Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Broken Link Checker broken-link-checker allows Blind SQL Injection.This issue affects Broken Link Checker: from n/a through <= 2.4.7.
Published: 2026-04-08
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of special elements in SQL commands, which permits blind SQL injection. An attacker can send crafted requests that result in the plugin executing unintended database queries. This could allow the attacker to read, modify, or delete site data, compromising confidentiality, integrity, and potentially availability of the application. The weakness matches CWE‑89.

Affected Systems

The flaw affects the Broken Link Checker plugin for WordPress, distributed by WPMU DEV under the Your All‑in‑One WordPress Platform brand. Versions from the earliest release through 2.4.7 are vulnerable.

Risk and Exploitability

The CVSS base score of 7.6 indicates high severity, while the EPSS score of less than 1 % suggests the exploit is not yet widely used. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through HTTP requests to the plugin’s endpoints, meaning an unauthenticated remote attacker could trigger the injection if the site is publicly accessible. Given the sensitivity of database operations, the risk to systems is significant if the plugin remains active.

Generated by OpenCVE AI on April 13, 2026 at 18:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Broken Link Checker plugin to the latest available version, which contains the fix for the SQL injection flaw.
  • If an updated version is not yet released, disable or uninstall the plugin to eliminate the attack surface until a patch is available.

Generated by OpenCVE AI on April 13, 2026 at 18:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpmu Dev - Your All-in-one Wordpress Platform
Wpmu Dev - Your All-in-one Wordpress Platform broken Link Checker
Vendors & Products Wordpress
Wordpress wordpress
Wpmu Dev - Your All-in-one Wordpress Platform
Wpmu Dev - Your All-in-one Wordpress Platform broken Link Checker

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Broken Link Checker broken-link-checker allows Blind SQL Injection.This issue affects Broken Link Checker: from n/a through <= 2.4.7.
Title WordPress Broken Link Checker plugin <= 2.4.7 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Wordpress Wordpress
Wpmu Dev - Your All-in-one Wordpress Platform Broken Link Checker
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-13T16:50:41.598Z

Reserved: 2026-04-07T10:41:57.169Z

Link: CVE-2026-39466

cve-icon Vulnrichment

Updated: 2026-04-13T16:46:38.494Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:21.830

Modified: 2026-04-24T18:08:35.440

Link: CVE-2026-39466

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:40:11Z

Weaknesses