PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-0769 Elfden CVE debrief

CVE-2016-0769 is a set of SQL injection vulnerabilities in the eShop plugin 6.3.14 for WordPress, affecting eshop-orders.php. According to the CVE record, the issue was publicly disclosed on 2017-01-23 and carries a high severity score (CVSS 8.8). The described impact is serious: a remote administrator can execute arbitrary SQL through the delid parameter, and remote authenticated users can do the same through the view, mark, or change parameters.

Vendor: Elfden
Product: CVE-2016-0769
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Organizations running WordPress sites with the eShop plugin 6.3.14, especially teams that allow multiple privileged or authenticated users to manage orders. Security teams, WordPress administrators, and incident responders should prioritize any deployment that still exposes the affected order-management workflow.

Technical summary

The vulnerability is classified as SQL injection (CWE-89) in eshop-orders.php. The NVD record maps the affected CPE to eShop plugin 6.3.14 for WordPress and lists a CVSS v3.0 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The CVE description identifies four injection-capable parameters: delid for remote administrators, and view, mark, and change for remote authenticated users.

Defensive priority

High. The combination of network reachability, low attack complexity, and high confidentiality/integrity/availability impact makes this a priority issue for any exposed deployment of the affected plugin version.

Recommended defensive actions

  • Inventory WordPress sites for eShop plugin 6.3.14 and confirm whether eshop-orders.php is reachable.
  • Upgrade or remove the affected plugin version if a fixed release is available from the vendor or maintainers.
  • Restrict access to order-management functions to the smallest possible set of trusted accounts.
  • Review logs and database activity for unexpected queries or changes involving order-management actions.
  • If abuse is suspected, rotate credentials for privileged WordPress accounts and inspect database integrity.
  • Validate exposure against the official CVE and NVD records before taking remediation steps.
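As a starting point for the log-review step above, here is an added example (not code from PatchSiren or from the eShop plugin) that scans web server access logs for requests touching eshop-orders.php and flags any of the four parameters named in the CVE record whose value does not look like an ordinary token. It assumes the combined log format and, because the CVE record does not describe the legitimate value formats, assumes that normal values are short strings of letters, digits, underscores or hyphens; the log lines are constructed.

```python
"""Triage access logs for eshop-orders.php requests whose delid, view, mark
or change parameters carry values outside the expected shape.

Added example for this debrief, not code from PatchSiren or the eShop plugin.
Assumptions: Apache/nginx combined log format; legitimate parameter values are
short tokens of letters, digits, '_' or '-' (tune LEGIT_VALUE for your site);
the file may be reached directly or via an admin page slug, so both are checked.
The sample log lines below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

WATCHED_PARAMS = {"delid", "view", "mark", "change"}   # parameters named in the CVE record
LEGIT_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")       # assumed shape of normal values

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: two ordinary order-management requests, two with
# parameter values that break the expected shape, one unrelated 404.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jan/2017:10:01:02 +0000] "GET /wp-admin/admin.php?page=eshop-orders.php&view=128 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jan/2017:10:01:30 +0000] "GET /wp-admin/admin.php?page=eshop-orders.php&mark=shipped&delid=128 HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Jan/2017:10:05:44 +0000] "GET /wp-admin/admin.php?page=eshop-orders.php&delid=128%27-- HTTP/1.1" 200 4400 "-" "curl/7.51"
198.51.100.9 - - [23/Jan/2017:10:06:01 +0000] "GET /wp-admin/admin.php?page=eshop-orders.php&change=pending%27 HTTP/1.1" 500 312 "-" "curl/7.51"
192.0.2.5 - - [23/Jan/2017:10:09:12 +0000] "GET /wp-content/plugins/eshop/eshop-orders.php?view=1 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_order_request(target: str) -> bool:
    """True if the request path or any query value names eshop-orders.php."""
    parts = urlsplit(target)
    if parts.path.endswith("/eshop-orders.php"):
        return True
    return any(v.endswith("eshop-orders.php")
               for _, v in parse_qsl(parts.query, keep_blank_values=True))


def suspicious_params(target: str) -> dict:
    """Map each watched parameter to its decoded value when that value fails LEGIT_VALUE."""
    parts = urlsplit(target)
    hits = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in WATCHED_PARAMS and not LEGIT_VALUE.match(value):
            hits[key] = value
    return hits


def triage(log_text: str) -> list:
    """Return one finding per eshop-orders.php request with an out-of-shape watched parameter."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_order_request(rec["target"]):
            continue
        hits = suspicious_params(rec["target"])
        if hits:
            findings.append({"ip": rec["ip"], "time": rec["time"],
                             "status": rec["status"], "params": hits})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} params={f['params']}")
```

Two caveats when running this against real logs: access logs only show query-string parameters, so values submitted in POST bodies need application-level or WAF logging to be reviewed at all, and the access log does not carry the WordPress user name, so each flagged request still has to be tied back to an account (for example via the login session active from that source address at that time) before the credential-rotation step is applied.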

Evidence notes

This debrief is based only on the supplied CVE summary and official record fields. The source corpus states multiple SQL injection vulnerabilities in eshop-orders.php in eShop plugin 6.3.14 for WordPress, with parameters delid, view, mark, and change. The NVD metadata includes CWE-89, the affected CPE for elfden:eshop_plugin:6.3.14 on WordPress, and the CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Timeline context uses the supplied CVE published date of 2017-01-23 and modified date of 2026-05-13.

Official resources

Publicly disclosed in the CVE record on 2017-01-23. The supplied references indicate earlier third-party advisory activity in 2016.