Improper neutralization of special elements in SQL commands within the PickPlugins Wishlist plugin allows an attacker to inject arbitrary SQL. This can lead to unauthorized disclosure, modification, or deletion of data stored in the WordPress site's database. The vulnerability is classified as CWE‑89: SQL Injection, and it can grant an attacker local or remote access to the site's database depending on the plugin's exposure.

The vulnerability affects WordPress sites running the PickPlugins Wishlist plugin through version 1.0.46. Any instance of the plugin at or below this version is potentially exploitable, regardless of other WordPress components or plugins. The issue originates within the Wishlist code that constructs SQL queries from user-supplied input without proper sanitization.

With a CVSS score of 8.5 the vulnerability is considered high severity. The EPSS score of less than 1% suggests a low probability of current exploitation, and it is not listed in CISA's KEV catalog. Nevertheless, the likely attack vector is via web requests that interact with the plugin’s query handling endpoints; attackers may craft requests that inject malicious SQL fragments into those requests. If exploited, the attacker could read or alter sensitive data, potentially compromising the integrity and confidentiality of the site.