Impact
The WordPress WPGuppy plugin contains a classic SQL injection flaw: user-supplied input is not properly escaped before it is incorporated into an SQL query. Because of this weakness, an attacker can inject arbitrary SQL statements and have them executed against the site’s database, potentially allowing data to be exfiltrated, altered, or deleted. The vulnerability is classified as CWE‑89 (improper neutralization of special elements used in an SQL command), an injection weakness that directly compromises the confidentiality, integrity, and availability of the database.
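As an added illustration of the CWE‑89 pattern the advisory describes (this is not WPGuppy's code, and the advisory does not identify the actual vulnerable endpoint or parameter): a WordPress query built by string concatenation, followed by the hardened form that binds the value through `$wpdb->prepare()`. The table name, function names and the `guppy_search` request parameter are hypothetical.

```php
<?php
// Hypothetical illustration of CWE-89 in a WordPress plugin; not WPGuppy's code.
// Assumes the WordPress runtime ($wpdb, wp_unslash, sanitize_text_field, absint).

// VULNERABLE PATTERN: the request value is concatenated straight into the SQL text,
// so whatever the client sends in ?guppy_search= becomes part of the query itself.
function guppy_find_profiles_unsafe() {
    global $wpdb;
    $term = isset( $_GET['guppy_search'] ) ? $_GET['guppy_search'] : '';
    $sql  = "SELECT id, name FROM {$wpdb->prefix}guppy_profiles WHERE name LIKE '%" . $term . "%'";
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: the value is sanitised and length-limited, LIKE wildcards in it
// are escaped, and the query is parameterised; the SQL text no longer varies with input.
function guppy_find_profiles_safe() {
    global $wpdb;
    $raw  = isset( $_GET['guppy_search'] ) ? wp_unslash( $_GET['guppy_search'] ) : '';
    $term = sanitize_text_field( $raw );
    if ( '' === $term || strlen( $term ) > 100 ) {
        return array();
    }
    // esc_like() escapes % and _ so the caller cannot widen the wildcard match;
    // prepare() then quotes and escapes the whole value bound to the %s placeholder.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}guppy_profiles WHERE name LIKE %s LIMIT %d",
        $like,
        50
    );
    return $wpdb->get_results( $sql );
}

// Numeric identifiers get the same treatment: cast with absint() and bind with %d.
function guppy_get_profile_safe( $id ) {
    global $wpdb;
    $id = absint( $id );
    if ( 0 === $id ) {
        return null;
    }
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, name FROM {$wpdb->prefix}guppy_profiles WHERE id = %d", $id )
    );
}
```

When auditing a plugin for this class of bug, the pattern to look for is any `$wpdb->query()`, `get_results()`, `get_row()` or `get_var()` call whose SQL string is built with `.` concatenation or variable interpolation of request data instead of going through `prepare()`.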
Affected Systems
This flaw affects the WPGuppy (wpguppy‑lite) plugin released by AmentoTech Private Limited, from an unspecified earliest version through all releases up to and including version 1.1.3. Any WordPress site that has this plugin installed and has not upgraded beyond version 1.1.3 is potentially affected.
Risk and Exploitability
The CVSS score of 8.5 rates this vulnerability as high severity, while the EPSS score of less than 1 % indicates a low but non-zero likelihood of exploitation at the time of analysis. The flaw is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be a web request to a plugin endpoint that accepts untrusted input, meaning an unauthenticated or low-privilege user could trigger the injection if that endpoint is publicly reachable. Successful exploitation would give the attacker direct read/write access to the underlying database.
OpenCVE Enrichment
EUVD