CVE-2016-20072

CVE Database · CVE-2016-20072

CVE-2016-20072

· HIGHReceived

CVSS v3.1

8.2

CVSS v4.0

8.8

EPSS

0.27%

Published

Jun 15, 2026

Modified

Jun 15, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin's shortcode with UNION-based SQL injection in the uid parameter to extract sensitive data from the WordPress database including user information and taxonomy terms.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Weaknesses (CWE)

CWE-89

References (4)

http://lenonleite.com.br/

https://wordpress.org/plugins/bbs-e-franchise/

https://www.exploit-db.com/exploits/40782

https://www.vulncheck.com/advisories/bbs-e-franchise-wordpress-plugin-sql-injection-via-uid

KEV Catalog EPSS Scores Vendors All CVEs