Impact
The vulnerability is an SQL injection flaw (CWE‑89) in the uid parameter handled by the BBS e‑Franchise WordPress plugin. Because the parameter is incorporated into a database query without proper sanitisation or parameter binding, an unauthenticated attacker can inject arbitrary SQL and read sensitive data, such as user records and taxonomy terms, from the WordPress database.
Affected Systems
The affected product is the bbsetheme BBS e‑Franchise plugin for WordPress; the current release, version 1.1.1, is affected. Any WordPress site that renders this plugin’s shortcode on a publicly accessible page is at risk, since that is what exposes the vulnerable uid parameter to unauthenticated visitors.
Risk and Exploitability
With a CVSS score of 8.8, the vulnerability is rated high severity and is exploitable without authentication. The EPSS score of less than 1% indicates a low predicted probability of exploitation in the wild, and the flaw is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Note that EPSS and KEV reflect observed or predicted exploitation activity, not ease of exploitation, so the low EPSS does not contradict the high CVSS rating. An attacker can send a request whose uid parameter carries a UNION‑based injection payload and thereby run attacker‑chosen SQL queries against the database without any prior credentials. Until a fixed release is available, removing the shortcode from publicly accessible pages removes the unauthenticated attack surface.
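The following is an added illustration of the injection pattern described above, not code from the BBS e‑Franchise plugin or from OpenCVE. It models a hypothetical shortcode handler that interpolates uid straight into a query, shows how a UNION‑based payload in that parameter reads user records and taxonomy terms from the core WordPress tables, and contrasts it with the hardened form (integer coercion plus a bound parameter, the equivalent of $wpdb->prepare with %d in a real plugin). The franchise_profiles table, its columns, and all row data are constructed for the example; the real plugin's query shape is not published on this page.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory stand-in for a WordPress database.

    wp_users and wp_terms mirror the core tables the advisory says can be read;
    franchise_profiles and its columns are an assumption for the demo only.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE wp_terms (term_id INTEGER PRIMARY KEY, name TEXT, slug TEXT);
        CREATE TABLE franchise_profiles (id INTEGER PRIMARY KEY, uid INTEGER,
                                         display_name TEXT, city TEXT);
        INSERT INTO wp_users VALUES (1, 'admin',  '$P$Bconstructed-hash-admin');
        INSERT INTO wp_users VALUES (2, 'editor', '$P$Bconstructed-hash-editor');
        INSERT INTO wp_terms VALUES (1, 'Franchise News', 'franchise-news');
        INSERT INTO wp_terms VALUES (2, 'Locations', 'locations');
        INSERT INTO franchise_profiles VALUES (1, 1, 'Alpha Franchise', 'Boston');
        INSERT INTO franchise_profiles VALUES (2, 2, 'Beta Franchise', 'Denver');
    """)
    return conn


def profile_vulnerable(conn, uid):
    """Hypothetical vulnerable handler: uid is interpolated directly into the
    SQL text, which is the CWE-89 pattern the advisory describes."""
    sql = f"SELECT display_name, city FROM franchise_profiles WHERE uid = {uid}"
    return conn.execute(sql).fetchall()


def absint(value):
    """Python analogue of WordPress absint(): leading integer of the input,
    made non-negative, or 0 when there is no leading integer at all."""
    m = re.match(r"\s*[-+]?\d+", str(value))
    return abs(int(m.group())) if m else 0


def profile_fixed(conn, uid):
    """Hardened form: coerce uid to an integer and bind it as a parameter,
    so the value can never change the structure of the query."""
    sql = "SELECT display_name, city FROM franchise_profiles WHERE uid = ?"
    return conn.execute(sql, (absint(uid),)).fetchall()


# UNION-based payloads of the kind the advisory describes. The appended SELECT
# must match the original column count (two here); uid = 0 matches no profile,
# so only the attacker-chosen rows come back.
USERS_PAYLOAD = "0 UNION SELECT user_login, user_pass FROM wp_users"
TERMS_PAYLOAD = "0 UNION SELECT name, slug FROM wp_terms"


def demo():
    """Run the legitimate request and both payloads against each handler."""
    conn = build_db()
    return {
        "normal": profile_vulnerable(conn, "1"),
        "leaked_users": sorted(profile_vulnerable(conn, USERS_PAYLOAD)),
        "leaked_terms": sorted(profile_vulnerable(conn, TERMS_PAYLOAD)),
        "fixed_normal": profile_fixed(conn, "1"),
        "fixed_attack": profile_fixed(conn, USERS_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the vulnerable handler the users payload returns every login and password hash and the terms payload returns every taxonomy term, while the hardened handler reduces the same payload to uid = 0 and returns nothing. The two-column constraint is why an attacker first probes the column count (for example with ORDER BY or NULL placeholders) before a UNION payload succeeds.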
OpenCVE Enrichment