VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
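The description above names two failure modes: no neutralization of SQL syntax at all, and neutralization that is incorrect for the context the value lands in. The following Python script is an added example, not part of the CWE entry or of this page, that shows both against an in-memory SQLite table and puts the parameterized fix beside them. The `users` table, its rows, the attacker strings and the `lookup_*` function names are all constructed for the illustration.

```python
"""Added example (not from the CWE entry or this page): SQL injection in
three shapes against an in-memory SQLite table, plus the parameterized fix.

Everything here is constructed for illustration: the `users` table, its rows,
the attacker inputs and the function names are hypothetical.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_by_name_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # CWE-89, no neutralization: the user-controlled value is spliced into the
    # SQL text, so a quote in `name` ends the literal and the rest is parsed
    # as SQL.
    sql = f"SELECT id, name FROM users WHERE name = '{name}' AND role = 'user'"
    return conn.execute(sql).fetchall()


def lookup_by_id_escaped(conn: sqlite3.Connection, id_param: str) -> list:
    # CWE-89, incorrect neutralization: doubling quotes only helps inside a
    # quoted string literal. `id` is interpolated unquoted (numeric context),
    # so "1 OR 1=1" contains nothing to escape and still rewrites the query.
    escaped = id_param.replace("'", "''")
    sql = f"SELECT id, name FROM users WHERE id = {escaped}"
    return conn.execute(sql).fetchall()


def lookup_by_name_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the value is bound separately from the SQL text and
    # is never parsed as SQL, whatever characters it contains.
    sql = "SELECT id, name FROM users WHERE name = ? AND role = 'user'"
    return conn.execute(sql, (name,)).fetchall()


def lookup_by_id_safe(conn: sqlite3.Connection, id_param: str) -> list:
    # For a numeric parameter, validate the type *and* bind it; validation
    # alone would be bypassable if the value were still interpolated.
    if not id_param.isdigit():
        raise ValueError("id must be an unsigned integer")
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (int(id_param),)).fetchall()


def demo() -> dict:
    """Run the constructed attacker inputs through all four lookups."""
    conn = make_db()
    string_payload = "x' OR 1=1 --"   # closes the literal, comments out the role filter
    numeric_payload = "1 OR 1=1"      # no quote needed in an unquoted context
    results = {
        "vuln_string": lookup_by_name_vulnerable(conn, string_payload),
        "escaped_numeric": lookup_by_id_escaped(conn, numeric_payload),
        "safe_string": lookup_by_name_safe(conn, string_payload),
        "safe_numeric_rejected": False,
    }
    try:
        lookup_by_id_safe(conn, numeric_payload)
    except ValueError:
        results["safe_numeric_rejected"] = True
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The string payload returns every row, admin included, from the vulnerable lookup and nothing from the bound one; the numeric payload returns every row from the quote-escaping lookup, which is the same shape as the many "via the id parameter" entries in the CVE list below, and is rejected outright by the validated, bound version.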


Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,813)

page 44 of 441
  • CVE-2023-52215 · Critical · Jan 8, 2024
    risk 0.60 · cvss 9.3 · epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in UkrSolution Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce. This issue affects Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce: from n/a through 1.5.1.

  • CVE-2023-51469 · Critical · Dec 31, 2023
    risk 0.60 · cvss 9.3 · epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mestres do WP Checkout Mestres WP. This issue affects Checkout Mestres WP: from n/a through 7.1.9.6.

  • CVE-2023-51423 · Critical · Dec 31, 2023
    risk 0.60 · cvss 9.3 · epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder Team Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition. This issue affects Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition: from n/a through 3.05.0.

  • CVE-2023-49752 · Critical · Dec 20, 2023
    risk 0.60 · cvss 9.3 · epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spoon themes Adifier - Classified Ads WordPress Theme. This issue affects Adifier - Classified Ads WordPress Theme: from n/a before 3.1.4.

  • CVE-2023-49776 · Critical · Dec 20, 2023
    risk 0.60 · cvss 9.3 · epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hakan Demiray Sayfa Sayac. This issue affects Sayfa Sayac: from n/a through 2.6.

  • CVE-2023-40010 · Critical · Dec 20, 2023
    risk 0.60 · cvss 9.3 · epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in realmag777 HUSKY – Products Filter for WooCommerce Professional. This issue affects HUSKY – Products Filter for WooCommerce Professional: from n/a through 1.3.4.2.

  • CVE-2023-49750 · Critical · Dec 19, 2023
    risk 0.60 · cvss 9.3 · epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spoonthemes Couponis - Affiliate & Submitting Coupons WordPress Theme. This issue affects Couponis - Affiliate & Submitting Coupons WordPress Theme: from n/a before 2.2.

  • CVE-2023-48738 · Critical · Dec 19, 2023
    risk 0.60 · cvss 9.3 · epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Porto Theme Porto Theme - Functionality. This issue affects Porto Theme - Functionality: from n/a before 2.12.1.

  • CVE-2017-17615 · High · Dec 13, 2017
    risk 0.60 · cvss 8.8 · epss 0.00

    Facebook Clone Script 1.0 has SQL Injection via the friend-profile.php id parameter.

  • CVE-2017-16542 · High · Nov 5, 2017
    risk 0.60 · cvss 8.8 · epss 0.01

    Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request.

  • CVE-2017-15578 · High · Oct 18, 2017
    risk 0.60 · cvss 8.8 · epss 0.00

    In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via the image parameter to admin/edit_category.php.

  • CVE-2017-14848 · High · Oct 3, 2017
    risk 0.60 · cvss 8.8 · epss 0.01

    WPHRM Human Resource Management System for WordPress 1.0 allows SQL Injection via the employee_id parameter.

  • CVE-2017-14758 · High · Oct 3, 2017
    risk 0.60 · cvss 8.8 · epss 0.00

    OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xAdmin/html/cm_doclist_view_uc.jsp, parameter: documentId. In order for this vulnerability to be exploited, an attacker must authenticate to the application first.

  • CVE-2017-14757 · High · Oct 3, 2017
    risk 0.60 · cvss 8.8 · epss 0.00

    OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xDashboard/html/jobhistory/downloadSupportFile.action, parameter: jobRunId. In order for this vulnerability to be exploited, an attacker must authenticate to the application first.

  • CVE-2017-14847 · High · Sep 28, 2017
    risk 0.60 · cvss 8.8 · epss 0.01

    Mojoomla WPAMS Apartment Management System for WordPress allows SQL Injection via the id parameter.

  • CVE-2017-14846 · High · Sep 28, 2017
    risk 0.60 · cvss 8.8 · epss 0.01

    Mojoomla Hospital Management System for WordPress allows SQL Injection via the id parameter.

  • CVE-2017-14845 · High · Sep 28, 2017
    risk 0.60 · cvss 8.8 · epss 0.01

    Mojoomla WPCHURCH Church Management System for WordPress allows SQL Injection via the id parameter.

  • CVE-2017-14844 · High · Sep 28, 2017
    risk 0.60 · cvss 8.8 · epss 0.01

    Mojoomla WPGYM WordPress Gym Management System allows SQL Injection via the id parameter.

  • CVE-2017-14843 · High · Sep 28, 2017
    risk 0.60 · cvss 8.8 · epss 0.01

    Mojoomla School Management System for WordPress allows SQL Injection via the id parameter.

  • CVE-2017-14842 · High · Sep 28, 2017
    risk 0.60 · cvss 8.8 · epss 0.01

    Mojoomla SMSmaster Multipurpose SMS Gateway for WordPress allows SQL Injection via the id parameter.