CVE-2026-39466
Blind SQL Injection in WPMU DEV Broken Link Checker
Publication date: 2026-04-08
Last updated on: 2026-04-13
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpmu_dev | broken_link_checker | to 2.4.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39466 is an SQL Injection vulnerability found in the WordPress Broken Link Checker plugin versions up to and including 2.4.7.
This vulnerability allows a malicious user with Editor or Developer privileges to execute unauthorized SQL commands on the website's database without proper neutralization of special elements in the SQL command.
It is classified under the OWASP Top 10 category A3: Injection and has a CVSS severity score of 7.6, indicating a moderate risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL Injection vulnerability in the Broken Link Checker plugin allows attackers with Editor or Developer privileges to interact directly with the website's database, potentially leading to data theft or manipulation.
Such unauthorized access and potential data breaches can impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and ensuring data integrity.
Failure to patch this vulnerability could result in violations of these standards due to compromised data security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the WordPress Broken Link Checker Plugin versions up to and including 2.4.7 and allows SQL Injection by users with Editor or Developer privileges.
To detect if your system is vulnerable, first check the installed version of the Broken Link Checker plugin. If it is version 2.4.7 or earlier, it is vulnerable.
You can check the plugin version on your WordPress site by running the following command in the WordPress root directory:
- wp plugin list --status=active | grep broken-link-checker
If the version is vulnerable, it is recommended to update the plugin to version 2.4.8 or later.
For network detection, monitoring unusual database queries or suspicious activity from users with Editor or Developer privileges may help identify exploitation attempts, but no specific detection commands are provided.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with Editor or Developer privileges to interact directly with the website's database.
Potential impacts include theft or manipulation of data stored in the database.
Although considered low priority and unlikely to be exploited in targeted attacks, it is commonly used in mass-exploit campaigns affecting many websites.
Users are strongly advised to update to version 2.4.8 or later to mitigate this risk.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability in the WordPress Broken Link Checker Plugin versions up to and including 2.4.7 can be mitigated by updating the plugin to version 2.4.8 or later.
Users are strongly advised to apply this update as it patches the SQL Injection vulnerability that allows malicious actors with Editor or Developer privileges to interact with the website's database.
Additionally, using mitigation services such as Patchstack's auto-updates and rapid vulnerability protection can help protect vulnerable plugins.