The vulnerability is an improper neutralization of special elements used in an SQL command, allowing blind SQL injection. An attacker can craft malicious inputs that bypass proper escaping and reach the database engine, potentially extracting, modifying, or deleting submission data stored by the plugin. This flaw is a classic injection weakness (CWE‑89) that undermines data integrity and confidentiality for sites using the affected plugin. The impact is confined to the database statements executed by the plugin and does not directly lead to arbitrary code execution, but it can allow an attacker to gain privileged access to sensitive user submissions.

The flaw affects the WordPress plugin Aman Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend, versions from the initial release through any release up to and including 3.3.2. No further product or vendor names are explicitly enumerated beyond the plugin itself.

The CVSS score of 8.5 indicates high severity, and the EPSS score is not available, so the current estimate of exploitation probability is unknown. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be remote since the plugin processes data submitted via the frontend; an attacker can submit malicious payloads through exposed form fields to trigger the injection. No additional prerequisites are publicly documented, suggesting that the flaw can be exploited by anyone who can access the vulnerable form pages.