The vulnerability arises from the Revy WordPress plugin's failure to properly escape user-controlled input before incorporating it into SQL statements, allowing attackers to inject arbitrary SQL commands. This flaw, categorized as CWE-89, can enable unauthorized database access, data exfiltration, and modification, potentially compromising the confidentiality, integrity, and availability of site data. The CVE notes that the issue affects all Revy releases up to and including version 2.1. The description does not detail symptoms, but any execution of injected SQL could result in data leakage, credential theft, or full site compromise. Attackers would need to supply crafted input, typically through web forms or URL parameters, to exploit the flaw.

Affected by this vulnerability are installations of the RoninWP Revy plugin running version 2.1 or earlier. The plugin is a WordPress add‑on that provides certain functionalities; users who have not upgraded beyond the stated version are at risk. No additional third‑party components are identified as affected within the provided data.

The CVSS 8.5 score indicates a high severity level, while the EPSS score of less than 1% suggests a low probability of current exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, implying no widespread confirmed exploitation. Based on the description, the likely attack vector is remote, via standard HTTP requests to the WordPress site where the plugin processes input. An attacker would need valid authentication or a user session to submit the malicious payload, but the vulnerability itself can be triggered without elevated privileges if the plugin processes publicly accessible input fields.