CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
Page 54 of 512

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-49067 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions. |
| CVE-2026-48886 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in JS Help Desk <= 3.0.9 versions. |
| CVE-2026-45439 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions. |
| CVE-2026-42665 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in WP Data Access <= 5.5.70 versions. |
| CVE-2026-42639 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in GD Rating System <= 3.6.2 versions. |
| CVE-2026-42386 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in Order Delivery Date for WooCommerce <= 4.5.1 versions. |
| CVE-2026-42381 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions. |
| CVE-2026-40798 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in wpForo Forum <= 3.0.4 versions. |
| CVE-2026-40771 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in Contest Gallery <= 28.1.6 versions. |
| CVE-2026-39530 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in SpeakOut! Email Petitions <= 4.6.5 versions. |
| CVE-2026-39519 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in GeekyBot <= 1.2.0 versions. |
| CVE-2026-39511 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions. |
| CVE-2026-39502 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in Form Maker by 10Web <= 1.15.38 versions. |
| CVE-2026-39492 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in WP Maps <= 4.9.1 versions. |
| CVE-2026-42647 | | Cri | 0.60 | 9.3 | 0.01 | | Jun 11, 2026 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection. This issue affects JoomSport: from n/a through 5.7.7. |
| CVE-2026-39494 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 11, 2026 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection. This issue affects Product Filter by WBW: from n/a through 3.1.2. |
| CVE-2026-10731 | | Cri | 0.60 | — | 0.00 | | Jun 9, 2026 | SQL injection in the ‘two_steps_auth_code’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated… |
| CVE-2026-42684 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 2, 2026 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ahmad WP Job Portal allows Blind SQL Injection. This issue affects WP Job Portal: from n/a through 2.5.1. |
| CVE-2026-42672 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 1, 2026 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection. This issue affects WP Directory Kit: from n/a through 1.5.1. |
| CVE-2026-42761 | | Cri | 0.60 | 9.3 | 0.00 | | May 27, 2026 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows Blind SQL Injection. This issue affects Active Products Tables for WooCommerce:… |