The Duplicate Title Checker plugin for WordPress contains a flaw that allows an attacker to embed arbitrary SQL code into a database query by supplying unsanitized input. This results in a blind SQL injection, meaning an attacker can infer information about the database state through the success or failure of crafted queries. The CVE description does not explicitly state what data can be accessed or modified, only that the injection is possible.

All WordPress installations that include the ketanajani Duplicate Title Checker plugin with a version of 1.2 or earlier are affected. Site owners should verify the plugin version and, if it is 1.2 or below, upgrade or remove the plugin.

The CVSS score of 8.5 indicates a high severity, while the EPSS score of less than 1 % shows a low but nonzero chance of exploitation. The vulnerability has not been listed in the CISA KEV catalog. The likely attack vector is inferred from the description as a remote attacker sending crafted HTTP requests to the plugin’s input endpoint. Because the injection is blind, the attacker would need to deduce database contents or state through indirect responses, which can still allow unauthorized data retrieval or database manipulation if successfully executed.