The vulnerability is an SQL Injection flaw caused by improper neutralization of special elements in an SQL command within the SuitePlugins Video & Photo Gallery for Ultimate Member plugin. Exploitation could allow an attacker to execute arbitrary SQL statements, potentially reading confidential data, modifying records, or inserting malicious content into the database. The damage extends to data integrity, confidentiality, and could indirectly facilitate further privilege escalation if the database holds authentication or configuration information.

Any WordPress site that has installed SuitePlugins Video & Photo Gallery for Ultimate Member plugin version 1.1.3 or earlier. The affected component is the plugin, which integrates with the standard WordPress installation and executes SQL queries based on user input to display galleries.

The CVSS score of 7.6 indicates a high severity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild at present. Since the vulnerability is not listed in the CISA KEV catalog, there is no evidence of widespread active exploitation. The likely attack vector is through the web interface of the vulnerable plugin, where untrusted user-supplied data is sent to the database without proper sanitization. An attacker would need to supply crafted input via the plugin’s endpoints and has no prerequisite requirement beyond access to the site’s public URL.