users is reachable by an attacker with network connectivity to the application. The attack vector is inferred to be web requests to the plugin's endpoints, with no additional system access required.
OpenCVE Enrichment