Impact
The vulnerability is an SQL injection flaw caused by improper handling of user input within the Learts Addons plugin. Attackers can inject malicious SQL through vulnerable parameters, allowing them to read, modify, or delete data stored in the WordPress database. The defect is mapped to CWE‑89, and the impact extends to database integrity and confidentiality for any site using the affected plugin, potentially compromising user accounts, posts, or configuration data.
Affected Systems
The flaw affects all installations of the ThemeMove Learts Addons plugin before version 1.7.5. WordPress sites that have installed any earlier version of this plugin are vulnerable. The vendor/product listing indicates only the ThemeMove Learts Addons plugin is impacted; no other WordPress components are listed.
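To check a site against the version boundary above, the following added example (not from the advisory or the vendor) scans a `wp-content/plugins` directory for the plugin and flags versions before 1.7.5. It assumes the plugin's main file declares `Plugin Name: Learts Addons` in its header; the directory and file names in the sample tree are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (1, 7, 5)      # first fixed release, per the advisory
PLUGIN_NAME = "learts addons"  # assumption: matched against the "Plugin Name:" header
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$", re.I | re.M)

def read_header(php_text):
    """Return {'plugin name': ..., 'version': ...} from a plugin file's header comment."""
    fields = {}
    for key, value in HEADER_RE.findall(php_text[:8192]):  # WordPress reads the first 8 KiB
        fields.setdefault(key.lower(), value.strip())
    return fields

def parse_version(text):
    """'1.7.4-beta' -> (1, 7, 4); missing parts count as 0; None if unparsable."""
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version_text):
    """True when the version is before 1.7.5; unparsable versions are flagged for review."""
    v = parse_version(version_text)
    return v is None or v < FIXED_VERSION

def audit(plugins_dir):
    """Scan <plugins_dir>/*/*.php and return [(path, version, affected)]."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php.read_text(encoding="utf-8", errors="replace"))
        if PLUGIN_NAME in header.get("plugin name", "").lower():
            version = header.get("version", "")
            findings.append((str(php), version, is_affected(version)))
    return findings

def demo():
    """Constructed sample tree; directory and file names are made up."""
    with tempfile.TemporaryDirectory() as root:
        for slug, version in (("site-a-plugin", "1.7.4"), ("site-b-plugin", "1.7.5")):
            d = Path(root, slug)
            d.mkdir()
            (d / "main.php").write_text(f"<?php\n/**\n * Plugin Name: Learts Addons\n * Version: {version}\n */\n")
        return [(v, bad) for _, v, bad in audit(root)]

if __name__ == "__main__":
    print(demo())
```

On a real host, call `audit()` with the site's plugins directory; a missing or unparsable `Version:` header is reported as affected so it gets a manual look.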
Risk and Exploitability
The CVSS score of 9.3 denotes critical severity. The EPSS score of <1% suggests a very low likelihood of exploitation at the time of the assessment, and the vulnerability is not currently documented in the CISA KEV catalog. Nonetheless, the power of SQL injection to compromise a database means that if an attacker can reach the vulnerable endpoint, they could gain persistent access. The attack vector is inferred to be remote, requiring the attacker to craft a malicious request that reaches the plugin’s SQL processing code, which is typically exposed via public web pages of the WordPress site.