VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
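As an added illustration of the description above (example code written for this page, not taken from CWE or from any product listed below), the following Python runs the same lookup three ways against an in-memory SQLite database with constructed sample rows: the value spliced into the SQL text, the value quote-escaped but placed in an unquoted numeric position, and the value bound as a parameter. The `users` table, its columns, the payload strings and the helper names are assumptions for illustration.

```python
import sqlite3

# Constructed sample data for the example; table and column names are assumptions.
SAMPLE_USERS = [
    ("alice", "alice@example.org", 1),
    ("bob", "bob@example.org", 0),
    ("carol", "carol@example.org", 0),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, email, is_admin) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    return conn


def find_by_name_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """CWE-89: the input is spliced into the statement text, so a quote in it ends
    the string literal and whatever follows is parsed as SQL, not as data."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fix: the statement text is constant and the value is bound as a parameter.
    The database never parses the value, so SQL syntax inside it is inert."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def escape_quotes(value: str) -> str:
    """Quote doubling: the kind of 'escaping' that only protects a value sitting
    inside a quoted string literal."""
    return value.replace("'", "''")


def find_by_id_escaped_only(conn: sqlite3.Connection, user_id: str) -> list:
    """Still CWE-89: the id lands in an unquoted numeric position, so there is no
    quote to break out of and quote-escaping changes nothing."""
    sql = "SELECT name, email FROM users WHERE id = " + escape_quotes(user_id)
    return conn.execute(sql).fetchall()


def find_by_id_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Fix: enforce the type at the trust boundary, then bind it as a parameter."""
    return conn.execute(
        "SELECT name, email FROM users WHERE id = ?", (int(user_id),)
    ).fetchall()


def demo() -> dict:
    """Run each variant with a benign input and with injection payloads, returning
    row counts so the effect is visible without reading the query output."""
    conn = make_db()
    tautology = "' OR 1=1 --"  # closes the literal, appends an always-true clause
    union = "' UNION SELECT name, is_admin FROM users --"  # reads another column
    numeric = "1 OR 1=1"  # no quote needed when the slot is not quoted
    results = {
        "benign_vulnerable": len(find_by_name_vulnerable(conn, "bob")),
        "benign_safe": len(find_by_name_safe(conn, "bob")),
        "tautology_vulnerable": len(find_by_name_vulnerable(conn, tautology)),
        "tautology_safe": len(find_by_name_safe(conn, tautology)),
        "union_vulnerable": len(find_by_name_vulnerable(conn, union)),
        "union_safe": len(find_by_name_safe(conn, union)),
        "numeric_escaped_only": len(find_by_id_escaped_only(conn, numeric)),
    }
    try:
        find_by_id_safe(conn, numeric)
        results["numeric_safe_rejected"] = False
    except ValueError:  # int("1 OR 1=1") fails, so the payload never reaches SQL
        results["numeric_safe_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The quote-doubling variant is the pattern behind the "insufficient escaping" wording in several of the WordPress entries below: escaping only matters inside a quoted literal, so a numeric slot needs type validation plus binding rather than escaping, and identifiers (table or column names) cannot be bound at all and must be checked against an allow-list.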

Hierarchy (View 1000)

Parents
  • CWE-943 Improper Neutralization of Special Elements in Data Query Logic

Children
  • CWE-564 SQL Injection: Hibernate

Related attack patterns (CAPEC)

CAPEC-108 Command Line Execution through SQL Injection · CAPEC-109 Object Relational Mapping Injection · CAPEC-110 SQL Injection through SOAP Parameter Tampering · CAPEC-470 Expanding Control over the Operating System from the Database · CAPEC-66 SQL Injection · CAPEC-7 Blind SQL Injection

CVEs mapped to this weakness (10,236)

page 17 of 512
  • CVE-2024-54261 · Critical · Dec 13, 2024
    risk 0.65 · CVSS 10.0 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in HK Digital Agency LLC TAX SERVICE Electronic HDM virtual-hdm-for-taxservice-am allows SQL Injection. This issue affects TAX SERVICE Electronic HDM: from n/a through <= 1.2.2.

  • CVE-2024-49681 · Critical · Oct 24, 2024
    risk 0.65 · CVSS 9.3 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in activity-log.com WP Sessions Time Monitoring Full Automatic activitytime allows SQL Injection. This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through <=…

  • CVE-2024-40498 · Critical · Aug 5, 2024
    risk 0.65 · CVSS 9.8 · EPSS 0.01

    SQL Injection vulnerability in PuneethReddyHC Online Shopping system advanced v.1.0 allows an attacker to execute arbitrary code via the register.php.

  • CVE-2024-3922 · Critical · Jun 13, 2024
    risk 0.65 · CVSS 10.0 · EPSS 0.56

    The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2024-3820 · Critical · Jun 1, 2024
    risk 0.65 · CVSS 10.0 · EPSS 0.01

    The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to SQL Injection via the 'id_key' parameter of the wdt_delete_table_row AJAX action in all versions up to, and including, 6.3.1 due to insufficient escaping on the…

  • CVE-2024-0851 · Critical · May 27, 2024
    risk 0.65 · CVSS n/a · EPSS 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Grup Arge Energy and Control Systems Smartpower allows SQL Injection. This issue affects Smartpower: through V24.05.27.

  • CVE-2024-0705 · Critical · Jan 19, 2024
    risk 0.65 · CVSS 9.8 · EPSS 0.03

    The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 3.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL…

  • CVE-2023-25960 · Critical · Nov 3, 2023
    risk 0.65 · CVSS 10.0 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zendrop Zendrop – Global Dropshipping zendrop-dropshipping-and-fulfillment allows SQL Injection. This issue affects Zendrop – Global Dropshipping: from n/a through 1.0.0.

  • CVE-2018-9230 · Critical · Apr 2, 2018
    risk 0.65 · CVSS 9.8 · EPSS 0.14

    In OpenResty through 1.13.6.1, URI parameters are obtained using the ngx.req.get_uri_args and ngx.req.get_post_args functions that ignore parameters beyond the hundredth one, which might allow remote attackers to bypass intended access restrictions or interfere with certain Web…

  • CVE-2017-17731 · Critical · Dec 18, 2017
    risk 0.65 · CVSS 9.8 · EPSS 0.13

    DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.

  • CVE-2017-16851 · Critical · Nov 16, 2017
    risk 0.65 · CVSS 9.8 · EPSS 0.17

    Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter.

  • CVE-2017-16850 · Critical · Nov 16, 2017
    risk 0.65 · CVSS 9.8 · EPSS 0.17

    Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action.

  • CVE-2017-16849 · Critical · Nov 16, 2017
    risk 0.65 · CVSS 9.8 · EPSS 0.17

    Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter.

  • CVE-2017-16848 · Critical · Nov 16, 2017
    risk 0.65 · CVSS 9.8 · EPSS 0.15

    Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter.

  • CVE-2017-16847 · Critical · Nov 16, 2017
    risk 0.65 · CVSS 9.8 · EPSS 0.17

    Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action.

  • CVE-2017-16846 · Critical · Nov 16, 2017
    risk 0.65 · CVSS 9.8 · EPSS 0.17

    Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter.

  • CVE-2017-11444 · Critical · Jul 19, 2017
    risk 0.65 · CVSS 9.8 · EPSS 0.13

    Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in /front/search.php via the $_GET array.

  • CVE-2016-8027 · Critical · Mar 14, 2017
    risk 0.65 · CVSS 10.0 · EPSS 0.06

    SQL injection vulnerability in core services in Intel Security McAfee ePolicy Orchestrator (ePO) 5.3.2 and earlier and 5.1.3 and earlier allows attackers to alter a SQL query, which can result in disclosure of information within the database or impersonation of an agent without…

  • CVE-2015-8974 · Critical · Jan 31, 2017
    risk 0.65 · CVSS 10.0 · EPSS 0.02

    SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2026-50890 · Critical · Jun 15, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.