Impact
The vulnerability is a classic blind SQL injection flaw caused by improper neutralization of special elements used in an SQL command. Attackers can embed malicious SQL fragments that are not sanitized, allowing the construction of arbitrary queries that run against the database. The consequence is unauthorized retrieval of data, which could expose credentials, personal user information, or other sensitive data stored in the WordPress site's database. In worst-case scenarios, if the database user has elevated privileges, an attacker might gain further control over the application.
Affected Systems
The affected product is the WordPress plugin wpdistillery Navigation Tree Elementor, version 1.0.1 or earlier. The issue lies within the navigation tree feature of the Elementor framework, and WordPress sites running any of these versions are susceptible.
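To check whether a site falls in the affected range, the following added example (not code from the plugin or from the advisory) scans a wp-content/plugins directory for plugin headers and flags installs at version 1.0.1 or earlier. It assumes the plugin's "Plugin Name" header contains the product name given above; the directory names and the 1.0.2 sample version are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_NAME = "navigation tree elementor"  # product name as given in the advisory (assumed header text)
LAST_AFFECTED = (1, 0, 1)                    # "version 1.0.1 or earlier"
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)


def read_header(php_file):
    """Return the Plugin Name / Version header fields of a PHP file, keys lower-cased."""
    # WordPress only reads the first 8 KB of a file when looking for headers.
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return {key.lower(): value for key, value in HEADER.findall(head)}


def parse_version(text):
    """'1.0.1' -> (1, 0, 1); a suffix such as '-beta' is ignored, short versions are zero-padded."""
    parts = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))


def find_affected(plugins_dir):
    """Yield (plugin directory, version) for each affected install under plugins_dir."""
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = read_header(php_file)
        name, version = fields.get("plugin name", ""), fields.get("version")
        if AFFECTED_NAME in name.lower() and version:
            if parse_version(version) <= LAST_AFFECTED:
                yield php_file.parent.name, version


def demo():
    """Scan a constructed plugins tree; folder names and versions are sample data."""
    samples = {"nav-tree-old": "1.0.1", "nav-tree-new": "1.0.2", "other": "0.9"}
    with tempfile.TemporaryDirectory() as tmp:
        for folder, ver in samples.items():
            name = "Other Plugin" if folder == "other" else "Navigation Tree Elementor"
            plugin_dir = Path(tmp, folder)
            plugin_dir.mkdir()
            (plugin_dir / "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return list(find_affected(tmp))


if __name__ == "__main__":
    print(demo())
```

On a real host, call `find_affected()` with the path to the site's plugins directory instead of running `demo()`.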
Risk and Exploitability
With a CVSS score of 8.5, the flaw is classified as high severity. The EPSS score of less than 1% indicates a low probability of widespread exploitation at present, and the vulnerability is not listed in CISA’s KEV catalog. However, the flaw is a blind SQL injection, which can be exploited remotely via vulnerable plugin input or URL parameters; the likely attack vector is an unauthenticated attacker sending crafted requests to the plugin’s endpoints.