CVE-2016-20063 HIGH

CVE-2016-20063: Single Personal Message 1.0.3 WordPress Plugin SQL Injection

Vendor Md. Shamim Shahnewaz
Product Single Personal Message
Weakness CWE-89 · SQLi
Published June 9, 2026
Last update June 9, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Attackers can access the admin interface and supply crafted SQL statements in the message parameter to extract sensitive database information including user credentials and site configuration data.

Explanation of Vulnerability in Simple Terms

02Summary

Single Personal Message versions 1.0.3 and earlier contain a SQL injection vulnerability. An attacker with low-level user privileges can inject malicious SQL commands through unfiltered input, potentially reading or modifying database contents. The vulnerability requires network access and valid user credentials to exploit.

What an attacker can do

03Attacker Capabilities

Read or modify database contents by injecting SQL commands through the application.

Potential impact on your site

04Site Impact

Database contents may be exposed or altered by authenticated attackers; sensitive data could be compromised.

Conditions required to exploit

05Prerequisites

Attacker must have low-level user account credentials and network access to the application.

Key dates

06Disclosure timeline

June 9, 2026 CVE published
June 9, 2026 Record updated

Related vulnerabilities

08Related CVE