CVE-2016-20063
Deferred - Pending Action
SQL Injection in Single Personal Message

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulnCheck

Description
Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Attackers can access the admin interface and supply crafted SQL statements in the message parameter to extract sensitive database information including user credentials and site configuration data.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: mdshamim_shahnewaz
Product: single_personal_message
Version / Range: up to 1.0.3 (inclusive)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Quick Actions (instant insights powered by AI)
Executive Summary

The Single Personal Message WordPress plugin version 1.0.3 contains an SQL injection vulnerability. This flaw allows authenticated users to inject malicious SQL code through the message parameter. By exploiting this, attackers can execute arbitrary SQL queries on the database.

Specifically, attackers can access the admin interface and supply crafted SQL statements to extract sensitive information such as user credentials and site configuration data.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive database information. Attackers can retrieve user credentials and site configuration data, potentially leading to further compromise of the website.

Since the vulnerability allows execution of arbitrary SQL queries, it can be used to manipulate or extract data, disrupt site operations, or escalate privileges within the affected WordPress site.

Detection Guidance

This SQL injection vulnerability in Single Personal Message 1.0.3 can be detected by attempting to access the vulnerable message parameter with crafted SQL queries. Specifically, an authenticated user can test the $_GET['message'] parameter by injecting SQL UNION SELECT statements to see if arbitrary SQL queries are executed.

A practical detection method involves accessing a URL on the WordPress site that includes a crafted SQL injection payload in the message parameter, such as a UNION SELECT statement targeting known database tables like wp_terms.

Example command (using curl) to test for the vulnerability:

  • curl -i "http://targetsite.com/wp-content/plugins/single-personal-message/?message=' UNION SELECT 1,2,3-- "

If the response contains database content or error messages indicating SQL execution, the vulnerability is present.

Compliance Impact

The SQL injection vulnerability in Single Personal Message 1.0.3 allows attackers to extract sensitive database information, including user credentials and site configuration data.

Such unauthorized access to sensitive personal and configuration data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could result in violations of these standards due to potential data exposure and compromise of user privacy.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable plugin by limiting authenticated user permissions, especially preventing untrusted users from accessing the message parameter.

Disabling or removing the Single Personal Message 1.0.3 plugin from the WordPress installation is recommended, as the plugin is known to be vulnerable and was removed from the WordPress Plugin Directory.

Additionally, monitor and audit logs for suspicious SQL injection attempts targeting the message parameter.

Applying web application firewall (WAF) rules to block SQL injection payloads in URL parameters can also help mitigate exploitation.
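As a starting point for the log monitoring recommended above, here is an added example (not code from the advisory or from the plugin) that scans web-server access-log lines and flags requests to the plugin path whose message parameter carries SQL syntax. The plugin path and parameter name are taken from the advisory; the sample log lines, the combined-log-format regex and the indicator patterns are assumptions to be tuned per site.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus
# Plugin path and parameter named in the advisory.
PLUGIN_PATH = "/wp-content/plugins/single-personal-message/"
PARAM = "message"

# Combined log format: client IP ... [timestamp] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Heuristic indicators of SQL syntax in what should be plain message text (assumption: tune per site).
SQLI_RE = re.compile(
    r"(?:'|\")\s*(?:union\b|--|#|/\*)"    # quote breakout followed by SQL syntax
    r"|\bunion\s+(?:all\s+)?select\b"      # UNION SELECT, as in the advisory's test payload
    r"|\b(?:or|and)\s+\d+\s*=\s*\d+",      # tautology such as 1=1
    re.IGNORECASE,
)

def extract_message(target):
    """Return the decoded message value if the request targets the plugin path, else None."""
    parts = urlsplit(target)
    if not parts.path.startswith(PLUGIN_PATH):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM)
    if not values:
        return None
    # Decode twice so a double-encoded payload (%2527 -> %27 -> ') is still inspected.
    return unquote_plus(unquote_plus(values[0]))

def scan_log(lines):
    """Return (ip, status, decoded_message) tuples for requests with SQL syntax in the message parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        msg = extract_message(m.group("target"))
        if msg is not None and SQLI_RE.search(msg):
            findings.append((m.group("ip"), int(m.group("status")), msg))
    return findings

# Constructed sample lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jun/2026:10:00:01 +0000] "GET /wp-content/plugins/single-personal-message/?message=hello%20world HTTP/1.1" 200 512',
    '203.0.113.9 - - [09/Jun/2026:10:00:07 +0000] "GET /wp-content/plugins/single-personal-message/?message=%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 2048',
    '198.51.100.2 - - [09/Jun/2026:10:00:09 +0000] "GET /?s=%27%20UNION%20SELECT%201-- HTTP/1.1" 200 900',
    '203.0.113.9 - - [09/Jun/2026:10:00:12 +0000] "GET /wp-content/plugins/single-personal-message/?message=%2527%2520UNION%2520SELECT%25201-- HTTP/1.1" 403 150',
]
for ip, status, msg in scan_log(SAMPLE_LOG):
    print(f"{ip} status={status} message={msg!r}")
```

A 403 hit still matters: a blocked request shows who is probing the parameter even when a WAF rule already stops the payload.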
