Impact
The flaw is an improper neutralization of special elements used in an SQL command: input handled by the CleverReach WP plugin reaches the WordPress database query without being neutralized, which permits an attacker to inject arbitrary SQL. This can lead to unauthorized reading or modification of database contents, potentially exposing sensitive data or corrupting the site's integrity. The weakness is categorized as CWE-89, a classic SQL injection vulnerability.
Affected Systems
WordPress sites that have the CleverReach WP plugin installed at version 1.5.20 or earlier are affected. The plugin is distributed by CleverReach and operates within the WordPress environment, so any site running one of these versions should be treated as exposed while the vulnerability remains exploitable.
Risk and Exploitability
The CVSS score of 9.3 places the issue in the critical severity range, indicating that exploitation could have far-reaching consequences. The EPSS score of below 1% suggests that, as of now, the estimated probability of exploitation is very low, and the vulnerability is not listed in the CISA KEV catalog. The official description does not state an authentication requirement, so the attack is inferred to be feasible without prior user credentials; the most likely attack vector is an HTTP request that reaches the vulnerable plugin code, though the CVE entry does not detail the exact mechanism.
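To make the CWE-89 pattern from the Impact section and the unauthenticated-reach concern above concrete, here is an added illustration written for this page, not code from the CleverReach WP plugin: a hypothetical WordPress request handler that concatenates request input into SQL, beside the same handler using `$wpdb->prepare()` and a capability check. The table name and query parameter are assumptions.

```php
<?php
// Added example, not CleverReach WP code. Table name and the 'email'
// parameter are hypothetical; the WordPress APIs used are real.

// Vulnerable (CWE-89): the request value is interpolated straight into the
// SQL text, so the database cannot distinguish data from query structure.
// If this handler is reachable through an unauthenticated route, no
// credentials are needed to reach the query.
function example_lookup_subscriber_unsafe() {
    global $wpdb;
    $email = isset( $_GET['email'] ) ? $_GET['email'] : '';
    $table = $wpdb->prefix . 'example_subscribers';   // hypothetical table
    $sql   = "SELECT id, status FROM {$table} WHERE email = '" . $email . "'";
    return $wpdb->get_row( $sql );
}

// Hardened: the caller must be an authenticated user with a capability,
// the input is unslashed, sanitized and validated, and the value is bound
// through $wpdb->prepare() so it can never alter the query structure.
// The table name comes from $wpdb->prefix, never from user input.
function example_lookup_subscriber_safe() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        return null;                                   // deny by default
    }
    $email = isset( $_GET['email'] )
        ? sanitize_email( wp_unslash( $_GET['email'] ) )
        : '';
    if ( ! is_email( $email ) ) {
        return null;                                   // reject malformed input
    }
    $table = $wpdb->prefix . 'example_subscribers';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, status FROM {$table} WHERE email = %s", $email )
    );
}
```

When auditing a plugin for this class of flaw, search for `$wpdb->query`, `get_row`, `get_results` and `get_var` calls whose SQL string is built with `.` or `{$...}` from anything derived from `$_GET`, `$_POST` or `$_REQUEST` without passing through `$wpdb->prepare()`.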
OpenCVE Enrichment