Impact
The vulnerability is an instance of improper neutralization of special elements used in an SQL command, known as SQL Injection. This flaw allows an attacker to inject arbitrary SQL statements into the query that the Marcel‑NL Super Simple Subscriptions plugin builds, potentially reading, modifying, or deleting sensitive information stored in the WordPress database. The weakness corresponds to CWE‑89 and carries a CVSS score of 7.6, indicating a high‑severity flaw.
Affected Systems
The issue affects the Marcel‑NL Super Simple Subscriptions WordPress plugin for all releases up to and including version 1.1.0. Sites running the plugin are potentially impacted if the plugin's endpoints are publicly reachable.
Risk and Exploitability
The EPSS score of less than 1% suggests that, as of the latest data, exploitation attempts are expected to be rare, and the vulnerability is not listed in the CISA KEV catalog. However, the high CVSS score and the nature of SQL injection imply that an attacker who can supply crafted input to the plugin's subscription handling endpoints could gain unauthorized database access. The likely attack vector is the plugin's web interfaces, possibly requiring authenticated admin access; this inference is drawn from typical plugin architectures and is not explicitly stated in the underlying advisory data.
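To make the CWE‑89 pattern behind this advisory concrete, the following is an added example, not code from the Super Simple Subscriptions plugin or any other part of this advisory. It shows a subscription lookup that interpolates user input into the SQL string beside the parameterised form that closes the hole. The table, the column names and both inputs are constructed for the demonstration; the query runs against an in-memory SQLite database through PDO so it can be executed with a stock PHP CLI, and the comment notes the `$wpdb->prepare()` equivalent a WordPress plugin would use.

```php
<?php
// Added example (not the plugin's code): an SQL injection of the CWE-89 kind
// described in the advisory, shown next to the parameterised fix.
// Table layout and sample rows are constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscriptions (id INTEGER PRIMARY KEY, email TEXT, status TEXT)');
$db->exec("INSERT INTO subscriptions (email, status) VALUES
    ('alice@example.com', 'active'),
    ('bob@example.com',   'active'),
    ('carol@example.com', 'cancelled')");

// Vulnerable: untrusted input is concatenated straight into the SQL text,
// so a value containing quotes or operators changes the query's structure.
function find_by_email_vulnerable(PDO $db, string $email): array
{
    $sql = "SELECT email, status FROM subscriptions WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is bound as a parameter and can only ever be data.
// In a WordPress plugin the equivalent is
//   $wpdb->get_results($wpdb->prepare("SELECT ... WHERE email = %s", $email));
function find_by_email_safe(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT email, status FROM subscriptions WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$benign  = 'alice@example.com';
$hostile = "' OR '1'='1";   // constructed input: closes the quote and adds a tautology

foreach (['vulnerable' => 'find_by_email_vulnerable', 'safe' => 'find_by_email_safe'] as $label => $fn) {
    printf("%-10s benign input : %d row(s)\n", $label, count($fn($db, $benign)));
    printf("%-10s hostile input: %d row(s)\n", $label, count($fn($db, $hostile)));
}
```

With the hostile input the vulnerable function's WHERE clause becomes `email = '' OR '1'='1'`, which is true for every row, so the whole table is returned; the parameterised version treats the same string as a literal e-mail address and matches nothing. That difference is the entire mitigation: in WordPress code, every query that carries request-derived values should go through `$wpdb->prepare()`, and a code review of a plugin's `$wpdb->query()` / `get_results()` calls for string concatenation is the quickest way to find instances of this weakness.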