Search Results (19590 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-57662 2 Wasiliy Strecker, Wordpress 2 Contest Gallery, Wordpress 2026-06-26 8.5 High
Contributor SQL Injection in Contest Gallery <= 30.0.0 versions.
CVE-2026-54831 2 Paolo, Wordpress 2 Geodirectory, Wordpress 2026-06-26 9.3 Critical
Unauthenticated SQL Injection in GeoDirectory <= 2.8.162 versions.
CVE-2026-54827 2026-06-26 9.3 Critical
Unauthenticated SQL Injection in Real Estate 7 <= 3.5.9 versions.
CVE-2026-56062 2026-06-26 9.3 Critical
Unauthenticated SQL Injection in Quotes llama <= 3.1.5 versions.
CVE-2026-56070 2 Themehunk, Wordpress 2 Advance Product Search, Wordpress 2026-06-26 9.3 Critical
Unauthenticated SQL Injection in Advance Product Search <= 1.4.4 versions.
CVE-2026-10835 2026-06-26 7.7 High
The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks.
CVE-2026-39951 1 Cacti 1 Cacti 2026-06-26 7.6 High
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a Stored SQL Injection vulnerability through graph_name_regexp in the Reports feature. This issue has been fixed in version 1.2.31.
CVE-2026-37149 1 Anirudhkannanvp 1 Grocery Store Management System 2026-06-26 7.7 High
GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0 was discovered to contain a SQL injection vulnerability in the scost parameter in /grocery/search_products.php. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.
CVE-2026-57663 2026-06-26 8.5 High
Contributor SQL Injection in Recipe Maker For Your Food Blog from Zip Recipes <= 8.2.7 versions.
CVE-2026-54820 2026-06-26 9.3 Critical
Unauthenticated SQL Injection in JetBooking <= 4.0.4.1 versions.
CVE-2026-56036 2026-06-26 9.3 Critical
Unauthenticated SQL Injection in 워드프레스 결제 심플페이 <= 5.5.6 versions.
CVE-2026-57644 2026-06-26 8.5 High
Contributor SQL Injection in Restaurant Menu by MotoPress <= 2.4.10 versions.
CVE-2026-56067 2026-06-26 9.3 Critical
Unauthenticated SQL Injection in JetSmartFilters <= 3.8.3 versions.
CVE-2026-57628 2026-06-26 7.6 High
Administrator SQL Injection in WP All Import <= 4.0.1 versions.
CVE-2026-13226 2 Trainingbusinesspros, Wordpress 2 Groundhogg — Crm, Newsletters, And Marketing Automation, Wordpress 2026-06-26 6.5 Medium
The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler wp_ajax_groundhogg_get_contacts_table has its capability check commented out and performs no nonce verification, meaning any authenticated user regardless of role can reach the vulnerable code path.
CVE-2026-57667 2026-06-26 8.5 High
Sales Representative SQL Injection in Groundhogg <= 4.5 versions.
CVE-2026-56068 2026-06-26 9.3 Critical
Unauthenticated SQL Injection in JetEngine <= 3.8.10.2 versions.
CVE-2026-56034 2026-06-26 9.3 Critical
Unauthenticated SQL Injection in Library Management System <= 3.5.7 versions.
CVE-2016-20069 2 Dwbooster, Wordpress 2 Booking Calendar Contact Form, Wordpress 2026-06-26 8.2 High
WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information.
CVE-2016-20068 2 Dwbooster, Wordpress 2 Booking Calendar Contact Form, Wordpress 2026-06-26 8.2 High
WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint with the action parameter set to 'dex_bccf_calendar_ajaxevent' and supply crafted SQL commands in the 'id' parameter to extract sensitive database information.