Impact
The vulnerability is an SQL injection flaw in the N‑Media Bulk Product Sync WordPress plugin, affecting all versions up to and including 8.6. User‑supplied input reaches a database query without being neutralized, so an attacker who can reach the affected input can append or alter SQL that the plugin then executes against the WordPress database. Depending on the query, that can expose sensitive data (for example user records and password hashes), modify or delete records, or support privilege escalation within the application. The weakness is a classic "Improper Neutralization of Special Elements used in an SQL Command" (CWE‑89).
Affected Systems
Any WordPress installation running N‑Media's Bulk Product Sync plugin at version 8.6 or earlier is affected. The vendor is N‑Media and the product is Bulk Product Sync. No specific database or operating system requirements are listed beyond the WordPress environment itself.
Risk and Exploitability
A CVSS base score of 9.3 places the flaw in the Critical range (9.0 to 10.0 under CVSS v3.x), while an EPSS score below 1% indicates that, although serious, it is not known to be widely exploited at present. The plugin does not appear in CISA's KEV catalog. The attack vector is inferred to be remote via the WordPress web interface: an attacker would send a specially crafted request to a plugin endpoint that passes user input directly into a database query. The description mentions no preconditions such as prior authentication or elevated privileges, so the flaw may be reachable by unauthenticated or low‑privilege users if they can access the relevant plugin endpoint. Administrators should verify the installed plugin version and update or disable the plugin until a fixed release is confirmed.
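The following is an added illustration of the CWE‑89 pattern described above; it is not code from the N‑Media plugin, and the table names, columns, rows and payload are constructed here for demonstration. It contrasts a product lookup that interpolates the request parameter into the SQL string with the same lookup using a bound parameter, and shows how a single crafted value turns a product endpoint into a reader of another table.

```python
"""Added example (not the plugin's code): CWE-89 in a WordPress-style
product lookup, vulnerable form beside the parameterized form."""
import sqlite3

# Constructed schema and rows. The table and column names are assumptions
# for illustration only; they are not taken from the N-Media plugin.
SCHEMA = """
CREATE TABLE wp_products (id INTEGER PRIMARY KEY, sku TEXT, name TEXT, price REAL);
CREATE TABLE wp_users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO wp_products VALUES (1, 'SKU-100', 'Widget', 9.99);
INSERT INTO wp_products VALUES (2, 'SKU-200', 'Gadget', 19.99);
INSERT INTO wp_users VALUES (1, 'admin', '$P$BhashOfAdmin');
INSERT INTO wp_users VALUES (2, 'editor', '$P$BhashOfEditor');
"""


def _connect():
    """Fresh in-memory database seeded with the constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(sku):
    """Interpolates untrusted input straight into the statement (CWE-89).

    Anything in `sku` is parsed as SQL, so a quote closes the literal and
    the rest of the value becomes part of the query.
    """
    conn = _connect()
    query = f"SELECT sku, name FROM wp_products WHERE sku = '{sku}'"
    return conn.execute(query).fetchall()


def lookup_hardened(sku):
    """Same lookup with the value bound as a parameter.

    The driver sends the value separately from the statement text, so the
    input is only ever compared as data and can never change the query.
    """
    conn = _connect()
    query = "SELECT sku, name FROM wp_products WHERE sku = ?"
    return conn.execute(query, (sku,)).fetchall()


# Constructed payload: closes the string literal, appends a UNION that
# pulls login names and password hashes through the product endpoint,
# and comments out the trailing quote the original query would add.
PAYLOAD = "x' UNION SELECT user_login, user_pass FROM wp_users -- "

if __name__ == "__main__":
    print(lookup_vulnerable("SKU-100"))   # normal use: one product row
    print(lookup_vulnerable(PAYLOAD))     # leaks the wp_users rows
    print(lookup_hardened(PAYLOAD))       # [] : payload treated as a SKU
```

In a WordPress plugin the equivalent of the hardened form is `$wpdb->prepare()` with `%s`/`%d` placeholders rather than concatenating `$_GET`/`$_POST` values into the query string. Note that escaping alone (for example quoting or stripping characters) is a weaker defence than parameterization, because it must anticipate every context in which the value is used.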