Impact
The flaw is a Cross-Site Request Forgery (CSRF) that leads to SQL injection. The plugin's endpoints accept a request without verifying that it was intentionally submitted by the logged-in user (no CSRF token or nonce check), and the input from that request is placed directly into a database query without proper sanitization or parameterization. An attacker therefore needs no account of their own: it is enough to lure a logged-in user who can reach the plugin's functionality into loading an attacker-controlled page that submits the forged request, and the victim's browser attaches the session cookie. The injected SQL runs with the database privileges of the WordPress installation, so it can expose, modify, or delete data stored by the site, corrupt backups managed by the plugin, and undermine the integrity of the site's database.
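The pattern described above, as an added illustration that is not the plugin's own code: a hypothetical WordPress admin-post handler that accepts a POSTed fragment and interpolates it into a query with no nonce check, beside a hardened version that verifies the nonce, checks capability, restricts identifiers to an allow-list and binds values with `$wpdb->prepare()`. The hook names, the `ezx_` prefix, and the field names are assumptions made for the example; only the WordPress API calls are real.

```php
<?php
// Added illustration, not code from the Eli EZ SQL Reports plugin.
// Handler names, field names and the 'ezx_' prefix are hypothetical.

// --- Vulnerable pattern: no CSRF token, no capability check, raw input in SQL ---
add_action( 'admin_post_ezx_run_report_vuln', 'ezx_run_report_vuln' );
function ezx_run_report_vuln() {
    global $wpdb;
    // A cross-site POST forged from a logged-in user's browser lands here:
    // admin_post_* fires for any authenticated user, nothing proves intent,
    // and the WHERE clause is attacker-controlled SQL.
    $where = $_POST['where'];
    $rows  = $wpdb->get_results( "SELECT ID, post_title FROM {$wpdb->posts} WHERE {$where}" );
    wp_send_json( $rows );
}

// --- Hardened pattern: nonce + capability + allow-listed column + prepared statement ---
add_action( 'admin_post_ezx_run_report', 'ezx_run_report' );
function ezx_run_report() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce minted for this action and this user.
    //    check_admin_referer() calls wp_die() on a missing or expired nonce.
    check_admin_referer( 'ezx_run_report', 'ezx_nonce' );

    // 2. Authorization: the nonce proves intent, not privilege, so check both.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // 3. Identifiers cannot be bound as parameters; restrict them to a fixed allow-list.
    $allowed_columns = array( 'post_status', 'post_type' );
    $column = sanitize_key( wp_unslash( $_POST['column'] ?? '' ) );
    if ( ! in_array( $column, $allowed_columns, true ) ) {
        wp_die( 'Invalid column', '', array( 'response' => 400 ) );
    }

    // 4. Values are bound with $wpdb->prepare(): %s is escaped and quoted, %d cast to int.
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    $sql   = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE {$column} = %s LIMIT %d",
        $value,
        100
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}

// The legitimate form embeds the matching nonce; a page on another origin cannot obtain it.
function ezx_report_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ezx_run_report">
        <?php wp_nonce_field( 'ezx_run_report', 'ezx_nonce' ); ?>
        <select name="column">
            <option value="post_status">post_status</option>
            <option value="post_type">post_type</option>
        </select>
        <input type="text" name="value">
        <button type="submit">Run</button>
    </form>
    <?php
}
```

The two controls address two different failures: the nonce stops a third-party page from driving the endpoint through a victim's session, and the prepared statement stops whatever reaches the endpoint from being interpreted as SQL. Fixing only one of them leaves the other half of this CVE's attack chain in place.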
Affected Systems
The Eli EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is affected in all versions up to and including 5.25.08. Any installation running 5.25.08 or an earlier release should be treated as vulnerable; the installed version can be read from the plugin's Version header or the Plugins screen in the WordPress dashboard.
Risk and Exploitability
The CVSS score of 8.2 indicates a high-severity vulnerability, while the EPSS score of less than 1% suggests a low but non-zero probability of exploitation in the wild. The CVE is not listed in the CISA KEV catalog, which means no confirmed in-the-wild exploitation has been recorded there; it does not by itself rule out the existence of public exploit code. The attack vector is a forged request: the attacker needs no privileges of their own, but does need a logged-in user with access to the plugin's functionality to load an attacker-controlled page or link while their session is active, so user interaction is required. The risk is elevated by the direct impact on database integrity and on the backups the plugin manages, while the low EPSS indicates that active exploitation is currently unlikely. Updating the plugin promptly and monitoring for new exploit code remain recommended.