VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 123 of 512
  • CVE-2023-5465HigNov 22, 2023
    risk 0.50cvss 8.8epss 0.01

    The Popup with fancybox plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2023-47637HigNov 15, 2023
    risk 0.50cvss 8.8epss 0.01

    Pimcore is an Open Source Data & Experience Management Platform. In affected versions the `/admin/object/grid-proxy` endpoint calls `getFilterCondition()` on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One…

  • CVE-2022-45373HigNov 6, 2023
    risk 0.50cvss 8.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jason Crouse, VeronaLabs Slimstat Analytics allows SQL Injection.This issue affects Slimstat Analytics: from n/a through 5.0.4.

  • CVE-2023-5464HigOct 31, 2023
    risk 0.50cvss 8.8epss 0.01

    The Jquery accordion slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This…

  • CVE-2023-5439HigOct 31, 2023
    risk 0.50cvss 8.8epss 0.01

    The Wp photo text slider 50 plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes…

  • CVE-2023-5438HigOct 31, 2023
    risk 0.50cvss 8.8epss 0.01

    The wp image slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2023-5437HigOct 31, 2023
    risk 0.50cvss 8.8epss 0.01

    The WP fade in text news plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2023-5436HigOct 31, 2023
    risk 0.50cvss 8.8epss 0.01

    The Vertical marquee plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2023-5435HigOct 31, 2023
    risk 0.50cvss 8.8epss 0.01

    The Up down image slideshow gallery plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.…

  • CVE-2023-5434HigOct 31, 2023
    risk 0.50cvss 8.8epss 0.01

    The Superb slideshow gallery plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 13.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes…

  • CVE-2023-5433HigOct 31, 2023
    risk 0.50cvss 8.8epss 0.01

    The Message ticker plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2023-5431HigOct 31, 2023
    risk 0.50cvss 8.8epss 0.01

    The Left right image slideshow gallery plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.…

  • CVE-2023-5430HigOct 31, 2023
    risk 0.50cvss 8.8epss 0.01

    The Jquery news ticker plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2023-5429HigOct 31, 2023
    risk 0.50cvss 8.8epss 0.01

    The Information Reel plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2023-5428HigOct 31, 2023
    risk 0.50cvss 8.8epss 0.01

    The Image vertical reel scroll slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.…

  • CVE-2023-5412HigOct 31, 2023
    risk 0.50cvss 8.8epss 0.01

    The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 13.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL…

  • CVE-2023-4598HigOct 20, 2023
    risk 0.50cvss 8.8epss 0.01

    The Slimstat Analytics plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2023-5336HigOct 19, 2023
    risk 0.50cvss 8.8epss 0.01

    The iPanorama 360 – WordPress Virtual Tour Builder plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 1.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the…

  • CVE-2023-3677HigAug 31, 2023
    risk 0.50cvss 8.8epss 0.01

    The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to SQL Injection via the pageId parameter in versions up to, and including, 1.2.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. …

  • CVE-2020-24950HigAug 11, 2023
    risk 0.50cvss 8.8epss 0.01

    SQL Injection vulnerability in file Base_module_model.php in Daylight Studio FUEL-CMS version 1.4.9, allows remote attackers to execute arbitrary code via the col parameter to function list_items.