The vulnerability is an improper neutralization of special elements used in an SQL command, allowing blind SQL injection within the Ninja Tables plugin. An attacker can craft inputs that bypass the plugin’s filtering and execute arbitrary SQL statements against the WordPress database. This enables the extraction of sensitive data, modification of records, or potential escalation to full site compromise if the extracted data includes authentication or configuration values. The weakness is classified as CWE-89.

The affected product is the Ninja Tables plugin by Shahjahan Jewel for WordPress sites. Versions from the first available release up to and including 5.2.4 are vulnerable. The issue is present regardless of the WordPress core version, as it originates in the plugin’s PHP code that builds SQL queries.

The CVSS score of 8.5 indicates a high impact, while the EPSS score of less than 1% indicates a very low likelihood that this vulnerability is actively exploited in the wild. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited exploitation. Based on the description, the likely attack vector involves submitting specially crafted input via a form or URL that the plugin processes, and the attacker would need network access to the WordPress site. Because the SQL injection is blind, the attacker does not need to see error messages or query results; they can infer information through time delays or other side channels.