Impact
The vulnerability is an improper neutralization of special characters in an SQL command, classified as SQL Injection (CWE‑89). An attacker can craft input that is incorporated into database queries without proper sanitization, resulting in a blind SQL Injection that may allow reading or altering the WordPress site’s database. The defect could lead to compromise of sensitive information, disruption of service, or unauthorized data tampering.
Affected Systems
The flaw is present in the VillaTheme GIFT4U WordPress plugin version 1.0.10 and all earlier releases. Sites running this plugin, whether self‑hosted or via standard WordPress installations, are susceptible until the plugin is updated to version 1.1.0 or later.
Risk and Exploitability
The CVSS score of 9.3 indicates critical severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely remote through the web interface of the plugin. While no exploit probability is provided, the high CVSS and the nature of the flaw suggest it could be exploited by unauthenticated attackers targeting exposed plugin endpoints.
OpenCVE Enrichment