PatchSiren cyber security CVE debrief
CVE-2026-15727 xylus CVE debrief
The WP Bulk Delete plugin for WordPress is vulnerable to SQL injection via the 'delete_user_roles' parameter in versions up to and including 1.4.2. The vulnerability arises from insufficient escaping of user-supplied parameters and lack of preparation on existing SQL queries. This allows authenticated attackers with administrator-level access to append additional SQL queries, potentially extracting sensitive database information.
- Vendor
- xylus
- Product
- WP Bulk Delete
- CVSS
- MEDIUM 4.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Administrators and users of WordPress sites with the WP Bulk Delete plugin installed, especially those with administrator-level access, should be aware of this vulnerability and take immediate action to protect their sites.
Technical summary
The WP Bulk Delete plugin for WordPress is vulnerable to generic SQL Injection via the 'delete_user_roles' parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. wp_unslash() is applied to the raw POST body before parse_str() decomposes it, stripping WordPress magic-quotes protection and leaving attacker-controlled values fully unescaped prior to reaching the SQL sink.
Defensive priority
High priority for immediate patching or mitigation
Recommended defensive actions
- Apply the latest patch (version 1.4.3 or higher) for the WP Bulk Delete plugin.
- Restrict access to the WP Bulk Delete plugin to only necessary personnel.
- Monitor database activity for suspicious queries.
- Consider using a Web Application Firewall (WAF) to detect and prevent SQL injection attacks.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-16T09:16:18.510Z and has not been modified since then. The NVD entry is currently being reviewed. Administrators and users of WordPress sites with the WP Bulk Delete plugin installed, especially those with administrator-level access, should verify their plugin versions and update to 1.4.3 or higher if necessary. Evidence is limited to public sources and may not reflect the full scope of affected systems or potential impacts.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T09:16:18.510Z and has not been modified since then.