{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39466", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:41:57.169Z", "datePublished": "2026-04-08T08:30:07.229Z", "dateUpdated": "2026-04-08T08:30:07.229Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "broken-link-checker", "product": "Broken Link Checker", "vendor": "WPMU DEV - Your All-in-One WordPress Platform", "versions": [{"changes": [{"at": "2.4.8", "status": "unaffected"}], "lessThanOrEqual": "2.4.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:51.218Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Broken Link Checker broken-link-checker allows Blind SQL Injection.<p>This issue affects Broken Link Checker: from n/a through <= 2.4.7.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Broken Link Checker broken-link-checker allows Blind SQL Injection.This issue affects Broken Link Checker: from n/a through <= 2.4.7."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:07.229Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/broken-link-checker/vulnerability/wordpress-broken-link-checker-plugin-2-4-7-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Broken Link Checker plugin <= 2.4.7 - SQL Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Broken Link Checker broken-link-checker allows Blind SQL Injection.This issue affects Broken Link Checker: from n/a through <= 2.4.7."}], "id": "CVE-2026-39466", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:21.830", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/broken-link-checker/vulnerability/wordpress-broken-link-checker-plugin-2-4-7-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.7]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.4.8,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "broken_link_checker", "vendor": "wpmu_dev_-_your_all-in-one_wordpress_platform"}], "analysis": {"en": {"generated_at": "2026-04-08T09:28:08.386024+00:00", "value": {"mitigation_remediation": ["Upgrade the Broken Link Checker plugin to a version newer than 2.4.7, preferably to the latest stable release."], "summary": {"action": "Immediate Patch", "impact": "Database Compromise"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress Broken Link Checker plugin, made available by WPMU DEV \u2013 Your All-in-One WordPress Platform. All releases up to and including version 2.4.7, and any versions preceding 2.4.7 as described by the vendor, are susceptible.", "description_and_impact": "This vulnerability is a classic SQL injection flaw, allowing attackers to embed arbitrary SQL code into the WordPress Broken Link Checker plugin\u2019s queries. As a result an attacker could retrieve, modify, or delete data from the site\u2019s database, potentially exposing sensitive user information or compromising the entire site\u2019s integrity. The weakness is identified as CWE-89, indicating that user input is improperly sanitized before inclusion in a database query.", "risk_and_exploitability": "The lack of a public CVSS score or EPSS value means the quantifiable severity cannot be expressed, but the nature of the flaw \u2013 blind SQL injection \u2013 suggests a high potential impact if exploited. The attack vector is inferred to be via the plugin\u2019s HTTP request handling, as the plugin interacts with external URLs to verify links. No publicly known exploit exploits have been reported, nor is the vulnerability listed in CISA\u2019s KEV catalog, indicating that while the risk exists, the likelihood of exploitation may currently be moderate. Nonetheless, web administrators should treat it as a serious threat that could lead to database compromise."}}}}, "created": "2026-04-08T19:43:23.923444+00:00", "updated": "2026-04-09T08:22:17.854100+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpmu_dev_-_your_all-in-one_wordpress_platform", "wpmu_dev_-_your_all-in-one_wordpress_platform$PRODUCT$broken_link_checker"]}