This vulnerability in the StoryMap WordPress plugin arises from a CSRF issue that facilitates SQL Injection attacks. Specifically, an attacker can exploit the CSRF weakness to trick an authenticated user into submitting malicious requests that execute unauthorized SQL commands on the backend database. The affected versions include all releases up to and including 2.1. The CVSS 3.1 vector indicates the attack can be performed remotely over the network without privileges but requires user interaction. The vulnerability impacts confidentiality and availability with high confidentiality impact and low availability impact.

Successful exploitation can lead to unauthorized SQL commands being executed on the database, potentially exposing or altering sensitive data. The confidentiality impact is high, as indicated by the CVSS score, while integrity impact is not indicated. Availability impact is low. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or restricting access to the StoryMap plugin to mitigate risk. Applying standard CSRF protections and limiting user privileges may reduce exposure but do not fully mitigate the SQL Injection risk inherent in this vulnerability.