Impact
The nicen-localize-image WordPress plugin, in versions up to and including 1.4.9, contains a classic SQL injection flaw: request input reaches a SQL statement without sanitization or parameter binding, so an attacker can change the structure of the query rather than just the value it compares against. Depending on the privileges of the database account the site uses, injected SQL can read, modify, or delete database contents, exposing sensitive user data such as account credentials and potentially opening the way to further compromise of the underlying system.
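As an added illustration (not the plugin's code, whose vulnerable query is not reproduced in this advisory), the following Python script models the pattern described above: one lookup that splices a request value into the SQL string, and the hardened form that binds it as a parameter. The table names, columns, and sample rows are constructed for the example; sqlite3 stands in for MySQL and the WordPress $wpdb layer, and the tautology and UNION payloads are the generic textbook forms, not payloads known to work against this plugin.

```python
import sqlite3

# Constructed sample data (not from the plugin or any real site). The "images"
# table is a hypothetical stand-in for a plugin table that maps remote image
# URLs to local copies; "users" stands in for the site's user table.
SAMPLE_IMAGES = [
    (1, "https://cdn.example.invalid/a.png", "uploads/a.png"),
    (2, "https://cdn.example.invalid/b.png", "uploads/b.png"),
    (3, "https://cdn.example.invalid/c.png", "uploads/c.png"),
]
SAMPLE_USERS = [
    ("admin", "$P$BfakehashAAAA"),   # placeholder hash, not a real credential
    ("editor", "$P$BfakehashBBBB"),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE images (id INTEGER PRIMARY KEY, remote_url TEXT, local_path TEXT)"
    )
    conn.execute("CREATE TABLE users (user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO images VALUES (?, ?, ?)", SAMPLE_IMAGES)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, remote_url):
    """Vulnerable pattern: the request value is concatenated into the SQL text,
    so quote characters in it are parsed as SQL syntax."""
    sql = "SELECT id, local_path FROM images WHERE remote_url = '" + remote_url + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, remote_url):
    """Hardened pattern: the value travels as a bound parameter and can only
    ever be compared as data, never interpreted as part of the statement."""
    sql = "SELECT id, local_path FROM images WHERE remote_url = ?"
    return conn.execute(sql, (remote_url,)).fetchall()


# Generic textbook payloads (assumed for the demo, not taken from any exploit).
TAUTOLOGY = "' OR '1'='1"
UNION_READ = "' UNION SELECT user_login, user_pass FROM users -- "


def demo():
    """Run benign and malicious inputs through both lookups and return the rows."""
    conn = make_db()
    benign = "https://cdn.example.invalid/a.png"
    return {
        "benign_vulnerable": lookup_vulnerable(conn, benign),
        "benign_safe": lookup_safe(conn, benign),
        # Tautology turns the WHERE clause into "... = '' OR '1'='1'": every row.
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),
        # UNION reads a different table through the same query; "--" comments
        # out the trailing quote the code appends.
        "union_vulnerable": lookup_vulnerable(conn, UNION_READ),
        "union_safe": lookup_safe(conn, UNION_READ),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The benign URL returns the same single row from both functions; only the concatenating version lets the tautology dump every image row and the UNION payload read user credentials, while the parameterized version returns nothing for either payload because it simply compares the literal string against remote_url.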
Affected Systems
Any WordPress site running the nicen-localize-image plugin at version 1.4.9 or earlier. The vendor is listed as 友人a丶. No finer-grained version matrix is provided beyond the stated upper bound, so treat every release up to and including 1.4.9 as vulnerable, and confirm the installed version directly (for example from the WordPress plugins screen or with `wp plugin list` under WP-CLI) rather than inferring it from the plugin's last update date.
Risk and Exploitability
The CVSS score of 8.5 places the issue in the high severity band. No EPSS score is available, but nothing in the advisory restricts how an attacker can deliver a payload, so the exploitation risk should be treated as realistic. The vulnerability is not listed in the CISA KEV catalog; its ability to compromise database confidentiality and integrity nonetheless warrants prompt attention. Exploitation takes the usual form for this class: crafted HTTP requests to whichever plugin endpoint passes the unfiltered parameter into a query, so the attacker needs only network access to the site. Where no fixed release can be installed, deactivating the plugin removes the exposed code path; a WAF rule for common SQL injection patterns reduces exposure but is not a substitute for a fix.
OpenCVE Enrichment