SQL Injection Vulnerability in BBS e-Franchise Plugin for WordPress
CVE-2016-20072

8.8HIGH

Key Information:

Vendor

WordPress
Status
Bbs E-franchise
Vendor
CVE Published:
15 June 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2016-20072?

The BBS e-Franchise plugin for WordPress suffers from an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands. By manipulating the 'uid' parameter in requests, attackers can craft specific requests that exploit this flaw. This manipulation enables them to perform UNION-based SQL injections, leading to the unauthorized extraction of sensitive information from the WordPress database, including user credentials and taxonomy terms. Website owners using this plugin should take immediate action to mitigate the risk.

Affected Version(s)

BBS e-Franchise 1.1.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2016-20072 - Proof of Concept

References

https://www.exploit-db.com/exploits/40782
exploit
https://wordpress.org/plugins/bbs-e-franchise/
product
http://lenonleite.com.br/
product

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lenon Leite
.