The vulnerability exists in the WordPress Geo to Lat plugin and allows attackers to perform blind SQL injection through improper neutralization of special elements used in SQL commands (CWE-89). Enabling this flaw could let a remote attacker read, modify or delete sensitive database contents, leading to significant confidentiality and integrity compromise. The description emphasizes that the issue allows blind data extraction, indicating that the attacker can infer database contents via query responses rather than direct error messages, but can still achieve substantial data exposure.

WordPress sites installing the delphiknight Geo to Lat plugin with versions up to and including 1.0.19 are affected. The vulnerability applies to any installation that has not yet upgraded beyond that version threshold.

The CVSS score of 8.5 indicates a high severity risk. EPSS score is below 1%, suggesting a low likelihood of exploitation in the current threat landscape, and the vulnerability is not listed in the CISA KEV catalog. The description reports a blind SQL injection, implying that an attacker can infer data from the database, but the exact attack vector (e.g., unauthenticated request, privileged user) is not explicitly stated, so it is inferred that exploitation may require access to the plugin’s input parameters and potentially site or database access. Overall, the risk remains high due to the potential for data compromise should an attacker successfully exploit the flaw.