Impact
The reported flaw is an SQL injection vulnerability (CWE‑89) in the Salesmate.io Salesmate Add‑On for Gravity Forms. The plugin incorporates user‑supplied input into SQL statements without escaping or parameterizing it, so an attacker who controls that input can change the structure of the query and run SQL of their choosing. Depending on the affected query and the privileges of the database account, this allows data exfiltration, modification or deletion, and potentially full control of the site database.
Affected Systems
All installations of the Salesmate.io Salesmate Add‑On for Gravity Forms up to and including version 2.0.3 are affected, regardless of the active WordPress theme or any other installed plugins.
Risk and Exploitability
The flaw carries a CVSS score of 9.3, which falls in the Critical band and reflects a remotely exploitable, high‑impact weakness. The EPSS score is below 1 %, so while the vulnerability is exploitable, the estimated probability of exploitation in the wild is currently low. It is not listed in the CISA KEV catalog. An attacker triggers the flaw by submitting crafted input through a Gravity Forms form that the plugin processes; the plugin passes that input to the database without proper sanitization, and the injected SQL runs with the privileges of the database account WordPress connects with (the credentials in wp-config.php), which in a typical deployment has full rights on the site's database.