Impact
The UberSlider plugin for WordPress contains an improper neutralization of special elements used in an SQL command, that is, a SQL injection flaw (CWE-89). User-supplied input reaches a database query without being properly escaped or parameterized, so an attacker can craft input that changes the structure of the query rather than being treated purely as data. A successful exploit can allow the attacker to read, modify, or delete arbitrary data in the WordPress database, not just the plugin's own tables, which can lead to site defacement, credential theft, or further compromise of the underlying server environment.
Affected Systems
Affected systems are WordPress installations running the UberSlider plugin by LambertGroup, in every version prior to 2.6. The affected range is given as "from n/a through < 2.6", so any deployment running a 2.5.x or earlier release of the plugin is vulnerable. Administrators should check the installed version (the "Version:" line of the plugin header or the Plugins screen in the WordPress admin) rather than rely on the site having been updated recently.
Risk and Exploitability
According to the CVSS scoring, the vulnerability has a base score of 8.5 (High). The EPSS score of less than 1% indicates that exploitation in the wild is currently assessed as unlikely, and the vulnerability is not listed in the CISA KEV catalog; note that EPSS is re-estimated over time and can rise once a public exploit or scanner signature appears. The CVSS vector is not reproduced here. From how WordPress plugins typically expose their functionality it is reasonable to infer that the attack is carried out remotely via web input and may not require authentication, but this is an inference, not a stated fact. Because the injected input reaches SQL statements that run under the privileges of the WordPress database account, a successful attacker can read or alter any table that account can reach, including user accounts and password hashes; no elevated privileges within the web application itself are needed beyond whatever is required to reach the vulnerable code path.
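The two passages above describe the mechanism (untrusted input interpolated into a query) and the consequence (reading data well outside the plugin's own tables). The following is an added example written for this page, not code from UberSlider or LambertGroup: it models a plugin-style "fetch a slider by id" lookup against a constructed in-memory SQLite stand-in for a WordPress database (the wp_uberslider table and its columns are assumptions; wp_users and its ID/user_login/user_pass columns match the real WordPress schema). The vulnerable variant concatenates the id into the statement and a UNION payload pulls back the admin password hash; the safe variant coerces the id to an integer and binds it as a parameter, which is what $wpdb->prepare("... WHERE id = %d", $id) does in WordPress.

```python
import sqlite3

# Constructed stand-in for a WordPress database. wp_uberslider is a
# hypothetical plugin table; wp_users mirrors the real WordPress table.
SCHEMA = """
CREATE TABLE wp_uberslider (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO wp_uberslider VALUES (1, 'Homepage slider');
INSERT INTO wp_uberslider VALUES (2, 'Product slider');
INSERT INTO wp_users VALUES (1, 'admin', '$P$BconstructedHashValue');
"""

# Classic UNION-based read. It needs no quote characters, so a filter that
# only strips quotes or applies addslashes() would not stop it.
UNION_PAYLOAD = "1 UNION SELECT user_login, user_pass FROM wp_users"


def make_db() -> sqlite3.Connection:
    """Create the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_slider_vulnerable(conn: sqlite3.Connection, slider_id: str):
    """CWE-89: the request parameter is concatenated straight into the SQL.

    Whatever the attacker sends becomes part of the statement text, so the
    query's structure, not just its data, is under attacker control.
    """
    sql = "SELECT id, title FROM wp_uberslider WHERE id = " + slider_id
    return conn.execute(sql).fetchall()


def get_slider_safe(conn: sqlite3.Connection, slider_id: str):
    """Hardened lookup: validate the type, then bind the value as a parameter.

    The integer coercion mirrors the %d placeholder of $wpdb->prepare(); the
    '?' binding sends the value to the engine separately from the statement
    text, so it can never be parsed as SQL.
    """
    try:
        id_value = int(slider_id)
    except ValueError:
        return []  # reject anything that is not a plain integer id
    return conn.execute(
        "SELECT id, title FROM wp_uberslider WHERE id = ?", (id_value,)
    ).fetchall()


def demo():
    """Run both lookups with a benign id and with the UNION payload."""
    conn = make_db()
    return {
        "vuln_benign": get_slider_vulnerable(conn, "1"),
        "vuln_payload": get_slider_vulnerable(conn, UNION_PAYLOAD),
        "safe_benign": get_slider_safe(conn, "1"),
        "safe_payload": get_slider_safe(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

In the vulnerable path the payload returns the legitimate slider row plus an ('admin', '<hash>') row taken from wp_users, which is exactly the cross-table read the Impact section warns about. In the safe path the same payload is rejected before the query runs, and even a value that passed validation could only ever be compared as data. On a real site the equivalent check is to grep the plugin for $wpdb->query / get_results / get_row calls whose SQL is built with string interpolation instead of $wpdb->prepare().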
OpenCVE Enrichment