Impact
The flaw is unsanitized contributor-supplied input that the plugin interpolates into its database queries, which allows an attacker to inject arbitrary SQL into those queries. The injected SQL runs with the privileges of the plugin's database connection, so it can be used to read, modify, or delete content in the WordPress database, potentially exposing sensitive information (such as user records and credentials hashes) or corrupting site data. The weakness is classified as CWE-89, Improper Neutralization of Special Elements used in an SQL Command (SQL injection): untrusted input reaches a query without being parameterized or escaped.
Affected Systems
The affected product is the iNET Webkit plugin for WordPress; the advisory names version 1.2.4. Site administrators should check whether the plugin is installed (the plugin header in its main PHP file under wp-content/plugins/ gives its name and version) and, if it is, take remedial action: update to a fixed release if one is available, or deactivate and remove the plugin.
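As an added example (not part of the advisory and not the plugin's own code), the following POSIX shell script locates an installed copy of the plugin by its WordPress plugin header rather than by directory slug, which the advisory does not give, and compares the version it finds against 1.2.4. The sample WordPress tree it builds under mktemp is constructed for the demonstration; set WP_ROOT to a real install to run the check there. The function names, ADVISORY_VERSION, and the sample plugin directories are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): find an installed iNET Webkit
# plugin by its WordPress plugin header and compare its version with the advisory.
# Assumes the standard layout $WP_ROOT/wp-content/plugins/<slug>/ and the standard
# "Plugin Name:" / "Version:" header block in the plugin's main PHP file.
# The plugin's directory slug is not given in the advisory, so matching is on the header.

ADVISORY_VERSION="1.2.4"   # the version the advisory names as affected

# Print the version of the first plugin whose header names "iNET Webkit"; return 1 if none.
find_inet_webkit_version() {
  plugins_dir="$1/wp-content/plugins"
  [ -d "$plugins_dir" ] || return 1
  for f in "$plugins_dir"/*/*.php "$plugins_dir"/*.php; do
    [ -f "$f" ] || continue
    # WordPress reads the header from the start of the file; 60 lines is ample here.
    header="$(head -n 60 "$f")"
    # Header lines may be bare ("Plugin Name: ...") or inside a doc comment (" * Plugin Name: ...").
    if printf '%s\n' "$header" | grep -qi '^[[:space:]*]*Plugin Name:[[:space:]]*iNET Webkit[[:space:]]*$'; then
      printf '%s\n' "$header" | sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' | head -n 1
      return 0
    fi
  done
  return 1
}

# Return 0 when the installed version is exactly the one the advisory names.
is_advisory_version() {
  [ "$1" = "$ADVISORY_VERSION" ]
}

# Build a constructed WordPress tree (sample data, not a real copy of the plugin) so the
# check can be exercised offline. Prints the root path.
make_sample_wp_root() {
  root="$(mktemp -d)"
  mkdir -p "$root/wp-content/plugins/some-other-plugin" "$root/wp-content/plugins/sample-plugin"
  cat > "$root/wp-content/plugins/some-other-plugin/some-other-plugin.php" <<'EOF'
<?php
/*
Plugin Name: Some Other Plugin
Version: 9.9.9
*/
EOF
  cat > "$root/wp-content/plugins/sample-plugin/sample-plugin.php" <<'EOF'
<?php
/**
 * Plugin Name: iNET Webkit
 * Version: 1.2.4
 */
EOF
  printf '%s\n' "$root"
}

# Usage against a real install: WP_ROOT=/var/www/html sh check.sh
wp_root="${WP_ROOT:-$(make_sample_wp_root)}"
if v="$(find_inet_webkit_version "$wp_root")"; then
  if is_advisory_version "$v"; then
    echo "iNET Webkit $v found under $wp_root: matches the advisory version, remediate"
  else
    echo "iNET Webkit $v found under $wp_root: differs from advisory version $ADVISORY_VERSION, verify against vendor notes"
  fi
else
  echo "iNET Webkit not found under $wp_root"
fi
```

The check matches on the exact header name, so a differently named fork or a "Pro" variant is reported as not found rather than guessed at; extend the pattern deliberately if your site carries such a variant. On a multisite or mu-plugins deployment, also pass the wp-content/mu-plugins path through the same function.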
Risk and Exploitability
A CVSS score of 8.5 places the vulnerability in the High severity band. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, so there is no public record of in-the-wild exploitation at the time of writing; absence from KEV is not evidence that the flaw is unexploited, and SQL injection in a web plugin is straightforward to automate once the injection point is known. Because the injection is triggered by a contributor-supplied parameter, the most likely attack vector is remote: crafted HTTP requests to the plugin endpoint that consumes that parameter. Successful exploitation could lead to extensive data exposure or site compromise.
OpenCVE Enrichment