Impact
Improper Neutralization of Special Elements used in an SQL Command, commonly referred to as an SQL injection vulnerability, allows an attacker to inject malicious SQL statements into the plugin’s database queries. If successful, the attacker can read sensitive data, modify or delete database records, and potentially elevate privileges at the database level. The vulnerability is present in the LambertGroup Image&Video FullScreen Background plugin for WordPress.
Affected Systems
The vulnerability affects all releases of the LambertGroup Image&Video FullScreen Background plugin for WordPress up to and including version 1.6.7. This includes installations that have not yet applied the patch contained in later releases.
Risk and Exploitability
With a CVSS score of 8.5, this is considered high severity. The EPSS score of less than 1% indicates a low probability of exploitation in the near term, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves manipulating the plugin’s input endpoints; this may or may not require authenticated access, but generally targets the plugin’s administrative or content‑creation interfaces. Successful exploitation requires the attacker to supply crafted input that reaches the plugin’s SQL queries without being neutralized, leading to unauthorized database access.
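The following is an added illustration, not the plugin’s own code, of the CWE-89 pattern this advisory describes and of the WordPress-native remediation ($wpdb->prepare() with typed placeholders, $wpdb->esc_like() for LIKE clauses, and capability and nonce checks on the handler). The table name, function names, AJAX action and request parameters are hypothetical.

```php
<?php
// Added illustration (not the plugin's code): the CWE-89 pattern behind this
// advisory and its fix using WordPress' $wpdb->prepare(). Table, function,
// action and parameter names are hypothetical.

// Vulnerable shape: request input is concatenated straight into the SQL
// string, so the value is parsed as part of the statement instead of as data.
function ivfb_demo_get_slide_unsafe( $slide_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ivfb_slides';   // hypothetical table
    $sql   = "SELECT * FROM {$table} WHERE id = " . $slide_id;
    return $wpdb->get_row( $sql );
}

// Hardened shape: every untrusted value goes through $wpdb->prepare() with a
// typed placeholder (%d, %s, %f), so the value can never alter the statement.
function ivfb_demo_get_slide_safe( $slide_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ivfb_slides';   // hypothetical table
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", absint( $slide_id ) );
    return $wpdb->get_row( $sql );
}

// LIKE clauses also need $wpdb->esc_like(): prepare() escapes quotes but not
// the LIKE wildcards % and _, which would otherwise widen the match.
function ivfb_demo_search_slides_safe( $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ivfb_slides';   // hypothetical table
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    $sql   = $wpdb->prepare( "SELECT id, title FROM {$table} WHERE title LIKE %s", $like );
    return $wpdb->get_results( $sql );
}

// admin-ajax handler: nonce and capability check first, then sanitised input
// into the prepared query. Hook and nonce action names are hypothetical.
function ivfb_demo_ajax_search() {
    check_ajax_referer( 'ivfb_demo_search', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $term = sanitize_text_field( wp_unslash( $_POST['term'] ?? '' ) );
    wp_send_json_success( ivfb_demo_search_slides_safe( $term ) );
}
add_action( 'wp_ajax_ivfb_demo_search', 'ivfb_demo_ajax_search' );
```

When reviewing a plugin for this bug class, grep for $wpdb->query, get_results, get_row and get_var calls whose SQL string is built by concatenation or interpolation of request data without a surrounding prepare().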
OpenCVE Enrichment