CVE-2016-20072 HIGH

CVE-2016-20072: BBS e-Franchise 1.1.1 WordPress Plugin SQL Injection via uid

Vendor Bbsetheme

Product BBS e-Franchise

Weakness CWE-89 · SQLi

Published June 15, 2026

Last update June 15, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin's shortcode with UNION-based SQL injection in the uid parameter to extract sensitive data from the WordPress database including user information and taxonomy terms.

Key dates

Disclosure timeline

June 15, 2026 CVE published

June 15, 2026 Record updated