Impact
The vulnerability is improper neutralization of special elements used in an SQL command (CWE‑89) in the NGG Smart Image Search plugin, allowing attackers to inject arbitrary SQL through crafted input in search or administrative requests. This can lead to unauthorized read, modify or delete operations on the WordPress database, compromising confidential site data. Based on the description, the attack likely involves a user submitting malicious input to the plugin’s search interface or related endpoints; however, the precise privilege level required is not specified in the advisory.
Affected Systems
The WordPress NGG Smart Image Search plugin from wpo‑HR, versions up through 3.4.1, is affected. Any WordPress site that has a vulnerable version of this plugin installed is at risk. The flaw resides in the plugin’s PHP code that builds SQL queries without proper escaping.
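The advisory names the pattern (SQL built by string concatenation in PHP) without quoting the plugin's code. The following is an added illustration, not the plugin's own source: a hypothetical search handler written the unsafe way beside the same handler using WordPress's `$wpdb->prepare()` and `$wpdb->esc_like()`. The `MinimalWpdb` stub is a constructed stand-in for the real `$wpdb` so the file runs from the PHP CLI without WordPress loaded; `vulnerable_search`, `hardened_search` and the sample input are assumptions for the demonstration.

```php
<?php
// Added example: CWE-89 in a WordPress-style search handler, unsafe vs. hardened.
// MinimalWpdb is a constructed stub mimicking the parts of $wpdb used below;
// in a real plugin you would use the global $wpdb instead.
class MinimalWpdb
{
    public string $prefix = 'wp_';

    // Mirrors wpdb::esc_like(): escapes LIKE wildcards so user text is literal.
    public function esc_like(string $text): string
    {
        return addcslashes($text, '_%\\');
    }

    // Mirrors the subset of wpdb::prepare() used here: %s becomes a quoted,
    // escaped string and %d an integer. Real wpdb::prepare() also handles %f, %i.
    public function prepare(string $query, ...$args): string
    {
        $i = 0;
        return preg_replace_callback('/%[sd]/', function (array $m) use (&$i, $args): string {
            $arg = $args[$i++];
            return $m[0] === '%d'
                ? (string) (int) $arg
                : "'" . addslashes((string) $arg) . "'";
        }, $query);
    }
}

// The defect class the advisory describes: untrusted input spliced into SQL.
function vulnerable_search(MinimalWpdb $wpdb, string $term): string
{
    // Hypothetical, deliberately unsafe: $term comes straight from the request.
    return "SELECT ID, post_title FROM {$wpdb->prefix}posts"
         . " WHERE post_title LIKE '%" . $term . "%'";
}

// Hardened form: the value is passed as a parameter, never as SQL text.
function hardened_search(MinimalWpdb $wpdb, string $term): string
{
    // esc_like() neutralises % and _ so the user cannot widen the match;
    // prepare() quotes and escapes the whole value as a single string literal.
    $like = '%' . $wpdb->esc_like($term) . '%';
    return $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->prefix}posts WHERE post_title LIKE %s",
        $like
    );
}

$wpdb = new MinimalWpdb();
// Constructed sample input: a search term containing a quote and a tautology.
$term = "cat' OR '1'='1";

echo "unsafe:   " . vulnerable_search($wpdb, $term) . PHP_EOL;
echo "hardened: " . hardened_search($wpdb, $term) . PHP_EOL;
```

Running this shows the difference the advisory turns on: in the unsafe query the quote in the input closes the string literal and the rest of the term becomes SQL, whereas in the hardened query the same input is emitted as one escaped literal (`'%cat\' OR \'1\'=\'1%'`) and matches only titles containing that text. In a real plugin the handler should also gate the request with a capability check (for example `current_user_can()`) and a nonce check (`check_ajax_referer()`), since the advisory does not state which privilege level reaches the vulnerable code path.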
Risk and Exploitability
The CVSS base score of 9.3 indicates critical severity, and the EPSS score of less than 1% suggests a low probability of exploitation at this time, though the vulnerability remains exposed wherever an unpatched version is installed. Attackers can exploit the flaw via crafted web requests to the plugin's interfaces, potentially gaining database access or modifying content. The vulnerability is not listed in CISA's KEV catalog, but the high CVSS score warrants urgent remediation.