The vulnerability is a classic SQL injection flaw that occurs when the plugin fails to properly neutralize special characters in user-supplied input before incorporating them into an SQL statement. This weakness (CWE‑89) allows an attacker to inject arbitrary SQL code, potentially gaining read or write access to the database and exposing sensitive information or altering data. The impact is the compromise of data confidentiality and integrity, with the theoretical possibility of further exploitation if the database contains privileged data or stored procedures. The flaw is identified as CWE-89, representing improper neutralization of SQL command elements.

The issue affects the Pantherius Modal Survey WordPress plugin up to and including version 2.0.2.0.1. All installations of this plugin that have not been patched beyond that revision are vulnerable.

The CVSS score of 9.3 reflects a very high severity, underscoring the risk to data integrity and confidentiality. The EPSS score of less than 1% indicates that publicly available exploitation is unlikely, but the explosive potential of the flaw means that once discovered an attacker could launch a targeted attack. The vulnerability is not presently listed in CISA’s KEV catalog, meaning no confirmed widespread exploitation has been reported yet. An attacker would likely trigger the flaw via a crafted HTTP request to the plugin’s form handling endpoint, exploiting the lack of input sanitization. Because the CVE description does not explicitly state the entry point, the attack vector is inferred from the described behavior and typical plugin architecture.