What the vulnerability does
01Description
Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Attackers can access the admin interface and supply crafted SQL statements in the message parameter to extract sensitive database information including user credentials and site configuration data.
Explanation of Vulnerability in Simple Terms
02Summary
Single Personal Message versions 1.0.3 and earlier contain a SQL injection vulnerability. An attacker with low-level user privileges can inject malicious SQL commands through unfiltered input, potentially reading or modifying database contents. The vulnerability requires network access and valid user credentials to exploit.
What an attacker can do
03Attacker Capabilities
Read or modify database contents by injecting SQL commands through the application.
Potential impact on your site
04Site Impact
Database contents may be exposed or altered by authenticated attackers; sensitive data could be compromised.
Conditions required to exploit
05Prerequisites
Attacker must have low-level user account credentials and network access to the application.
Key dates
06Disclosure timeline
June 9, 2026
CVE published
June 9, 2026
Record updated