VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 106 of 512
  • CVE-2026-39493CriJun 15, 2026
    risk 0.53cvss 9.3epss 0.00

    Unauthenticated SQL Injection in Simply Schedule Appointments <= 1.6.9.27 versions.

  • CVE-2026-39441CriJun 15, 2026
    risk 0.53cvss 9.3epss 0.00

    Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free <= 5.3 versions.

  • CVE-2016-20073HigJun 15, 2026
    risk 0.53cvss 8.2epss 0.00

    Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' POST parameter. Attackers can submit crafted SQL statements to the modal.php…

  • CVE-2016-20072HigJun 15, 2026
    risk 0.53cvss 8.2epss 0.00

    BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin's shortcode…

  • CVE-2016-20071HigJun 15, 2026
    risk 0.53cvss 8.2epss 0.00

    The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through unsanitized user input. Attackers can craft GET requests with…

  • CVE-2016-20069HigJun 15, 2026
    risk 0.53cvss 8.2epss 0.00

    WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar…

  • CVE-2016-20068HigJun 15, 2026
    risk 0.53cvss 8.2epss 0.00

    WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the…

  • CVE-2017-20249HigJun 9, 2026
    risk 0.53cvss 8.2epss 0.00

    Apptha Slider Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the albid parameter. Attackers can send GET requests with crafted SQL payloads in the albid parameter to…

  • CVE-2017-20247HigJun 9, 2026
    risk 0.53cvss 8.2epss 0.00

    WordPress Plugin PICA Photo Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid parameter. Attackers can send GET requests with crafted SQL payloads in the aid…

  • CVE-2017-20246HigJun 9, 2026
    risk 0.53cvss 8.2epss 0.00

    KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Attackers can inject SQL code through the 'kc_ad' parameter in base.css.php or kittycatfish.php…

  • CVE-2017-20245HigJun 9, 2026
    risk 0.53cvss 8.2epss 0.00

    Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST parameter. Attackers can send crafted requests to the admin-ajax.php endpoint with…

  • CVE-2017-20244HigJun 9, 2026
    risk 0.53cvss 8.2epss 0.00

    Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Attackers can inject SQL code through the 'mwpformid' parameter in requests to…

  • CVE-2017-20243HigJun 9, 2026
    risk 0.53cvss 8.2epss 0.00

    WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the space_id parameter. Attackers can send GET requests to the…

  • CVE-2016-20065HigJun 9, 2026
    risk 0.53cvss 8.2epss 0.00

    Product Catalog 8 1.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the selectedCategory parameter. Attackers can submit POST requests to the admin-ajax.php…

  • CVE-2016-20062HigJun 9, 2026
    risk 0.53cvss 8.2epss 0.00

    Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST parameter. Attackers can send requests to the admin-ajax.php endpoint with the…

  • CVE-2019-25745HigJun 4, 2026
    risk 0.53cvss 8.2epss 0.00

    WordPress Plugin Google Review Slider 6.1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'tid' parameter. Attackers can send GET requests to the admin interface with…

  • CVE-2019-25732HigJun 4, 2026
    risk 0.53cvss 8.2epss 0.00

    PHP EI-Tube Script 3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Attackers can send GET requests to the search endpoint with crafted SQL payloads in the…

  • CVE-2019-25730HigJun 4, 2026
    risk 0.53cvss 8.2epss 0.00

    Listing Hub CMS 1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to pages.php with crafted id values using error-based SQL…

  • CVE-2019-25728HigJun 4, 2026
    risk 0.53cvss 8.2epss 0.00

    Care2x 2.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by manipulating the ck_config cookie parameter. Attackers can inject malicious SQL through the ck_config cookie in multiple endpoints including…

  • CVE-2019-25726HigJun 4, 2026
    risk 0.53cvss 8.2epss 0.00

    All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send requests to the admin interface with UNION-based SQL injection…