MEDIUM
xylus
CVE published 2026-07-16
CVE-2026-15727
The WP Bulk Delete plugin for WordPress is vulnerable to SQL injection via the 'delete_user_roles' parameter in versions up to and including 1.4.2. The vulnerability arises from insufficient escaping of user-supplied parameters and lack of preparation on existing SQL queries. This allows authenticated attackers with administrator-level access to append additional SQL queries, potentially extracting sensit [truncated]