PatchSiren cyber security CVE debrief
CVE-2016-20072 bbsetheme CVE debrief
The BBS e-Franchise 1.1.1 plugin for WordPress is vulnerable to an SQL injection attack. This vulnerability, tracked as CVE-2016-20072, allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin's shortcode with UNION-based SQL injection in the uid parameter to extract sensitive data from the WordPress database, including user information and taxonomy terms.
- Vendor: bbsetheme
- Product: BBS e-Franchise
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of the BBS e-Franchise 1.1.1 plugin for WordPress should be aware of this vulnerability and take steps to mitigate it.
Technical summary
CVE-2016-20072 is an SQL injection vulnerability in the BBS e-Franchise 1.1.1 plugin for WordPress. The vulnerability has a CVSS score of 8.8 and is considered HIGH severity.
Defensive priority
HIGH
Recommended defensive actions
- Update the BBS e-Franchise plugin to a version that is not vulnerable.
- Use prepared statements to prevent SQL injection attacks.
- Limit access to sensitive data in the WordPress database.
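To make the "use prepared statements" action concrete, the following is an added illustration written for this debrief; it is not the BBS e-Franchise plugin's own code and the table name, column names and function names (`ex_franchise`, `ex_franchise_lookup_*`) are assumptions. It shows a hypothetical shortcode handler that reads a `uid` request parameter, first in the concatenated form that produces the class of flaw described above, then rewritten with `$wpdb->prepare()` so the request value is bound rather than spliced into the query text.

```php
<?php
// Added example for this debrief, not code from the BBS e-Franchise plugin.
// Table/column/function names below are hypothetical.

// Vulnerable pattern: the raw request value is concatenated into the SQL
// string, so the query structure itself is under the requester's control.
function ex_franchise_lookup_vulnerable( $atts ) {
    global $wpdb;
    $uid = isset( $_GET['uid'] ) ? $_GET['uid'] : '';
    $sql = "SELECT name, email FROM {$wpdb->prefix}ex_franchise WHERE uid = " . $uid;
    $rows = $wpdb->get_results( $sql );
    $out = '';
    foreach ( $rows as $row ) {
        $out .= '<p>' . esc_html( $row->name ) . '</p>';
    }
    return $out;
}

// Hardened pattern: the value is cast to a non-negative integer and bound
// through a %d placeholder, so only the data value varies, never the SQL.
function ex_franchise_lookup_safe( $atts ) {
    global $wpdb;
    $uid = isset( $_GET['uid'] ) ? absint( wp_unslash( $_GET['uid'] ) ) : 0;
    if ( 0 === $uid ) {
        return '';
    }
    $sql = $wpdb->prepare(
        "SELECT name, email FROM {$wpdb->prefix}ex_franchise WHERE uid = %d",
        $uid
    );
    $rows = $wpdb->get_results( $sql );
    $out = '';
    foreach ( $rows as $row ) {
        // Escape on output as well; prepared statements only protect the query.
        $out .= '<p>' . esc_html( $row->name ) . '</p>';
    }
    return $out;
}

// Only the hardened handler is registered as the shortcode callback.
add_shortcode( 'ex_franchise', 'ex_franchise_lookup_safe' );
```

`$wpdb->prepare()` accepts `%d`, `%s` and `%f` placeholders; using `%d` for an identifier like `uid` also rejects any non-numeric input outright, which is the simplest check a site owner or plugin maintainer can verify when auditing a shortcode that reads request parameters.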
Evidence notes
The CVE-2016-20072 vulnerability was reported by an unknown vendor. The vulnerability is related to the BBS e-Franchise 1.1.1 plugin for WordPress.
Official resources
CVE-2016-20072 was published on 2026-06-15T14:16:30.377Z and has not been modified.