CVE-2016-20072
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk18th percentile - higher than 18% of all known CVEs
Summary
The BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin's shortcode with UNION-based SQL injection in the uid parameter to extract sensitive data from the WordPress database including user information and taxonomy terms.
Risk Assessment
This vulnerability poses a serious risk to the security of data within the organization, allowing attackers access to sensitive information. It could lead to privacy breaches and loss of trust in the system.
Recommendation
It is recommended to immediately update the BBS e-Franchise plugin to the latest version to mitigate this vulnerability. Additionally, conducting a security audit of the database is advisable to detect potential breaches.
Original NVD description (English source)
BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin's shortcode with UNION-based SQL injection in the uid parameter to extract sensitive data from the WordPress database including user information and taxonomy terms.

