The Realtyna Organic IDX plugin suffers from an SQL Injection vulnerability (CWE-89) due to improper neutralization of special elements in SQL commands. This flaw affects all versions up to 4.14.4 and allows remote attackers to execute arbitrary SQL code without authentication or user interaction. The vulnerability has a CVSS v3.1 score of 9.3, reflecting its critical severity with network attack vector, low attack complexity, no privileges required, and complete confidentiality impact. No vendor advisory or patch is currently available, and the plugin is not a cloud service, so remediation depends on vendor action or user mitigation.

Successful exploitation could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the affected system, potentially leading to unauthorized disclosure of sensitive data (high confidentiality impact). Integrity impact is not indicated, and availability impact is low. This could compromise the backend database of the Realtyna Organic IDX plugin, affecting data confidentiality.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or restricting access to the vulnerable plugin to prevent exploitation. Monitor vendor channels for updates and apply patches promptly once available.