This flaw is an improper neutralization of special elements in an SQL command (CWE‑89), resulting in a blind SQL injection vulnerability in the Eleopard Behance Portfolio Manager WordPress plugin. The attacker can craft malicious input that is embedded in a database query without proper escaping, permitting unauthorized read or alteration of the underlying database. Because the vulnerability is blind, the attacker can infer data existence or table structure by observing timing or error responses, which can then lead to credential compromise, data exfiltration, or full database takeover.

The vulnerable component is the Behance Portfolio Manager plugin from Eleopard for WordPress, affecting all releases up through version 1.7.5. Users running WordPress installations with this plugin version have an exposed entry point that can be exploited remotely.

The CVSS score of 7.6 indicates a fairly high severity, but the EPSS score of less than 1% suggests a very low probability that attackers are actively targeting this flaw. The vulnerability is not listed in the CISA KEV catalog. Because the flaw allows blind SQL injection, an attacker who can send crafted HTTP requests to the plugin endpoints could potentially read sensitive data or modify database tables, depending on permissions of the underlying database user. The attack vector is likely remote, requiring access to the web application, and no local privileges are necessary. Remediation is available by upgrading the plugin.