Impact
An SQL Injection vulnerability exists in the WPAMS apartment-management plugin for WordPress because special elements in user-supplied input are not properly neutralized before being used in SQL commands, a flaw categorized as CWE-89. It allows an attacker to inject arbitrary SQL statements into the plugin's database queries, potentially leading to unauthorized disclosure, modification, or deletion of data. Because the description states only that the issue allows SQL Injection, the safe reading is that a successful exploit could give the attacker extensive control over database content and compromise the confidentiality, integrity, and availability of the application's data.
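As an added illustration, not code from the WPAMS plugin, the following hypothetical WordPress plugin handler shows the CWE-89 pattern the advisory describes (request input concatenated into a query) beside the corrected version that binds the value with `$wpdb->prepare()`; the table, parameter, function and hook names are assumptions.

```php
<?php
// Hypothetical example, not WPAMS code: a plugin handler that lists apartments
// for a building id taken from the request. Table/parameter names are assumed.

// Vulnerable pattern (CWE-89): the request value is spliced straight into SQL,
// so any quote or operator it contains becomes part of the query's syntax.
function wpams_demo_apartments_vulnerable( $building ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wpams_apartments';                // assumed table name
    $sql   = "SELECT id, unit_no FROM {$table} WHERE building = '" . $building . "'";
    return $wpdb->get_results( $sql );                          // $building never neutralized
}

// Hardened version: $wpdb->prepare() escapes and quotes the value for the %s
// placeholder, so it can only be interpreted as data, never as SQL syntax.
// (Identifiers such as the table name cannot be placeholders; keep them constant.)
function wpams_demo_apartments_safe( $building ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wpams_apartments';
    $sql   = $wpdb->prepare(
        "SELECT id, unit_no FROM {$table} WHERE building = %s",
        $building
    );
    return $wpdb->get_results( $sql );
}

// Request boundary: unslash and sanitize the raw input, reject empty values,
// and hand the result only to the prepared query.
function wpams_demo_handle_request() {
    $raw      = isset( $_GET['building'] ) ? wp_unslash( $_GET['building'] ) : '';
    $building = sanitize_text_field( $raw );
    if ( '' === $building ) {
        wp_send_json_error( 'missing building parameter', 400 );
    }
    wp_send_json_success( wpams_demo_apartments_safe( $building ) );
}

// Assumed AJAX hook name; a real plugin would also add a capability/nonce check here.
add_action( 'wp_ajax_wpams_demo_list', 'wpams_demo_handle_request' );
```

When reviewing a plugin for this class of bug, grep for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose SQL string is built by concatenation or interpolation of request data without a surrounding `$wpdb->prepare()`.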
Affected Systems
The affected plugin is WPAMS apartment-management for WordPress, from its initial release through version 44.0, released 17-08-2023. Any WordPress site running version 44.0 or any earlier release of the plugin is vulnerable.
Risk and Exploitability
The CVSS score of 9.3 reflects a very high severity. The EPSS score of less than 1% indicates that, at the time of analysis, exploitation attempts are rare or low-probability, but the potential impact remains significant. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is crafted input supplied to the plugin's interface; no authentication prerequisites are detailed, so it is prudent to treat the vulnerability as exploitable by any attacker who can interact with the plugin's functionality.
OpenCVE Enrichment