This vulnerability arises from a failure to properly neutralize special characters used in SQL commands, a classic SQL Injection flaw (CWE‑89). The flaw allows an attacker to inject arbitrary SQL statements through vulnerable input fields. If exploited, the attacker could read sensitive data from the database, modify records, or in the worst case execute administrative functions, compromising confidentiality, integrity, and potentially availability of the site.

The plugin affected is the WordPress Wp tabber widget version 4.0 and earlier. The vulnerability exists from the earliest releases through 4.0, so any WordPress installation that has not updated beyond 4.0 and that uses the plugin is susceptible.

The CVSS score of 8.5 classifies the vulnerability as high severity, indicating that an attacker could achieve full read/write access if successful. The EPSS score of less than 1% suggests that, at the time of assessment, exploitation is unlikely to be seen in the wild, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be local to the web application—an attacker can reach the vulnerable input via the public website, assuming the plugin exposes injectable parameters without proper authentication checks.