Impact
The vulnerability is an SQL injection flaw that results from improper neutralization of special elements in SQL commands. An attacker can inject malicious SQL through the plugin’s input handling, potentially allowing unauthorized reading, modification, or deletion of database contents. The weakness is classified as CWE‑89. The CVSS score of 7.6 indicates a high severity, meaning successful exploitation would compromise confidentiality, integrity, and possibly availability of the affected site. The server‑side input is not validated, so any crafted request to the plugin’s endpoint could be used to execute arbitrary SQL code.
Affected Systems
WordPress installations running the Split Test For Elementor plugin from any version through 1.8.3 are affected. The problem resides in the "rocketelements" plugin, which is commonly used to manage split testing and A/B testing workflows within WordPress sites.
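A way to check an installation against the affected range above, as an added example that is not part of the advisory or the plugin's code: it reads the standard WordPress plugin header fields from each plugin's main file and flags copies at or below 1.8.3. The folder names, file names and the 1.10.0 version in the demo are constructed, and matching on the header name "Split Test For Elementor" is an assumption taken from the advisory text.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "split test for elementor"  # plugin name as written in the advisory
LAST_AFFECTED = (1, 8, 3)                 # "any version through 1.8.3"
# WordPress plugin header fields sit in a comment block at the top of the main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version)[ \t]*:[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_headers(php_source):
    """Return the 'plugin name' and 'version' header fields, keyed in lower case."""
    headers = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):  # WordPress reads only the first 8 KB
        headers.setdefault(key.lower(), value.strip())
    return headers

def version_tuple(text):
    """'1.8' -> (1, 8, 0); numeric parts only, so 1.10 sorts above 1.8.3."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def find_affected(plugins_dir):
    """Return (directory name, version) for each install at or below 1.8.3."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        h = parse_headers(php.read_text(encoding="utf-8", errors="replace"))
        if h.get("plugin name", "").lower() == PLUGIN_NAME and "version" in h:
            if version_tuple(h["version"]) <= LAST_AFFECTED:
                hits.append((php.parent.name, h["version"]))
    return hits

def demo():
    """Scan a constructed plugins directory (folder names and versions are made up)."""
    samples = {
        "split-test-old": ("Split Test For Elementor", "1.8.3"),
        "split-test-new": ("Split Test For Elementor", "1.10.0"),
        "other-plugin": ("Some Other Plugin", "1.0.0"),
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, (name, version) in samples.items():
            d = Path(root, folder)
            d.mkdir()
            d.joinpath("main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n", encoding="utf-8")
        return find_affected(root)

if __name__ == "__main__":
    print(demo())
```

Point `find_affected` at a site's `wp-content/plugins` directory to run it against a real installation.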
Risk and Exploitability
The EPSS score of <1% indicates a low probability of widespread exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, its moderate to high CVSS score warrants attention. Exploitation would typically occur by sending malicious payloads to the plugin’s endpoints, which may be accessible to authenticated users or even public users depending on the site’s configuration. Successful exploitation could lead to data exfiltration, data tampering, or full compromise of the site’s database.