The vulnerability arises from the way the ZIP Code Based Content Protection plugin processes the 'zipcode' parameter. A lack of proper input sanitization and SQL query preparation allows attackers to inject arbitrary SQL code. This can lead to unauthorized disclosure of sensitive data, data manipulation, and potential compromise of the WordPress site's database integrity. Since the vulnerability can be exploited by unauthenticated users, it poses a significant risk to any website using this plugin. If left unpatched, attackers could leverage this weakness to conduct further attacks, exfiltrate critical information, or disrupt website operations. The vulnerability is present in plugin versions up to and including 1.0.2.

To mitigate this vulnerability, users should apply input validation and output escaping on all user-supplied input, especially the 'zipcode' parameter. Employ parameterized queries or prepared statements to prevent SQL Injection attacks. Consider implementing a Web Application Firewall (WAF) to detect and block suspicious SQL activity.