High

CVE-2016-20072: Security Advisory

CVE-2016-20072 CVSS 8.2
Who it affects
BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter.
What to do
Apply the vendor's update in your next patch window.
Deploy the fix with Action1AutomoxManageEngine Patch Manager PlusManageEngine Endpoint Central Are you exposed? Compare patch tools →

CVE-2016-20072 is a high-severity vulnerability (CVSS 8.2).

Summary

BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin’s shortcode with UNION-based SQL injection in the uid parameter to extract sensitive data from the WordPress database including user information and taxonomy terms.

Remediation

Apply the vendor’s update during your next patch window and verify exposure. Patch-management tools that can deploy and verify the fix include Action1, Automox, ManageEngine Patch Manager Plus, ManageEngine Endpoint Central. See our best patch management ranking.

Sources

Data as of June 16, 2026. Sources: nvd.nist.gov, lenonleite.com.br, wordpress.org, exploit-db.com, vulncheck.com. Figures are pulled from public vendor and security data and refreshed automatically.