PT-2026-60446 · WordPress · Wp Bulk Delete

·

CVE-2026-15727

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v3.1

4.9

Medium

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions WP Bulk Delete versions prior to 1.4.3
Description An issue exists where authenticated attackers with administrator-level access and above can perform SQL Injection. This occurs because the delete user roles parameter is not sufficiently escaped and the SQL query is not properly prepared. The process involves applying wp unslash() to the raw POST body before parse str() decomposes it, which removes WordPress magic-quotes protection and allows unescaped values to reach the SQL sink. This can be used to extract sensitive information from the database.
Recommendations Update WP Bulk Delete to version 1.4.3 or later. As a temporary mitigation, restrict access to the delete user roles parameter.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15727

Affected Products

Wp Bulk Delete