Security Alert Summary
A Blind SQL Injection vulnerability has been reported in WPMU DEV – Your All-in-One WordPress Platform Broken Link Checker (broken-link-checker). The issue allows SQL injection against the plugin and affects versions through 2.4.7. Site owners should review whether they use the affected plugin and follow recommended mitigation steps.
CVE Details
- CVE ID: CVE-2026-39466
- Affected component: WPMU DEV – Your All-in-One WordPress Platform Broken Link Checker (broken-link-checker)
- Affected versions: all releases through 2.4.7 (no lower bound is given in the CVE record)
- Published: April 8, 2026 at 9:16:21 AM
- Last modified: April 8, 2026 at 9:16:21 AM
- CVSS v3.1 base score / severity / vector: Not provided in the CVE record
- Authentication / privileges / user interaction: Not specified in the CVE record
- Primary impact: Confidentiality – potential unauthorized retrieval of database data via SQL injection. Integrity and Availability: not specified in this CVE.
- Weakness: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
Technical Details
The vulnerability is described as an SQL Injection (Blind SQL Injection) in the Broken Link Checker plugin. In this class of vulnerability, input that is used to build SQL commands is not properly neutralized, allowing an attacker to inject SQL fragments. The CVE indicates the plugin allows blind SQL injection but does not name specific functions, REST API endpoints, or code paths.
Because the report specifies blind SQL injection, an attacker who can supply crafted input may be able to infer database content through boolean or timing-based techniques. The CVE does not provide details about required attacker privileges, the exact vectors used, or whether additional checks (such as capability checks or prepared statements) are missing in specific functions.
How This Could Impact Your Website
In a typical WordPress setup, multiple people interact with the site: the site owner, internal staff who publish or manage content, and external contractors or contributors. If an attacker can exploit a blind SQL injection in a plugin, they may be able to retrieve information stored in the site’s database that they are not authorized to see. Realistic consequences include exposure of user data such as internal user email addresses, which can increase the risk of targeted phishing or social engineering campaigns against staff or contractors.
For example, an external contractor with limited upload or input capabilities could supply data that is processed by the vulnerable plugin, allowing an attacker to extract records over multiple interactions without directly modifying the site. The CVE does not claim full site compromise or remote code execution; impacts are limited to what blind SQL injection can expose or infer from the database.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and other low-privilege accounts that can supply input to plugins.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior that could indicate exploitation attempts.
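Blind SQL injection probes of the kind described under Technical Details (boolean conditions, time-delay functions) leave traces in web server access logs, which the last action above asks you to monitor. As an added example (not part of this advisory and not tied to the plugin's real code paths, which the CVE does not name), the following Python script scans constructed access-log lines and groups flagged requests by client IP; the log format, the `action=demo` parameter and the 3-second latency threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the advisory): client_ip "METHOD path" status response_ms
SAMPLE_LOG = """\
203.0.113.5 "GET /wp-admin/admin-ajax.php?action=demo&id=12" 200 41
203.0.113.5 "GET /wp-admin/admin-ajax.php?action=demo&id=12%27%20AND%20SLEEP(5)--%20-" 200 5043
203.0.113.5 "GET /wp-admin/admin-ajax.php?action=demo&id=12%20AND%201%3D1" 200 38
203.0.113.5 "GET /wp-admin/admin-ajax.php?action=demo&id=12%20AND%201%3D2" 200 37
198.51.100.7 "GET /?s=broken%20link%20checker" 200 35
"""
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) (\d+)$')
# Time-based blind SQLi turns a true/false answer into a database delay.
TIME_FUNC_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I)
# Boolean-based blind SQLi appends a condition and compares the two responses.
BOOL_COND_RE = re.compile(r'''\b(?:and|or)\s+['"]?\w+['"]?\s*=\s*['"]?\w+['"]?''', re.I)
SLOW_MS = 3000  # assumed latency threshold; tune to the site's normal response times

def parse_line(line):
    """Return (ip, method, decoded_path, status, ms), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m[1], m[2], unquote_plus(m[3]), int(m[4]), int(m[5])

def indicators(decoded_path, ms):
    """List the blind-SQLi indicators present in one request (empty list if none)."""
    found = []
    if TIME_FUNC_RE.search(decoded_path):
        found.append("time_function")
    if BOOL_COND_RE.search(decoded_path):
        found.append("boolean_condition")
    if ms >= SLOW_MS:
        found.append("slow_response")
    return found

def analyze(log_text):
    """Group flagged requests by client IP: {ip: [(decoded_path, indicators), ...]}."""
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _method, path, _status, ms = parsed
        hits = indicators(path, ms)
        if hits:
            flagged[ip].append((path, hits))
    return dict(flagged)
```

A single slow response or a lone `AND 1=1` can be noise; repeated hits from one client, especially a true/false pair sent back to back, are what merit investigation.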
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.