High severity (8.2) · NVD Advisory · Published Jun 15, 2026

CVE-2016-20072

Description

BBS e-Franchise 1.1.1 WordPress plugin has an unauthenticated SQL injection via uid, allowing extraction of sensitive database data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The BBS e-Franchise plugin for WordPress, version 1.1.1 and earlier, contains an SQL injection vulnerability in the uid parameter. The parameter is not sanitized or escaped before being used in database queries [1][2]. The vulnerability is reachable when the plugin's shortcode is used on a page or post, making it accessible to unauthenticated visitors [2].

Exploitation

An attacker needs only network access to the WordPress site. No authentication is required. The attacker must first identify a page or post that uses the BBS e-Franchise shortcode. Then, a crafted request can be made by appending a malicious uid parameter to the URL, such as: `?uid=0+UNION+SELECT+1,2,3,4,name,6,7,8,9,10,11,12,13,14,15,slug,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+FROM+wp_terms+WHERE+term_id=1` [2]. This UNION-based injection allows the attacker to retrieve arbitrary data from the WordPress database.

Impact

Successfully exploiting this vulnerability allows an unauthenticated attacker to execute arbitrary SQL queries, leading to the extraction of sensitive information such as user credentials, email addresses, taxonomy terms, and other data stored in the WordPress database [1]. The impact is primarily on confidentiality, with potential for privilege escalation if the attacker gains access to admin credentials.

Mitigation

As of the available references, no official patch has been released for this vulnerability [1][2]. The BBS e-Franchise plugin appears to be discontinued. The recommended mitigation is to remove or replace the plugin with an alternative that is actively maintained. There is no known workaround [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"The `$_GET['uid']` parameter is not escaped before being used in a SQL query, enabling unauthenticated SQL injection."

Attack vector

An unauthenticated attacker sends an HTTP GET request to any WordPress page or post that includes the BBS e‑Franchise shortcode, appending a malicious `uid` parameter. Because the plugin fails to escape or sanitize the `uid` value [CWE-89], the attacker can inject a UNION‑SELECT payload to extract arbitrary data from the WordPress database—for example, usernames, password hashes, or taxonomy terms from `wp_terms`. The exploit works remotely over HTTP with no prior authentication required.

Affected code

The SQL injection occurs in the BBS e‑Franchise 1.1.1 plugin for WordPress. The plugin reads the `uid` parameter directly from `$_GET['uid']` without escaping it before using it in a SQL query. Any page or post that embeds the plugin's shortcode exposes this vulnerable parameter to unauthenticated visitors.

What the fix does

No official patch has been published by the vendor; the advisory states "vendor not found" as of the disclosure date. To remediate the vulnerability, the plugin must escape the `uid` parameter—e.g., by casting it to an integer with `intval()` or using a prepared statement—before including it in a SQL query. Without such sanitization, any unauthenticated visitor can inject arbitrary SQL commands through the `uid` parameter.
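To make the remediation concrete, here is an added example that is not the plugin's own code: a hypothetical shortcode handler showing the unescaped `uid` pattern the advisory describes, beside a hardened version that forces the value to an integer with `absint()` and binds it through `$wpdb->prepare()`. The table name `franchise_profiles`, its columns, the function names and the shortcode name are assumptions.

```php
<?php
// Added illustration, not code from the BBS e-Franchise plugin. The table
// "franchise_profiles", its columns and the shortcode name are assumed.

// VULNERABLE pattern (as described in the advisory): $_GET['uid'] is
// interpolated straight into the query string, so a value such as
// "0 UNION SELECT ..." reaches MySQL as SQL rather than as a number.
function efranchise_profile_vulnerable( $atts ) {
    global $wpdb;
    $uid = isset( $_GET['uid'] ) ? $_GET['uid'] : 0;
    $sql = "SELECT * FROM {$wpdb->prefix}franchise_profiles WHERE id = $uid";
    $row = $wpdb->get_row( $sql, ARRAY_A );
    return $row ? esc_html( $row['name'] ) : '';
}

// HARDENED version: absint() reduces any non-numeric input to 0 (intval of
// "0 UNION ..." is 0), and the %d placeholder in $wpdb->prepare() binds the
// value as an integer, so the request can never change the query's structure.
function efranchise_profile_hardened( $atts ) {
    global $wpdb;
    $uid = isset( $_GET['uid'] ) ? absint( wp_unslash( $_GET['uid'] ) ) : 0;
    if ( 0 === $uid ) {
        return ''; // no valid id supplied: render nothing, query nothing
    }
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT name FROM {$wpdb->prefix}franchise_profiles WHERE id = %d",
            $uid
        ),
        ARRAY_A
    );
    // Output is escaped as well, so a stored value cannot inject HTML.
    return $row ? esc_html( $row['name'] ) : '';
}

// Register only the hardened handler for the (assumed) shortcode name.
add_shortcode( 'efranchise_profile', 'efranchise_profile_hardened' );
```

If the identifier were a string rather than an id, the same prepared-statement approach applies with a `%s` placeholder; casting alone would not be enough.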

Preconditions

  • auth: No authentication required
  • config: The target WordPress site must have the BBS e-Franchise 1.1.1 plugin installed and active
  • input: Attacker must find a page or post that uses the plugin's shortcode
  • network: HTTP GET requests to the target page

Reproduction

The public PoC shows the following request:

```
http://target/2016/09/26/ola-mundo-2/?uid=0+UNION+SELECT+1,2,3,4,name,6,7,8,9,10,11,12,13,14,15,slug,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+FROM+wp_terms+WHERE+term_id=1
```

Replace the target URL with any WordPress page that renders the plugin's shortcode and append the malicious `uid` parameter.

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4