Impact
The vulnerability is an SQL injection flaw in Miguel Useche’s JS Archive List WordPress plugin. Improper handling of user input results in unsanitized data being concatenated into SQL statements, enabling attackers to read, modify, or delete database contents. The potential impact includes loss of confidentiality and integrity of site data, as well as possible lateral movement if the database holds additional sensitive information.
Affected Systems
All WordPress installations running Miguel Useche's JS Archive List plugin at a version older than 6.1.6 are affected. The issue exists from the earliest release through every version before 6.1.6.
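To check a site against this version range, the following added example (not code from the plugin or from this advisory) reads WordPress plugin file headers under a `wp-content/plugins` directory and flags copies of the plugin older than 6.1.6. It assumes the plugin's `Plugin Name:` header contains "JS Archive List"; the sample header and the function names are constructed for illustration.

```python
import re
from pathlib import Path

FIXED = (6, 1, 6)                # first fixed version, per the advisory
PLUGIN_NAME = "JS Archive List"  # assumption: appears in the "Plugin Name:" header

HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.I | re.M)

# Constructed sample header, not copied from the real plugin.
SAMPLE = "<?php\n/*\n * Plugin Name: JS Archive List\n * Version: 6.1.5\n */\n"

def parse_header(text):
    """Extract 'plugin name' and 'version' from a plugin file's header comment."""
    fields = {}
    for key, value in HEADER.findall(text[:8192]):  # WordPress reads only the first 8 KB
        fields.setdefault(key.lower(), value)       # first occurrence wins
    return fields

def version_tuple(version):
    """'6.1.5-beta' -> (6, 1, 5): keep the leading numeric components only."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def is_affected(text):
    """True: affected. False: fixed or a different plugin. None: version unreadable."""
    fields = parse_header(text)
    if PLUGIN_NAME.lower() not in fields.get("plugin name", "").lower():
        return False
    version = version_tuple(fields.get("version", ""))
    if not version:
        return None  # plugin present but version unknown: review by hand
    return version < FIXED

def scan(plugins_dir):
    """Return [(path, verdict)] for plugin files that are affected or unreadable."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        verdict = is_affected(php.read_text(errors="replace"))
        if verdict is not False:
            findings.append((str(php), verdict))
    return findings

if __name__ == "__main__":
    print(is_affected(SAMPLE))
```

A `None` verdict means the plugin was found but its version could not be read, so that copy should be treated as affected until checked by hand.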
Risk and Exploitability
The CVSS score of 9.3 marks this issue as critical; the EPSS score of less than 1% indicates a low but non-zero likelihood of exploitation. It is not listed in CISA’s KEV catalog, suggesting no large-scale documented attacks. Based on the description, it is inferred that attackers can reach the flaw by sending malicious parameters in web requests to the plugin’s endpoints, and that no special local privileges are required. The vulnerability can be exploited remotely through a browser, or by any client that can submit data in the post requests that the plugin handles.