Impact
The vulnerability is a classic SQL injection flaw in the WC Vendors Marketplace plugin for WordPress. Because the plugin fails to properly neutralize special elements in an SQL command, an attacker can inject SQL that the database will execute. The flaw can be exploited in a blind fashion, potentially allowing the attacker to read, alter, or delete data stored in the underlying database. Such a compromise would affect data confidentiality and integrity, and could ultimately affect availability if the database is overloaded or corrupted. The weakness is classified as CWE-89, a common injection vulnerability.
Affected Systems
The issue impacts installations of the WCVendors WC Vendors Marketplace plugin for WordPress version 2.5.6 and earlier. Systems running any of these versions should be considered vulnerable, as the problem has been present from the initial release through the last affected version.
Risk and Exploitability
The CVSS score of 7.6 classifies the flaw as high severity, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. Although the vulnerability is not listed in the CISA KEV catalog, it remains a serious concern because a successful blind SQL injection can expose or alter sensitive data in the website's database. The attacker can typically reach the vulnerable code by sending crafted input through the plugin's web interface or REST endpoints, so any system without sufficient input filtering, a web application firewall, or least-privilege database permissions is at risk. The lack of immediate exploitation evidence does not reduce the need for corrective action, as the flaw remains present in all versions up to and including 2.5.6.
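The weakness class described above, shown as an added example that is not code from WC Vendors Marketplace or from OpenCVE: a hypothetical WordPress plugin function that concatenates a request parameter into a query, beside the same function rewritten with type coercion, $wpdb->prepare() and a REST route that validates its input before the handler runs. The table name vendor_orders, the parameter vendor_id, the route path and the capability check are assumptions made for the illustration.

```php
<?php
// Illustrative code written for this page. It is NOT taken from WC Vendors
// Marketplace and does not describe where that plugin's flaw lives. It assumes a
// hypothetical custom table {$wpdb->prefix}vendor_orders and an untrusted
// request parameter 'vendor_id'.

// Vulnerable pattern (CWE-89): untrusted input is concatenated straight into SQL.
// A quote or boolean expression in vendor_id becomes part of the statement; the
// caller only observes a count, so the flaw is exploitable blind.
function vulnerable_vendor_order_count( $request ) {
    global $wpdb;
    $vendor_id = $request['vendor_id'];
    $table     = $wpdb->prefix . 'vendor_orders';
    return (int) $wpdb->get_var(
        "SELECT COUNT(*) FROM {$table} WHERE vendor_id = '" . $vendor_id . "'"
    );
}

// Hardened pattern: coerce the value to the column's type, reject anything that
// does not survive coercion, and bind it through $wpdb->prepare() so the value
// can never be interpreted as SQL.
function safe_vendor_order_count( $request ) {
    global $wpdb;
    $vendor_id = absint( $request['vendor_id'] ?? 0 ); // non-numeric input becomes 0
    if ( 0 === $vendor_id ) {
        return 0; // refuse to query with an unexpected value
    }
    $table = $wpdb->prefix . 'vendor_orders';
    return (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE vendor_id = %d", $vendor_id )
    );
}

// Defence in depth for the REST surface: declare the argument's type, validate and
// sanitize it before the callback runs, and require a capability so the endpoint
// is not reachable by unauthenticated clients. Route name is hypothetical.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-vendors/v1', '/order-count', array(
        'methods'             => 'GET',
        'callback'            => 'safe_vendor_order_count',
        'permission_callback' => function () { return current_user_can( 'edit_posts' ); },
        'args'                => array(
            'vendor_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```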
OpenCVE Enrichment