CVE-2026-2024

PhotoStack · PhotoStack Gallery

The PhotoStack Gallery plugin for WordPress is vulnerable to SQL Injection via the 'postid' parameter, allowing for unauthorized database access.

Executive summary

A high-severity SQL Injection vulnerability in the PhotoStack Gallery plugin could allow attackers to extract sensitive information from the site's database.

Vulnerability

The vulnerability exists due to insufficient escaping of the 'postid' parameter in SQL queries. Because the value is placed into the query text without escaping or parameter binding, a crafted value can alter the structure of the query rather than being treated as data, potentially leading to unauthorized data retrieval.

Business impact

SQL Injection can lead to the exposure of sensitive data, including user credentials, site configuration, and customer information. In some configurations, it can also be used to modify or delete database records, leading to data loss or site instability. The CVSS score of 7.5 reflects the high risk to data confidentiality.

Remediation

Immediate Action: Update the PhotoStack Gallery plugin to the latest version so that all database queries are properly parameterized.

Proactive Monitoring: Monitor database logs for unusual query patterns or errors that may indicate SQL injection attempts.

Compensating Controls: Use a Web Application Firewall (WAF) with SQL injection protection rules enabled to detect and block malicious payloads in the 'postid' parameter.
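The following is an added example, not code from the PhotoStack Gallery plugin, showing the general query-building mistake the advisory describes and the parameterized form the remediation calls for. The function names, the table name and the column names are hypothetical placeholders; `$wpdb->prepare()`, `absint()` and `wp_unslash()` are standard WordPress core APIs.

```php
<?php
// Added example (not PhotoStack Gallery's own code). Function, table and column
// names are hypothetical placeholders chosen for illustration.

// VULNERABLE PATTERN: the request parameter is interpolated directly into the
// SQL text, so any value that is not a plain number changes the query's structure.
function psg_get_images_vulnerable( $wpdb, $postid ) {
    $table = $wpdb->prefix . 'psg_images';            // hypothetical table
    $sql   = "SELECT id, file FROM {$table} WHERE post_id = " . $postid;
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: validate the type first, then bind the value with
// $wpdb->prepare(). The %d placeholder coerces the argument to an integer,
// so the value can never change the shape of the statement.
function psg_get_images_hardened( $wpdb, $postid ) {
    $postid = absint( $postid );   // core helper: non-negative int, 0 if invalid
    if ( 0 === $postid ) {
        return array();            // reject rather than query with a bogus id
    }
    $table = $wpdb->prefix . 'psg_images';            // hypothetical table
    $sql   = $wpdb->prepare(
        "SELECT id, file FROM {$table} WHERE post_id = %d",
        $postid
    );
    return $wpdb->get_results( $sql );
}

// Typical call site: read the request value, but never trust it before it has
// been validated and bound as a parameter.
function psg_handle_request( $wpdb ) {
    $postid = isset( $_GET['postid'] ) ? wp_unslash( $_GET['postid'] ) : '';
    return psg_get_images_hardened( $wpdb, $postid );
}
```

The table name is interpolated from `$wpdb->prefix` rather than passed as a placeholder because `prepare()` quotes `%s` arguments as string literals, which is not valid for identifiers; only the untrusted `postid` value goes through the placeholder. Casting with `absint()` before binding gives a second, independent guard: even if a later refactor drops the `prepare()` call, the value reaching the query is already an integer.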

Exploitation status

Public Exploit Available: false

Analyst recommendation

Immediate patching is required to protect the site's database. Organizations should also ensure that the database user for the WordPress site has the least privileges necessary to minimize the impact of a potential injection attack.