CVE-2016-20072
BBS e-Franchise 1.1.1 WordPress Plugin SQL Injection via uid
| CVSS Score | 8.2 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin's shortcode with UNION-based SQL injection in the uid parameter to extract sensitive data from the WordPress database including user information and taxonomy terms.
| CWE | CWE-89 |
| Vendor | bbsetheme |
| Product | bbs e-franchise |
| Published | Jun 15, 2026 |
| Last Updated | Jun 15, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | Low |
| Availability | None |
Affected Versions
| bbsetheme / BBS e-Franchise | 1.1.1 |
Credits
Lenon Leite