CVE-2016-20073
Description
Unauthenticated SQL injection in Answer My Question 1.3 WordPress plugin via 'id' parameter in modal.php allows attackers to extract database contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in Answer My Question 1.3 WordPress plugin via 'id' parameter in modal.php allows attackers to extract database contents.
Vulnerability
The Answer My Question plugin version 1.3 for WordPress contains an SQL injection vulnerability in the modal.php file. The id POST parameter is directly concatenated into an SQL query without proper sanitization or escaping [1]. Attackers can inject arbitrary SQL statements via the id parameter [2]. The endpoint is accessible to unauthenticated users [2].
Exploitation
An unauthenticated attacker can send a crafted POST request to modal.php with a malicious id value. For example, a proof-of-concept payload uses UNION-based injection to extract data from the wp_terms table [2]. No authentication or special network position is required; the attacker only needs the ability to send HTTP requests to the WordPress instance [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries against the WordPress database. This can lead to extraction of sensitive information such as terms, configuration data, user credentials, or other stored content [1]. The CVSS v3 score of 8.2 (High) reflects the high confidentiality impact and low integrity impact, with no authentication required [1].
Mitigation
As of the available references, the vulnerability exists in version 1.3 and earlier, and no patched version has been identified. Users are advised to uninstall or disable the plugin until a fix is released [1]. The plugin is no longer maintained on WordPress.org (the last update was in 2014) [2], so users should consider replacing it with an alternative plugin.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <=1.3
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The `id` POST parameter is used directly in an SQL query without escaping or parameterization."
Attack vector
An unauthenticated attacker sends a crafted POST request to `/wp-content/plugins/answer-my-question/modal.php` with a malicious `id` value containing SQL injection payloads. The 'id' parameter is not escaped before being used in a database query, allowing UNION-based injection to extract arbitrary data from the WordPress database such as `wp_terms` table contents [ref_id=1].
Affected code
The vulnerability exists in `modal.php` of the Answer My Question 1.3 plugin for WordPress. The `id` POST parameter is passed unsanitized directly into an SQL query, making the endpoint accessible without authentication [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the recommended fix is to properly escape or parameterize the `$_POST['id']` value before using it in an SQL query. Alternatively, the plugin should validate that the input is an expected type (e.g., integer) and reject anything that does not conform. Only then can the injection be prevented from reaching the database engine.
Preconditions
- configThe Answer My Question plugin version 1.3 must be installed and active on a WordPress site.
- authNo authentication is required; the modal.php endpoint is publicly accessible.
- networkThe attacker must be able to send HTTP POST requests to the vulnerable endpoint.
- inputThe 'id' POST parameter must accept arbitrary string input—no sanitization or validation is applied.
Reproduction
1. Prepare an HTML form that POSTs to `http://localhost:1406/wp/wp-content/plugins/answer-my-question/modal.php`. 2. Set the input field `id` to a value such as `0 UNION SELECT 1,2,3,4,5,6,slug,term_group,name,10,11,12 FROM wp_terms WHERE term_id=1`. 3. Submit the form to trigger the injection. 4. Observe that the database returns rows from `wp_terms` as part of the page output [ref_id=1].
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.