Impact
The vulnerability is a classic SQL injection flaw in the GamiPress WordPress plugin that allows attackers to inject arbitrary SQL statements through the subscriber functionality. The likely attack vector is via web requests to the plugin’s subscriber endpoints, though the description does not explicitly state this; it is inferred from the nature of the flaw and the mention of subscriber-based injection. Successful exploitation could enable an attacker to read sensitive data, alter or delete database records, or possibly gain further access depending on the privileges of the database user account. This impact includes potential confidentiality, integrity, and availability compromise for the site’s data.
Affected Systems
The GamiPress plugin developed by Ruben Garcia, versions 7.8.7 and earlier, are affected. The issue has been fixed in version 7.8.8 and later, so sites using those releases are no longer vulnerable.
Risk and Exploitability
The EPSS score for this vulnerability is less than 1%, indicating a low probability of being actively exploited, and it is not listed in CISA’s KEV catalog. Despite the low EPSS, the CVSS score of 8.5 signifies that the flaw, if exploited, would lead to significant data exposure or damage. Exposure may be achievable through unauthenticated or authenticated web traffic to the subscriber endpoints, depending on site configuration. The combination of high severity and the possibility of remote exploitation creates a notable risk that warrants prompt remediation.
OpenCVE Enrichment