VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 132 of 512
  • CVE-2025-58993HigSep 9, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS tutor allows SQL Injection.This issue affects Tutor LMS: from n/a through <= 3.7.4.

  • CVE-2025-58789HigSep 5, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeisle WP Full Stripe Free wp-full-stripe-free allows SQL Injection.This issue affects WP Full Stripe Free: from n/a through <= 8.2.5.

  • CVE-2025-58604HigSep 3, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFunnels Mail Mint mail-mint allows SQL Injection.This issue affects Mail Mint: from n/a through <= 1.18.5.

  • CVE-2025-57147HigSep 3, 2025
    risk 0.49cvss 7.5epss 0.00

    A SQL Injection vulnerability was found in phpgurukul Complaint Management System 2.0. The vulnerability is due to lack of input validation of multiple parameters including fullname, email, and contactno in user/registration.php.

  • CVE-2025-8858HigAug 29, 2025
    risk 0.49cvss 7.5epss 0.00

    Clinic Image System developed by Changing has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.

  • CVE-2025-9172HigAug 26, 2025
    risk 0.49cvss 7.5epss 0.00

    The Vibes plugin for WordPress is vulnerable to time-based SQL Injection via the ‘resource’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This…

  • CVE-2025-7670HigAug 19, 2025
    risk 0.49cvss 7.5epss 0.00

    The JS Archive List plugin for WordPress is vulnerable to time-based SQL Injection via the build_sql_where() function in all versions up to, and including, 6.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL…

  • CVE-2024-12612HigAug 16, 2025
    risk 0.49cvss 7.5epss 0.00

    The School Management System for Wordpress plugin for WordPress is vulnerable to SQL Injection via several parameters across multiple AJAX action in all versions up to, and including, 93.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient…

  • CVE-2025-6495HigJul 29, 2025
    risk 0.49cvss 7.5epss 0.00

    The Bricks theme for WordPress is vulnerable to blind SQL Injection via the ‘p’ parameter in all versions up to, and including, 1.12.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2025-7735HigJul 17, 2025
    risk 0.49cvss 7.5epss 0.00

    The Hospital Information System developed by UNIMAX has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.

  • CVE-2025-49034HigJul 16, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Funnel Builder by FunnelKit funnel-builder allows SQL Injection.This issue affects Funnel Builder by FunnelKit: from n/a through <= 3.10.2.

  • CVE-2025-54043HigJul 16, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce SMTP for Amazon SES smtp-amazon-ses allows SQL Injection.This issue affects SMTP for Amazon SES: from n/a through <= 1.9.

  • CVE-2025-48301HigJul 16, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce SMTP for SendGrid – YaySMTP smtp-sendgrid allows SQL Injection.This issue affects SMTP for SendGrid – YaySMTP: from n/a through <= 1.5.

  • CVE-2025-48299HigJul 16, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YayExtra yayextra allows SQL Injection.This issue affects YayExtra: from n/a through <= 1.5.5.

  • CVE-2025-48161HigJul 16, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP smtp-sendinblue allows SQL Injection.This issue affects YaySMTP: from n/a through <= 1.3.

  • CVE-2025-7442HigJul 11, 2025
    risk 0.49cvss 7.5epss 0.00

    The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to SQL Injection via several parameters in the MJ_gmgt_delete_class_limit_for_member, MJ_gmgt_get_yearly_income_expense, MJ_gmgt_get_monthly_income_expense, MJ_gmgt_add_class_limit,…

  • CVE-2025-49870HigJul 4, 2025
    risk 0.49cvss 7.5epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Paid Member Subscriptions paid-member-subscriptions allows SQL Injection.This issue affects Paid Member Subscriptions: from n/a through <= 2.15.1.

  • CVE-2025-53306HigJun 27, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in lucidcrew WP Forum Server forum-server allows SQL Injection.This issue affects WP Forum Server: from n/a through <= 1.8.2.

  • CVE-2025-53258HigJun 27, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wow-Company Hover Effects hover-effects allows SQL Injection.This issue affects Hover Effects: from n/a through <= 2.1.2.

  • CVE-2025-53256HigJun 27, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP yaysmtp allows SQL Injection.This issue affects YaySMTP: from n/a through <= 2.6.6.