VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 135 of 512
  • CVE-2025-32124HigApr 4, 2025
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in eleopard Behance Portfolio Manager portfolio-manager-powered-by-behance allows Blind SQL Injection.This issue affects Behance Portfolio Manager: from n/a through <= 1.7.5.

  • CVE-2025-32122HigApr 4, 2025
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix uListing ulisting allows Blind SQL Injection.This issue affects uListing: from n/a through <= 2.2.0.

  • CVE-2025-32121HigApr 4, 2025
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SuitePlugins Video & Photo Gallery for Ultimate Member gallery-for-ultimate-member allows SQL Injection.This issue affects Video & Photo Gallery for Ultimate Member: from n/a…

  • CVE-2025-32120HigApr 4, 2025
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in edanzer Easy Query – WP Query Builder easy-query allows Blind SQL Injection.This issue affects Easy Query – WP Query Builder: from n/a through <= 2.0.4.

  • CVE-2025-2317HigApr 4, 2025
    risk 0.49cvss 7.5epss 0.00

    The Product Filter by WBW plugin for WordPress is vulnerable to time-based SQL Injection via the filtersDataBackend parameter in all versions up to, and including, 2.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the…

  • CVE-2025-31910HigApr 1, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in reputeinfosystems BookingPress bookingpress-appointment-booking allows SQL Injection.This issue affects BookingPress: from n/a through <= 1.1.28.

  • CVE-2025-31099HigMar 28, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bestweblayout Slider by BestWebSoft slider-bws allows SQL Injection.This issue affects Slider by BestWebSoft: from n/a through <= 1.1.0.

  • CVE-2025-22652HigMar 27, 2025
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kendysond Payment Forms for Paystack payment-forms-for-paystack allows SQL Injection.This issue affects Payment Forms for Paystack: from n/a through <= 4.0.1.

  • CVE-2025-30921HigMar 27, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tribulant Software Newsletters newsletters-lite allows SQL Injection.This issue affects Newsletters: from n/a through <= 4.9.9.7.

  • CVE-2025-30879HigMar 27, 2025
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Moreconvert Team MC Woocommerce Wishlist smart-wishlist-for-more-convert allows SQL Injection.This issue affects MC Woocommerce Wishlist: from n/a through <= 1.8.9.

  • CVE-2025-30843HigMar 27, 2025
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in setriosoft bizcalendar-web bizcalendar-web allows SQL Injection.This issue affects bizcalendar-web: from n/a through <= 1.1.0.34.

  • CVE-2025-30791HigMar 27, 2025
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdever Cart tracking for WooCommerce cart-tracking-for-woocommerce allows SQL Injection.This issue affects Cart tracking for WooCommerce: from n/a through <= 1.0.16.

  • CVE-2025-30765HigMar 27, 2025
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPPOOL FlexStock stock-sync-with-google-sheet-for-woocommerce allows Blind SQL Injection.This issue affects FlexStock: from n/a through <= 3.13.1.

  • CVE-2025-30217HigMar 26, 2025
    risk 0.49cvss 7.5epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 14.93.2 and 15.55.0, a SQL Injection vulnerability has been identified in Frappe Framework which could allow a malicious actor to access sensitive information. Versions 14.93.2 and 15.55.0 contain a patch for…

  • CVE-2024-44903HigMar 25, 2025
    risk 0.49cvss 7.5epss 0.00

    SQL Injection can occur in the SirsiDynix Horizon Information Portal (IPAC20) through 3.25_9382; however, a patch is available from the vendor. This is in ipac.jsp in a SELECT WHERE statement, in a part of the uri= variable in the second part of the full= inner variable.

  • CVE-2025-30604HigMar 24, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in jiangqie JiangQie Official Website Mini Program jiangqie-official-website-mini-program allows Blind SQL Injection.This issue affects JiangQie Official Website Mini Program: from…

  • CVE-2025-30571HigMar 24, 2025
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in STEdb Corp. STEdb Forms stedb-forms allows SQL Injection.This issue affects STEdb Forms: from n/a through <= 1.0.4.

  • CVE-2025-30570HigMar 24, 2025
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AliRezaMohammadi دکمه، شبکه اجتماعی خرید dokme allows SQL Injection.This issue affects دکمه، شبکه اجتماعی خرید: from n/a through <= 2.0.6.

  • CVE-2025-30525HigMar 24, 2025
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ProfitShare.ro WP Profitshare wp-profitshare allows SQL Injection.This issue affects WP Profitshare: from n/a through <= 1.4.9.

  • CVE-2025-30523HigMar 24, 2025
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Marcel-NL Super Simple Subscriptions super-simple-subscriptions allows SQL Injection.This issue affects Super Simple Subscriptions: from n/a through <= 1.1.0.