Skip to main content

WP Bulk Delete EUVDEUVD-2026-44900

| CVE-2026-15727 MEDIUM
SQL Injection (CWE-89)
2026-07-16 Wordfence GHSA-g6hr-2vmc-344h
4.9
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.9 MEDIUM

Administrator credentials required (PR:H); AJAX endpoint is network-reachable with no complexity (AV:N, AC:L); read-only SQL injection yields high confidentiality but zero integrity or availability impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 09:09 vuln.today
CVE Published
Jul 16, 2026 - 08:26 cve.org
MEDIUM 4.9

DescriptionCVE.org

The WP Bulk Delete plugin for WordPress is vulnerable to generic SQL Injection via the 'delete_user_roles' parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. wp_unslash() is applied to the raw POST body before parse_str() decomposes it, stripping WordPress magic-quotes protection and leaving attacker-controlled values fully unescaped prior to reaching the SQL sink.

AnalysisAI

SQL injection in the WP Bulk Delete WordPress plugin (all versions up to and including 1.4.2) allows authenticated attackers holding administrator-level privileges to append arbitrary SQL to existing queries via the delete_user_roles POST parameter, enabling full database read access. The root cause is a code-level stripping of WordPress's built-in magic-quotes protection: wp_unslash() is called on the raw POST body before parse_str() decomposes it, leaving attacker-controlled values fully unescaped when they reach the SQL sink in class-delete-api.php. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress administrator credentials
Delivery
Authenticate to target WordPress site
Exploit
Send crafted POST request to AJAX delete handler
Execution
Inject SQL payload via delete_user_roles parameter
Persist
Bypass magic-quote protection via wp_unslash pre-processing
Impact
Extract sensitive data from WordPress database

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with administrator-level (or higher) role assignment, consistent with the PR:H CVSS metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS score of 4.9 (Medium) and vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N accurately reflects the bounded real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or already possesses WordPress administrator credentials authenticates to the target site and submits a crafted POST request to the plugin's AJAX handler with a manipulated delete_user_roles value containing injected SQL - for example, a UNION-based payload designed to retrieve wp_users password hashes or option table secret keys. Because wp_unslash() has already removed magic-quote escaping before parse_str() processes the body, the injected SQL reaches the class-delete-api.php sink unmodified and executes against the WordPress database, returning attacker-chosen data in the response. …
Remediation Update WP Bulk Delete to a release version that incorporates the upstream fix committed to plugin trunk in SVN changeset 3608270 (https://plugins.trac.wordpress.org/changeset/3608270/wp-bulk-delete/trunk/includes/class-delete-api.php); no specific patched release version number has been independently confirmed from the available data, so monitor the WordPress plugin repository for a release beyond 1.4.2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44900 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy