Impact
The vulnerability in miniOrange Custom API for WP arises from improper neutralization of special elements used in an SQL command. The plugin builds database queries that incorporate user input without adequate sanitization, resulting in a classic SQL injection flaw (CWE-89). An attacker can supply crafted input to inject arbitrary SQL statements, potentially accessing, modifying, or deleting database data. The consequences include loss of confidentiality, data integrity, and potentially availability if the database is corrupted.
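The pattern described above, as an added illustration that is not the plugin's own code: a hypothetical WordPress REST endpoint that looks up rows by a client-supplied value, shown first in the injectable form (user input concatenated into the query) and then hardened with validation, $wpdb->prepare() placeholders and an explicit permission_callback. The route name, table, parameter name and capability are assumptions for the example.

```php
<?php
/**
 * Added illustration (not the plugin's code): a hypothetical WordPress REST
 * endpoint that looks up posts by a client-supplied value, first in the
 * injectable form the advisory describes (CWE-89), then hardened.
 * Route name, table, parameter name and capability are assumptions.
 */

// --- Vulnerable pattern: user input concatenated straight into SQL. ---
function example_lookup_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $name = $request->get_param( 'name' ); // attacker-controlled string

    // The surrounding quotes do not help: a value containing a quote closes
    // the literal and the remainder of the input is parsed as SQL.
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = '" . $name . "'";
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// --- Hardened form: validate, then bind with $wpdb->prepare(). ---
function example_lookup_hardened( WP_REST_Request $request ) {
    global $wpdb;

    // 1. Validate early. Sanitizing to the expected character set shrinks the
    //    input space; the placeholder binding below is what prevents injection.
    $name = sanitize_title( (string) $request->get_param( 'name' ) );
    if ( '' === $name ) {
        return new WP_Error( 'rest_invalid_param', 'name is required', array( 'status' => 400 ) );
    }

    // 2. Bind with placeholders. prepare() escapes the value and keeps it a
    //    string literal, so it cannot alter the structure of the query.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = %s LIMIT %d",
        $name,
        20
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// 3. Register the route with an explicit permission_callback. The advisory
//    notes that no authentication requirement was described; an endpoint that
//    reaches the database should state its access policy instead of relying
//    on '__return_true'. The capability chosen here is an assumption.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/lookup', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_lookup_hardened',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args' => array(
            'name' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_title',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 200;
                },
            ),
        ),
    ) );
} );
```

When reviewing a plugin for this class of flaw, the thing to look for is any $wpdb->query(), get_results(), get_var() or get_row() call whose SQL string is built with concatenation or interpolation of request data; each such call should either go through $wpdb->prepare() with %s/%d/%f placeholders or be rewritten against a higher-level API such as WP_Query. The permission_callback is a separate control: it limits who can reach the endpoint at all, which matters when, as here, the description lists no authentication requirement.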
Affected Systems
The affected product is the miniOrange Custom API for WP plugin for WordPress. Versions from the earliest release through 4.2.2 are vulnerable, as indicated by the range "n/a through <= 4.2.2." No specific build suffixes or minor revisions were listed, so any release up to and including 4.2.2 may contain the flaw.
Risk and Exploitability
The CVSS score of 9.3 classifies the flaw as critical, while the EPSS score of <1% shows that, at the time of analysis, the probability of exploitation is very low but not zero. The vulnerability is not in the CISA KEV list. Because the plugin exposes API endpoints that are accessible to the public web, the likely attack vector is a remote attacker sending a malicious request to the custom API URL. No authentication requirement is mentioned in the description, so an unauthenticated attacker can craft the exploit. Given the high severity and the remote nature of the attack, administrators should treat this as an urgent threat.