Total
14188 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-0412 | 1 Templateinvaders | 1 Ti Woocommerce Wishlist | 2022-03-08 | 7.5 HIGH | 9.8 CRITICAL |
| The TI WooCommerce Wishlist WordPress plugin before 1.40.1, TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks | |||||
| CVE-2022-0411 | 1 Asgaros | 1 Asgaros Forum | 2022-03-08 | 6.5 MEDIUM | 8.8 HIGH |
| The Asgaros Forum WordPress plugin before 2.0.0 does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection | |||||
| CVE-2022-0383 | 1 Ljapps | 1 Wp Review Slider | 2022-03-08 | 6.5 MEDIUM | 7.2 HIGH |
| The WP Review Slider WordPress plugin before 11.0 does not sanitise and escape the pid parameter when copying a Twitter source, which could allow a high privilege users to perform SQL Injections attacks | |||||
| CVE-2022-25096 | 1 Home Owners Collection Management System Project | 1 Home Owners Collection Management System | 2022-03-08 | 7.5 HIGH | 9.8 CRITICAL |
| Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in /members/view_member.php. | |||||
| CVE-2021-24704 | 1 Orange-form Project | 1 Orange-form | 2022-03-07 | 6.8 MEDIUM | 8.8 HIGH |
| In the Orange Form WordPress plugin through 1.0, the process_bulk_action() function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter ($id). Only admin can access the page that invokes the function, but because of lack of CSRF protection, it is actually exploitable and could allow attackers to make a logged in admin delete arbitrary posts for example | |||||
| CVE-2021-24864 | 1 Wpscan | 1 Wp Cloudy | 2022-03-07 | 6.5 MEDIUM | 8.8 HIGH |
| The WP Cloudy, weather plugin WordPress plugin before 4.4.9 does not escape the post_id parameter before using it in a SQL statement in the admin dashboard, leading to a SQL Injection issue | |||||
| CVE-2022-25406 | 1 Tongda2000 | 1 Tongda2000 | 2022-03-03 | 7.5 HIGH | 9.8 CRITICAL |
| Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in delete_query.php via the DELETE_STR parameter. | |||||
| CVE-2022-25405 | 1 Tongda2000 | 1 Tongda2000 | 2022-03-03 | 7.5 HIGH | 9.8 CRITICAL |
| Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in change_box.php via the DELETE_STR parameter. | |||||
| CVE-2022-25404 | 1 Tongda2000 | 1 Tongda2000 | 2022-03-03 | 7.5 HIGH | 9.8 CRITICAL |
| Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in delete.php via the DELETE_STR parameter. | |||||
| CVE-2022-25149 | 1 Veronalabs | 1 Wp Statistics | 2022-03-03 | 5.0 MEDIUM | 7.5 HIGH |
| The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. | |||||
| CVE-2022-25403 | 1 Hospital Management System Project | 1 Hospital Management System | 2022-03-03 | 7.5 HIGH | 9.8 CRITICAL |
| HMS v1.0 was discovered to contain a SQL injection vulnerability via the component admin.php. | |||||
| CVE-2021-44610 | 1 Bloofox | 1 Bloofoxcms | 2022-03-03 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL Injection vulnerabilities exist in bloofoxCMS 0.5.2.1 - 0.5.1 via the (1) URLs, (2) lang_id, (3) tmpl_id, (4) mod_rewrite (5) eta_doctype. (6) meta_charset, (7) default_group, and (8) page group parameters in the settings mode in admin/index.php. | |||||
| CVE-2021-44567 | 1 Rosariosis | 1 Rosariosis | 2022-03-03 | 7.5 HIGH | 9.8 CRITICAL |
| An unauthenticated SQL Injection vulnerability exists in RosarioSIS before 7.6.1 via the votes parameter in ProgramFunctions/PortalPollsNotes.fnc.php. | |||||
| CVE-2022-0651 | 1 Veronalabs | 1 Wp Statistics | 2022-03-03 | 5.0 MEDIUM | 7.5 HIGH |
| The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. | |||||
| CVE-2022-23986 | 1 Phpuploader Project | 1 Phpuploader | 2022-03-02 | 5.0 MEDIUM | 7.5 HIGH |
| SQL injection vulnerability in the phpUploader v1.2 and earlier allows a remote unauthenticated attacker to obtain the information in the database via unspecified vectors. | |||||
| CVE-2022-0255 | 1 Deliciousbrains | 1 Database Backup | 2022-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| The Database Backup for WordPress plugin before 2.5.1 does not properly sanitise and escape the fragment parameter before using it in a SQL statement in the admin dashboard, leading to a SQL injection issue | |||||
| CVE-2022-0228 | 1 Sygnoos | 1 Popup Builder | 2022-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection | |||||
| CVE-2021-4208 | 1 Exportfeed | 1 Exportfeed | 2022-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| The ExportFeed WordPress plugin through 2.0.1.0 does not sanitise and escape the product_id POST parameter before using it in a SQL statement, leading to a SQL injection vulnerability exploitable by high privilege users | |||||
| CVE-2020-8242 | 1 Expressionengine | 1 Expressionengine | 2022-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection. The user needs member creation/admin control panel access to execute the attack. | |||||
| CVE-2021-44302 | 1 Baicloud-cms Project | 1 Baicloud-cms | 2022-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| BaiCloud-cms v2.5.7 was discovered to contain multiple SQL injection vulnerabilities via the tongji and baidu_map parameters in /user/ztconfig.php. | |||||