Impact
The Unicamp theme for WordPress contains a flaw that allows an attacker to inject arbitrary SQL through the subscription interface. The input is improperly sanitized, permitting malicious SQL fragments to be appended to the query used when storing subscriber data. Exploiting this weakness can lead to unauthorized read, modification, or deletion of database records, potentially exposing sensitive user information or defacing the site.
Affected Systems
WordPress installations running the Unicamp theme version 2.2.2 or earlier. The theme is supplied by the vendor ThemeMove under the product name Unicamp.
Risk and Exploitability
The CVSS score of 8.5 classifies the vulnerability as Critical. No EPSS score is currently available, and the absence of a KEV listing does not diminish the risk for sites that run the vulnerable theme. The likely attack vector is remote: the attacker sends a crafted request to the subscription form, which is accessible to any visitor. Successful exploitation requires only that the theme process the input without proper escaping or prepared statements, which the affected releases do not enforce.
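The defect class described above, shown as an added illustrative example rather than code from the Unicamp theme or ThemeMove: a subscriber insert that splices the form value into the query, beside the form a WordPress handler takes when it validates the value and lets `$wpdb` bind it as data. The table name, column names, nonce action and AJAX hook are assumptions for the example.

```php
<?php
// Added example; not the theme's code. The table "{$wpdb->prefix}newsletter_subscribers",
// its columns, the nonce action "subscribe_form" and the AJAX action name are hypothetical.

// Vulnerable pattern: the submitted value is concatenated into the INSERT, so any
// quote character in the input ends the string literal and what follows is parsed as SQL.
function unsafe_store_subscriber( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'newsletter_subscribers';
    return $wpdb->query( "INSERT INTO {$table} (email, created_at) VALUES ('{$email}', NOW())" );
}

// Hardened version: validate the value, then insert through $wpdb, which builds a
// prepared statement so the value is stored verbatim and never interpreted as SQL.
function safe_store_subscriber( $raw_email, $nonce ) {
    global $wpdb;

    // Only accept submissions that carry the form's own nonce.
    if ( ! wp_verify_nonce( $nonce, 'subscribe_form' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    $email = sanitize_email( wp_unslash( $raw_email ) );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'Invalid email address.' );
    }

    $table = $wpdb->prefix . 'newsletter_subscribers';

    // Reject duplicates with an explicitly prepared query; %s binds the value as a string.
    $count = (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE email = %s", $email )
    );
    if ( $count > 0 ) {
        return new WP_Error( 'duplicate', 'Already subscribed.' );
    }

    // $wpdb->insert() escapes according to the %s format for each column.
    $ok = $wpdb->insert(
        $table,
        array( 'email' => $email, 'created_at' => current_time( 'mysql' ) ),
        array( '%s', '%s' )
    );
    return ( false === $ok ) ? new WP_Error( 'db_error', 'Could not store subscriber.' ) : true;
}

// AJAX entry point reachable by unauthenticated visitors, as a subscription form would be.
add_action( 'wp_ajax_nopriv_subscribe_form', function () {
    $result = safe_store_subscriber( $_POST['email'] ?? '', $_POST['_wpnonce'] ?? '' );
    is_wp_error( $result ) ? wp_send_json_error( $result->get_error_message() ) : wp_send_json_success();
} );
```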
OpenCVE Enrichment