CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 65 of 512| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-51482 | Cri | 0.60 | 9.9 | 0.37 | Oct 31, 2024 | ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is fixed in 1.37.65. | ||
| CVE-2024-50479 | Cri | 0.60 | 9.3 | 0.00 | Oct 28, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in chenyenming Woocommerce Quote Calculator woo-quote-calculator-order allows Blind SQL Injection.This issue affects Woocommerce Quote Calculator: from n/a through <= 1.1. | ||
| CVE-2024-49305 | Cri | 0.60 | 9.3 | 0.00 | Oct 17, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Email Verification for WooCommerce emails-verification-for-woocommerce allows SQL Injection.This issue affects Email Verification for WooCommerce: from n/a through <=… | ||
| CVE-2024-49246 | Cri | 0.60 | 9.3 | 0.00 | Oct 17, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in anand23 Ajax Rating with Custom Login ajax-rating-with-custom-login allows SQL Injection.This issue affects Ajax Rating with Custom Login: from n/a through <= 1.1. | ||
| CVE-2024-47331 | Cri | 0.60 | 9.3 | 0.01 | Oct 11, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ninja Team Multi Step for Contact Form cf7-multi-step allows SQL Injection.This issue affects Multi Step for Contact Form: from n/a through <= 2.7.7. | ||
| CVE-2024-47350 | Cri | 0.60 | 9.3 | 0.00 | Oct 6, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YITHEMES YITH WooCommerce Ajax Search yith-woocommerce-ajax-search.This issue affects YITH WooCommerce Ajax Search: from n/a through <= 2.8.0. | ||
| CVE-2024-3373 | Cri | 0.60 | — | 0.00 | Sep 27, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RSM Design Website Template allows SQL Injection. This issue affects Website Template: before 1.2. | ||
| CVE-2024-7735 | Cri | 0.60 | — | 0.00 | Sep 23, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Exnet Informatics Software Ferry Reservation System allows SQL Injection. This issue affects Ferry Reservation System: before 240805-002. | ||
| CVE-2024-44004 | Cri | 0.60 | 9.3 | 0.00 | Sep 17, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows SQL Injection.This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2. | ||
| CVE-2024-43978 | Cri | 0.60 | 9.3 | 0.00 | Sep 17, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in highwarden Super Store Finder superstorefinder-wp.This issue affects Super Store Finder: from n/a through < 6.9.8. | ||
| CVE-2024-43976 | Cri | 0.60 | 9.3 | 0.00 | Sep 17, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in highwarden Super Store Finder superstorefinder-wp.This issue affects Super Store Finder: from n/a through <= 6.9.7. | ||
| CVE-2024-39622 | Cri | 0.60 | 9.3 | 0.00 | Aug 29, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CridioStudio ListingPro listingpro allows SQL Injection.This issue affects ListingPro: from n/a through <= 2.9.4. | ||
| CVE-2024-38795 | Cri | 0.60 | 9.3 | 0.00 | Aug 29, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CridioStudio ListingPro listingpro-plugin allows SQL Injection.This issue affects ListingPro: from n/a through <= 2.9.4. | ||
| CVE-2024-37933 | Cri | 0.60 | 9.3 | 0.00 | Jul 12, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in anhvnit Woocommerce OpenPos.This issue affects Woocommerce OpenPos: from n/a through 6.4.4. | ||
| CVE-2024-6527 | Cri | 0.60 | — | 0.01 | Jul 9, 2024 | SQL Injection vulnerability in parameter "w" in file "druk.php" in MegaBIP software allows unauthorized attacker to disclose the contents of the database and obtain administrator's token to modify the content of pages. This issue affects MegaBIP software versions through 5.13. | ||
| CVE-2024-37252 | Cri | 0.60 | 9.3 | 0.01 | Jun 26, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Icegram Email Subscribers & Newsletters allows SQL Injection.This issue affects Email Subscribers & Newsletters: from n/a through 5.7.25. | ||
| CVE-2024-6160 | Cri | 0.60 | — | 0.00 | Jun 24, 2024 | SQL Injection vulnerability in MegaBIP software allows attacker to disclose the contents of the database, obtain session cookies or modify the content of pages. This issue affects MegaBIP software versions through 5.12.1. | ||
| CVE-2024-4434 | Cri | 0.60 | 9.8 | 0.37 | May 14, 2024 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the ‘term_id’ parameter in versions up to, and including, 4.2.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the… | ||
| CVE-2024-33551 | Cri | 0.60 | 9.3 | 0.01 | Apr 29, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore Core allows SQL Injection.This issue affects XStore Core: from n/a through 5.3.5. | ||
| CVE-2024-25927 | Cri | 0.60 | 9.3 | 0.01 | Feb 28, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Joel Starnes postMash – custom post order.This issue affects postMash – custom post order: from n/a through 1.2.0. |
- risk 0.60cvss 9.9epss 0.37
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is fixed in 1.37.65.
- risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in chenyenming Woocommerce Quote Calculator woo-quote-calculator-order allows Blind SQL Injection.This issue affects Woocommerce Quote Calculator: from n/a through <= 1.1.
- risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Email Verification for WooCommerce emails-verification-for-woocommerce allows SQL Injection.This issue affects Email Verification for WooCommerce: from n/a through <=…
- risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in anand23 Ajax Rating with Custom Login ajax-rating-with-custom-login allows SQL Injection.This issue affects Ajax Rating with Custom Login: from n/a through <= 1.1.
- risk 0.60cvss 9.3epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ninja Team Multi Step for Contact Form cf7-multi-step allows SQL Injection.This issue affects Multi Step for Contact Form: from n/a through <= 2.7.7.
- risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YITHEMES YITH WooCommerce Ajax Search yith-woocommerce-ajax-search.This issue affects YITH WooCommerce Ajax Search: from n/a through <= 2.8.0.
- risk 0.60cvss —epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RSM Design Website Template allows SQL Injection. This issue affects Website Template: before 1.2.
- risk 0.60cvss —epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Exnet Informatics Software Ferry Reservation System allows SQL Injection. This issue affects Ferry Reservation System: before 240805-002.
- risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows SQL Injection.This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2.
- risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in highwarden Super Store Finder superstorefinder-wp.This issue affects Super Store Finder: from n/a through < 6.9.8.
- risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in highwarden Super Store Finder superstorefinder-wp.This issue affects Super Store Finder: from n/a through <= 6.9.7.
- risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CridioStudio ListingPro listingpro allows SQL Injection.This issue affects ListingPro: from n/a through <= 2.9.4.
- risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CridioStudio ListingPro listingpro-plugin allows SQL Injection.This issue affects ListingPro: from n/a through <= 2.9.4.
- risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in anhvnit Woocommerce OpenPos.This issue affects Woocommerce OpenPos: from n/a through 6.4.4.
- risk 0.60cvss —epss 0.01
SQL Injection vulnerability in parameter "w" in file "druk.php" in MegaBIP software allows unauthorized attacker to disclose the contents of the database and obtain administrator's token to modify the content of pages. This issue affects MegaBIP software versions through 5.13.
- risk 0.60cvss 9.3epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Icegram Email Subscribers & Newsletters allows SQL Injection.This issue affects Email Subscribers & Newsletters: from n/a through 5.7.25.
- risk 0.60cvss —epss 0.00
SQL Injection vulnerability in MegaBIP software allows attacker to disclose the contents of the database, obtain session cookies or modify the content of pages. This issue affects MegaBIP software versions through 5.12.1.
- risk 0.60cvss 9.8epss 0.37
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the ‘term_id’ parameter in versions up to, and including, 4.2.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the…
- risk 0.60cvss 9.3epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore Core allows SQL Injection.This issue affects XStore Core: from n/a through 5.3.5.
- risk 0.60cvss 9.3epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Joel Starnes postMash – custom post order.This issue affects postMash – custom post order: from n/a through 1.2.0.