Total
14188 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24669 | 1 Feataholic | 1 Maz Loader | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| The MAZ Loader – Preloader Builder for WordPress plugin before 1.3.3 does not validate or escape the loader_id parameter of the mzldr shortcode, which allows users with a role as low as Contributor to perform SQL injection. | |||||
| CVE-2021-24575 | 1 Igexsolutions | 1 Wpschoolpress | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| The School Management System – WPSchoolPress WordPress plugin before 2.1.10 does not properly sanitize or use prepared statements before using POST variable in SQL queries, leading to SQL injection in multiple actions available to various authenticated users, from simple subscribers/students to teachers and above. | |||||
| CVE-2021-24396 | 1 Bestiaweb | 1 Gseor | 2023-11-07 | 6.5 MEDIUM | 7.2 HIGH |
| A pageid GET parameter of the GSEOR – WordPress SEO Plugin WordPress plugin through 1.3 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2021-27644 | 1 Apache | 1 Dolphinscheduler | 2023-11-07 | 6.0 MEDIUM | 8.8 HIGH |
| In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password) | |||||
| CVE-2021-24554 | 1 Freelancetoindia | 1 Paytm-pay | 2023-11-07 | 6.5 MEDIUM | 7.2 HIGH |
| The Paytm – Donation Plugin WordPress plugin through 1.3.2 does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenticated SQL injection issue | |||||
| CVE-2021-24390 | 1 Alipay Project | 1 Alipay | 2023-11-07 | 6.5 MEDIUM | 7.2 HIGH |
| A proid GET parameter of the WordPress???Alipay|???Tenpay|??PayPal???? WordPress plugin through 3.7.2 is not sanitised, properly escaped or validated before inserting to a SQL statement not delimited by quotes, leading to SQL injection. | |||||
| CVE-2021-24462 | 1 Ays-pro | 1 Photo Gallery | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| The get_gallery_categories() and get_galleries() functions in the Photo Gallery by Ays – Responsive Image Gallery WordPress plugin before 4.4.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | |||||
| CVE-2021-24521 | 1 Wow-estore | 1 Side Menu | 2023-11-07 | 6.5 MEDIUM | 7.2 HIGH |
| The Side Menu Lite – add sticky fixed buttons WordPress plugin before 2.2.1 does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack. | |||||
| CVE-2021-24731 | 1 Genetechsolutions | 1 Pie Register | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection. | |||||
| CVE-2021-24348 | 1 Wow-estore | 1 Side Menu | 2023-11-07 | 6.5 MEDIUM | 7.2 HIGH |
| The menu delete functionality of the Side Menu – add fixed side buttons WordPress plugin before 3.1.5, available to Administrator users takes the did GET parameter and uses it into an SQL statement without proper sanitisation, validation or escaping, therefore leading to a SQL Injection issue | |||||
| CVE-2021-25023 | 1 Optimocha | 1 Speed Booster Pack | 2023-11-07 | 6.5 MEDIUM | 7.2 HIGH |
| The Speed Booster Pack ? PageSpeed Optimization Suite WordPress plugin before 4.3.3.1 does not escape the sbp_convert_table_name parameter before using it in a SQL statement to convert the related table, leading to an SQL injection | |||||
| CVE-2021-24460 | 1 Ays-pro | 1 Popup Box | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| The get_fb_likeboxes() function in the Popup Like box – Page Plugin WordPress plugin before 3.5.3 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | |||||
| CVE-2021-24741 | 1 Schiocco | 1 Support Board - Chat And Help Desk | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users. | |||||
| CVE-2021-24221 | 1 Expresstech | 1 Quiz And Survey Master | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the result_id GET parameter on pages with the [qsm_result] shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to use this shortcode in post or pages being author, such user could gain unauthorised access to the DBMS. If the shortcode (without the id attribute) is embed on a public page or post, then unauthenticated users could exploit the injection. | |||||
| CVE-2021-24847 | 1 Wp-buy | 1 Seo Redirection-301 Redirect Manager | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| The importFromRedirection AJAX action of the SEO Redirection Plugin – 301 Redirect Manager WordPress plugin before 8.2, available to any authenticated user, does not properly sanitise the offset parameter before using it in a SQL statement, leading an SQL injection when the redirection plugin is also installed | |||||
| CVE-2021-24835 | 1 Wclovers | 1 Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible WordPress plugin before 6.5.12, when used in combination with another WCFM - WooCommerce Multivendor plugin such as WCFM - WooCommerce Multivendor Marketplace, does not escape the withdrawal_vendor parameter before using it in a SQL statement, allowing low privilege users such as Subscribers to perform SQL injection attacks | |||||
| CVE-2021-23214 | 3 Fedoraproject, Postgresql, Redhat | 6 Fedora, Postgresql, Enterprise Linux and 3 more | 2023-11-07 | 5.1 MEDIUM | 8.1 HIGH |
| When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. | |||||
| CVE-2021-21024 | 1 Magento | 1 Magento | 2023-11-07 | 6.5 MEDIUM | N/A |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a blind SQL injection vulnerability in the Search module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation. | |||||
| CVE-2021-1363 | 1 Cisco | 1 Unified Communications Manager Im And Presence Service | 2023-11-07 | 5.5 MEDIUM | 8.1 HIGH |
| Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. These vulnerabilities are due to improper validation of user-submitted parameters. An attacker could exploit these vulnerabilities by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain data or modify data that is stored in the underlying database. | |||||
| CVE-2021-1355 | 1 Cisco | 2 Unified Communications Manager, Unified Communications Manager Im And Presence Service | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory. | |||||