CVE-2016-20063

HIGH

Single Personal Message 1.0.3 WordPress Plugin SQL Injection

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20063. PoCs published by Lenon Leite.

AI-analyzed exploit summary The exploit demonstrates a SQL injection vulnerability in the 'Simple Personal Message' WordPress plugin (v1.0.3) via the 'message' GET parameter, accessible to registered users. The PoC provides a crafted URL to extract data from the 'wp_terms' table.

Description

Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Attackers can access the admin interface and supply crafted SQL statements in the message parameter to extract sensitive database information including user credentials and site configuration data.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Lenon Leite · textwebappsphp

https://www.exploit-db.com/exploits/40870

View Code ZIP pw:eip

The exploit demonstrates a SQL injection vulnerability in the 'Simple Personal Message' WordPress plugin (v1.0.3) via the 'message' GET parameter, accessible to registered users. The PoC provides a crafted URL to extract data from the 'wp_terms' table.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Simple Personal Message WordPress Plugin 1.0.3

Auth required

Prerequisites: Registered user account on the target WordPress site

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Jun 09, 2026 Full analysis →

References (5)

Core 5

Core References

Exploit exploit

ExploitDB-40870

https://www.exploit-db.com/exploits/40870

Product product

Official Product Homepage

https://wordpress.org/plugins/simple-personal-message/

Product product

Official Product Homepage

http://lenonleite.com.br/

Third Party Advisory third-party-advisory

Reference

http://target/wp-admin/admin.php?page=simple-personal-message-outbox&action=view&message=0%20UNION%20SELECT%201,2.3,name,5,slug,7,8,9,10,11,12%20FROM%20wp_terms%20WHERE%20term_id=1

Third Party Advisory third-party-advisory

VulnCheck Advisory: Single Personal Message 1.0.3 WordPress Plugin SQL Injection

https://www.vulncheck.com/advisories/single-personal-message-wordpress-plugin-sql-injection

Scores

CVSS v3 7.1

EPSS 0.0022

EPSS Percentile 12.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

Md. Shamim Shahnewaz/Single Personal Message 1.0.3

Published Jun 09, 2026

Tracked Since Jun 09, 2026