VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 225 of 512
  • CVE-2023-28491MedDec 20, 2023
    risk 0.44cvss 6.7epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tribulant Slideshow Gallery LITE.This issue affects Slideshow Gallery LITE: from n/a through 1.7.6.

  • CVE-2022-47432MedNov 6, 2023
    risk 0.44cvss 6.7epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kemal YAZICI - PluginPress Shortcode IMDB allows SQL Injection.This issue affects Shortcode IMDB: from n/a through 6.0.8.

  • CVE-2022-47430MedNov 6, 2023
    risk 0.44cvss 6.7epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Weblizar The School Management – Education & Learning Management allows SQL Injection.This issue affects The School Management – Education & Learning Management: from n/a…

  • CVE-2022-47428MedNov 6, 2023
    risk 0.44cvss 6.7epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WpDevArt Booking calendar, Appointment Booking System allows SQL Injection.This issue affects Booking calendar, Appointment Booking System: from n/a through 3.2.7.

  • CVE-2023-38391MedNov 4, 2023
    risk 0.44cvss 6.7epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themesgrove Onepage Builder allows SQL Injection.This issue affects Onepage Builder: from n/a through 2.4.1.

  • CVE-2022-47588MedNov 3, 2023
    risk 0.44cvss 6.7epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tips and Tricks HQ, Peter Petreski Simple Photo Gallery simple-photo-gallery allows SQL Injection.This issue affects Simple Photo Gallery: from n/a through v1.8.1.

  • CVE-2023-25045MedOct 31, 2023
    risk 0.44cvss 6.7epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David F. Carr RSVPMaker allows SQL Injection.This issue affects RSVPMaker: from n/a through 9.9.3.

  • CVE-2023-1454MedMar 17, 2023
    risk 0.44cvss 6.3epss 0.36

    A vulnerability classified as critical has been found in jeecg-boot 3.5.0. This affects an unknown part of the file jmreport/qurestSql. The manipulation of the argument apiSelectId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been…

  • CVE-2023-28108HigMar 16, 2023
    risk 0.44cvss 7.9epss 0.01

    Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in UUID DAO model. There is the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper…

  • CVE-2016-8025MedMar 14, 2017
    risk 0.44cvss 6.2epss 0.07

    SQL injection vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote authenticated users to obtain product information via a crafted HTTP request parameter.

  • CVE-2026-27768MedMay 25, 2026
    risk 0.43cvss 6.6epss 0.00

    SQL Injection affecting the Access Manager role.

  • CVE-2026-32271HigApr 13, 2026
    risk 0.43cvss epss 0.00

    Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through…

  • CVE-2026-24031HigMar 27, 2026
    risk 0.43cvss 7.7epss 0.00

    Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This vulnerability allows bypassing authentication for any user and user enumeration. Do not clear auth_username_chars. If this is not possible, install latest fixed version. No…

  • CVE-2026-2416HigFeb 25, 2026
    risk 0.43cvss 7.5epss 0.01

    The Geo Mashup plugin for WordPress is vulnerable to SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.17. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes…

  • CVE-2026-1581HigFeb 19, 2026
    risk 0.43cvss 7.5epss 0.02

    The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpfob' parameter in all versions up to, and including, 2.4.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This…

  • CVE-2025-12197HigNov 5, 2025
    risk 0.43cvss 7.5epss 0.17

    The The Events Calendar plugin for WordPress is vulnerable to blind SQL Injection via the 's' parameter in versions 6.15.1.1 to 6.15.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2024-45600HigDec 26, 2024
    risk 0.43cvss 7.7epss 0.00

    Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to 1.21.13, an authenticated user can perform a SQL injection when the plugin is active. The vulnerability is fixed in 1.21.13.

  • CVE-2024-21514HigJun 22, 2024
    risk 0.43cvss 7.4epss 0.19

    This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed…

  • CVE-2023-1016MedJun 9, 2023
    risk 0.43cvss 6.6epss 0.01

    The Intuitive Custom Post Order plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.1.4.1, due to insufficient escaping on the user supplied 'objects' and 'tags' parameters and lack of sufficient preparation in the 'update_options' function as…

  • CVE-2023-30545HigApr 25, 2023
    risk 0.43cvss 7.7epss 0.01

    PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using SQL function `LOAD_FILE` in a…