VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,813)

page 41 of 441
  • CVE-2025-26898CriMar 27, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler.This issue affects Traveler: from n/a through < 3.2.1.

  • CVE-2025-30524CriMar 26, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in origincode Product Catalog displayproduct allows SQL Injection.This issue affects Product Catalog: from n/a through <= 1.0.4.

  • CVE-2025-28942CriMar 26, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Trust Payments Trust Payments Gateway for WooCommerce trust-payments-hosted-payment-pages-integration allows SQL Injection.This issue affects Trust Payments Gateway for WooCommerce: from n/a through <= 1.1.4.

  • CVE-2025-28898CriMar 26, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPExperts.io WP Multistore Locator wp-multi-store-locator allows SQL Injection.This issue affects WP Multistore Locator: from n/a through <= 2.5.2.

  • CVE-2025-26941CriMar 26, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in andy_moyle Church Admin church-admin allows SQL Injection.This issue affects Church Admin: from n/a through <= 5.0.18.

  • CVE-2025-28904CriMar 25, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shamalli Web Directory Free web-directory-free allows Blind SQL Injection.This issue affects Web Directory Free: from n/a through <= 1.7.6.

  • CVE-2025-2200CriMar 17, 2025
    risk 0.60cvss epss 0.00

    SQL injection vulnerability in the IcProgreso Innovación y Cualificación plugin. This vulnerability allows an attacker to obtain, update and delete data from the database by injecting an SQL query on the parameters user, id, idGroup, start_date and end_date in the endpoint /report/icprogreso/generar_blocks.php.

  • CVE-2025-2199CriMar 17, 2025
    risk 0.60cvss epss 0.00

    SQL injection vulnerability in the Innovación y Cualificación local administration plugin ajax.php. This vulnerability allows an attacker to obtain, update and delete data from the database by injecting an SQL query in ‘searchActionsToUpdate’, ‘searchSpecialitiesPending’, ‘searchSpecialitiesLinked’, ‘searchUsersToUpdateProfile’, ‘training_action_data’, ‘showContinuingTrainingCourses’ and ‘showUsersToEdit’ in /local/administration/ajax.php.

  • CVE-2025-26875CriMar 15, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce different-shipping-and-billing-address-for-woocommerce allows SQL Injection.This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through <= 1.3.

  • CVE-2025-27268CriMar 3, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Small Package Quotes – Worldwide Express Edition small-package-quotes-wwe-edition allows SQL Injection.This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through <= 5.2.18.

  • CVE-2025-26988CriMar 3, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection.This issue affects SMS Alert Order Notifications: from n/a through <= 3.7.8.

  • CVE-2025-26535CriMar 3, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CodeSolz Bitcoin / AltCoin Payment Gateway for WooCommerce woo-altcoin-payment-gateway allows Blind SQL Injection.This issue affects Bitcoin / AltCoin Payment Gateway for WooCommerce: from n/a through <= 1.7.6.

  • CVE-2025-25150CriMar 3, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix uListing ulisting allows Blind SQL Injection.This issue affects uListing: from n/a through <= 2.1.6.

  • CVE-2025-26974CriFeb 25, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPExperts.io WP Multistore Locator wp-multi-store-locator allows Blind SQL Injection.This issue affects WP Multistore Locator: from n/a through <= 2.5.1.

  • CVE-2025-26943CriFeb 25, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jürgen Müller Easy Quotes easy-quotes allows Blind SQL Injection.This issue affects Easy Quotes: from n/a through <= 1.2.2.

  • CVE-2025-22290CriFeb 16, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology LTL Freight Quotes – FreightQuote Edition ltl-freight-quotes-freightquote-edition allows SQL Injection.This issue affects LTL Freight Quotes – FreightQuote Edition: from n/a through <= 2.3.11.

  • CVE-2025-24667CriJan 27, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Small Package Quotes – Worldwide Express Edition small-package-quotes-wwe-edition allows SQL Injection.This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through <= 5.2.17.

  • CVE-2025-24665CriJan 27, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Small Package Quotes – Unishippers Edition small-package-quotes-unishippers-edition allows SQL Injection.This issue affects Small Package Quotes – Unishippers Edition: from n/a through <= 2.4.8.

  • CVE-2025-24664CriJan 27, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology LTL Freight Quotes – Worldwide Express Edition ltl-freight-quotes-worldwide-express-edition allows SQL Injection.This issue affects LTL Freight Quotes – Worldwide Express Edition: from n/a through <= 5.0.20.

  • CVE-2025-24612CriJan 27, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ihor Kit Shipping for Nova Poshta nova-poshta-ttn allows SQL Injection.This issue affects Shipping for Nova Poshta: from n/a through <= 1.19.6.