Impact
Improper Neutralization of Special Elements used in an SQL Command allows an attacker to inject arbitrary SQL via a vulnerable input in the WP Featured Entries plugin. This injection flaw, identified as CWE-89, enables a malicious actor to read, modify, or delete data stored in the WordPress database, potentially leading to data loss, credential theft, or other compromises of confidentiality and integrity. The vulnerability is limited to the plugin’s database interactions and does not grant system-wide privileges.
Affected Systems
The Jahertor WP Featured Entries plugin for WordPress, specifically versions 1.0 and any earlier releases, is affected. No additional version constraints are stated, so all releases up to and including 1.0 are considered vulnerable.
Risk and Exploitability
The CVSS score of 8.5 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present; the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote, via an exposed input field in the plugin’s front-end or administrative interface. Authenticated administrative access may be required to exercise the injection, but the description does not explicitly state this requirement. Once exploited, an attacker can manipulate database content, which can compromise site integrity and expose sensitive data.
OpenCVE Enrichment