Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Administrator credentials required (PR:H); AJAX endpoint is network-reachable with no complexity (AV:N, AC:L); read-only SQL injection yields high confidentiality but zero integrity or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WP Bulk Delete plugin for WordPress is vulnerable to generic SQL Injection via the 'delete_user_roles' parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. wp_unslash() is applied to the raw POST body before parse_str() decomposes it, stripping WordPress magic-quotes protection and leaving attacker-controlled values fully unescaped prior to reaching the SQL sink.
AnalysisAI
SQL injection in the WP Bulk Delete WordPress plugin (all versions up to and including 1.4.2) allows authenticated attackers holding administrator-level privileges to append arbitrary SQL to existing queries via the delete_user_roles POST parameter, enabling full database read access. The root cause is a code-level stripping of WordPress's built-in magic-quotes protection: wp_unslash() is called on the raw POST body before parse_str() decomposes it, leaving attacker-controlled values fully unescaped when they reach the SQL sink in class-delete-api.php. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with administrator-level (or higher) role assignment, consistent with the PR:H CVSS metric. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS score of 4.9 (Medium) and vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N accurately reflects the bounded real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or already possesses WordPress administrator credentials authenticates to the target site and submits a crafted POST request to the plugin's AJAX handler with a manipulated delete_user_roles value containing injected SQL - for example, a UNION-based payload designed to retrieve wp_users password hashes or option table secret keys. Because wp_unslash() has already removed magic-quote escaping before parse_str() processes the body, the injected SQL reaches the class-delete-api.php sink unmodified and executes against the WordPress database, returning attacker-chosen data in the response. … |
| Remediation | Update WP Bulk Delete to a release version that incorporates the upstream fix committed to plugin trunk in SVN changeset 3608270 (https://plugins.trac.wordpress.org/changeset/3608270/wp-bulk-delete/trunk/includes/class-delete-api.php); no specific patched release version number has been independently confirmed from the available data, so monitor the WordPress plugin repository for a release beyond 1.4.2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44900
GHSA-g6hr-2vmc-344h