Impact
The vulnerability arises from an improper neutralization of special characters in SQL commands, allowing an attacker to inject malicious SQL statements through the WP Text Expander plugin. This flaw is a classic SQL Injection weakness (CWE-89) that can lead to unauthorized reading of database tables, data tampering, or credential theft by exploiting the database connection used by the plugin. The plugin’s lack of input validation permits attackers to embed arbitrary SQL directly into requests, potentially compromising all data stored in the vulnerable WordPress installation.
Affected Systems
Affected products include the WP Text Expander plugin developed by Andrei Filonov, specifically versions from the initial release through version 1.0.1 inclusive. Any WordPress site that has installed or is running any of these plugin versions is impacted. No additional vendor or product versions are listed.
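A defender-side check for the affected range stated above, as an added example (not code from the advisory or from the plugin): it reads WordPress plugin header comments under a plugins directory and flags copies of WP Text Expander at or below 1.0.1. It assumes the plugin's `Plugin Name` header matches the product name given here; the directory and file names in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "wp text expander"   # product name from the advisory, lowercased (assumed header value)
LAST_AFFECTED = (1, 0, 1)          # advisory: initial release through 1.0.1 inclusive
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*)$", re.I | re.M)

def read_header(php_file):
    """Parse 'Plugin Name' and 'Version' from the first 8 KiB of a PHP file."""
    head = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value.strip())   # first occurrence wins
    return fields

def parse_version(text):
    """'1.0.1-beta' -> (1, 0, 1); trailing zeros dropped so 1.0.1.0 equals 1.0.1."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group().split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def classify(version_text):
    version = parse_version(version_text or "")
    if version is None:
        return "unknown"   # no usable Version header: review by hand
    return "affected" if version <= LAST_AFFECTED else "not listed"

def scan(plugins_dir):
    """Return [(relative path, version text, status)] for each matching plugin file."""
    root, hits = Path(plugins_dir), []
    for php in sorted(list(root.glob("*.php")) + list(root.glob("*/*.php"))):
        fields = read_header(php)
        if fields.get("plugin name", "").lower() == PLUGIN_NAME:
            version = fields.get("version", "")
            hits.append((php.relative_to(root).as_posix(), version, classify(version)))
    return hits

def demo():
    """Build a constructed plugin tree (made-up folder names) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in (("copy-a", "1.0.1"), ("copy-b", "1.0"), ("copy-c", "1.1")):
            target = Path(tmp, name, "plugin.php")
            target.parent.mkdir()
            target.write_text(f"<?php\n/*\n * Plugin Name: WP Text Expander\n * Version: {ver}\n */\n")
        return scan(tmp)
```

Point `scan()` at a site's `wp-content/plugins` directory. A status of "not listed" means only that the advisory names no versions above 1.0.1, not that a fix is confirmed.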
Risk and Exploitability
The CVSS score of 7.6 classifies the vulnerability as high severity, while the EPSS score indicates a very low exploitation probability (< 1%). The issue is not listed in CISA’s KEV catalog, suggesting no known active exploitation. Attackers would need to find a way to send crafted requests to the plugin’s interface (likely via a public-facing web form or endpoint). Once successful, the attacker could read or manipulate database content, breaching the confidentiality and potentially the integrity of stored data.