Impact
Improper neutralization of special characters in SQL commands allows an attacker to inject SQL through the TaxoPress plugin on WordPress sites. The flaw is a classic SQL injection (CWE-89) and manifests as a blind injection: the attacker may not see query output or immediate error messages, but can still infer data through timing or other side channels. An attacker could extract sensitive database contents or alter data without authentication.
Affected Systems
All WordPress sites running the TaxoPress plugin (WordPress.org slug simple-tags) at version 3.44.0 or earlier are impacted. The plugin is authored by Steve Burge, and the vulnerability spans all versions from the earliest available up to and including 3.44.0.
Risk and Exploitability
The CVSS score of 7.6 indicates a high-severity vulnerability that can be exploited remotely via the web interface. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a web request sent to the plugin's endpoints; an attacker with local network or internet access to the WordPress site can craft payloads that trigger blind SQL queries and, one inference at a time, reveal or manipulate data. Because the injected queries produce no immediate error response, the activity is harder to spot in ordinary error monitoring, which increases the risk if the site is exposed.
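The timing and boolean side channels described above leave traces that ordinary error monitoring misses but access logs do not. The following is an added detection example, not code from the advisory or from the TaxoPress project: it scans constructed web-server log lines (method, path, status, response seconds) for time-based and boolean-based blind SQLi primitives in decoded query strings, and separately flags unusually slow requests to WordPress AJAX and plugin paths. The plugin path `/wp-content/plugins/simple-tags/`, the `action=example` parameter and the 3-second threshold are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic): method, path, status, response seconds.
SAMPLE_LOG = """\
GET /wp-admin/admin-ajax.php?action=example&term=news 200 0.08
GET /wp-admin/admin-ajax.php?action=example&term=news%27%20AND%20SLEEP%285%29--%20 200 5.12
GET /wp-admin/admin-ajax.php?action=example&term=news%27%20AND%201%3D1--%20 200 0.09
GET /wp-admin/admin-ajax.php?action=example&term=news%27%20AND%201%3D2--%20 200 0.09
GET /?s=sports 200 0.11
"""

# Time-based (sleep/benchmark/delay) and boolean-based (quote + tautology) primitives
# commonly seen in blind SQLi probes; matched against the URL-decoded request path.
SQLI_MARKERS = re.compile(
    r"(sleep\s*\(|benchmark\s*\(|waitfor\s+delay|pg_sleep\s*\(|'\s*(and|or)\s+\d+\s*=\s*\d+)",
    re.IGNORECASE,
)
# Assumed threshold: plugin/AJAX requests slower than this are suspicious even without a marker.
SLOW_THRESHOLD = 3.0
# Assumed endpoint prefixes for WordPress AJAX handlers and the simple-tags plugin directory.
PLUGIN_PATHS = ("/wp-admin/admin-ajax.php", "/wp-content/plugins/simple-tags/")

def parse_line(line):
    """Split one constructed log line into (method, decoded path, status, seconds)."""
    method, path, status, secs = line.split()
    return method, unquote_plus(path), int(status), float(secs)

def classify(line):
    """Return the reasons a request looks like a blind SQLi probe (empty list if clean)."""
    _method, path, _status, secs = parse_line(line)
    reasons = []
    if SQLI_MARKERS.search(path):
        reasons.append("sqli-marker")
    if secs >= SLOW_THRESHOLD and path.startswith(PLUGIN_PATHS):
        reasons.append("slow-plugin-request")
    return reasons

def scan(log_text):
    """Map each suspicious decoded request path to its detection reasons."""
    findings = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            findings[parse_line(line)[1]] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_LOG).items():
        print(", ".join(reasons), "->", path)
```

The boolean pair (`1=1` followed by `1=2` against the same parameter) is the signature of inference-based probing; correlating such pairs per client is a natural next step once the single-request flags above are in place.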
OpenCVE Enrichment