An improperly sanitized HTTP request parameter allows an attacker to inject arbitrary SQL commands into the database engine. The affected code accepts input from external sources and places it directly into a query without escaping, resulting in a classic SQL injection flaw that can expose, modify, or delete sensitive data. With access to the database, an adversary could read confidential user information, alter site configuration, or potentially elevate privileges if the database user has administrative rights.

This vulnerability is present in the Aphotrax Uptime Robot Plugin for WordPress up to and including version 2.3. WordPress sites that have installed any released build of this plugin fall within the risk scope.

The CVSS score of 8.5 indicates a high severity flaw. The EPSS score of less than 1% suggests that widespread exploitation has not yet been observed, but the vulnerability is still actionable. Since the flaw is not listed in the CISA KEV catalog, it may not be actively leveraged by threat actors at the time of analysis. An attacker would need to deliver a crafted request, likely over HTTP or HTTPS, to the plugin endpoint that constructs the vulnerable SQL statement. The CVE description does not specify whether authentication or privilege escalation is required to exploit this vulnerability.