The OttoKit WordPress plugin before version 1.1.23 contains a SQL injection vulnerability (CWE-89) caused by improper sanitization of user input used in SQL queries. This flaw could allow unauthenticated attackers to inject malicious SQL commands, potentially compromising the database. No CVSS score or official patch information is currently available, and no known exploits have been reported. The vulnerability was published on May 8, 2026, and was reserved on March 26, 2026.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary SQL commands on the affected WordPress site's database. This could lead to unauthorized data access, data modification, or other database-related impacts depending on the attacker's capabilities and the database configuration. No specific impact details or exploitation reports are available.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should monitor the vendor's communications for updates. Applying general WordPress security best practices, such as limiting plugin usage and restricting database permissions, may help reduce risk but do not replace the need for a proper patch.