CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,848)

page 96 of 443

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2025-26908	—	Hig	0.49	7.6	0.00	Apr 15, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Gurmehub Kargo Entegratör kargo-entegrator allows SQL Injection.This issue affects Kargo Entegratör: from n/a through <= 1.1.14.
CVE-2025-32128	WordPress Nearby Locations	Hig	0.49	7.6	0.00	Apr 10, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in aaronfrey Nearby Locations nearby-locations allows SQL Injection.This issue affects Nearby Locations: from n/a through <= 1.1.1.
CVE-2025-32685	WordPress Wp Inquiries	Hig	0.49	7.6	0.00	Apr 9, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aristo Rinjuang WP Inquiries wp-inquiries allows SQL Injection.This issue affects WP Inquiries: from n/a through <= 0.2.1.
CVE-2025-32677	WordPress Social Stream Design	Hig	0.49	7.6	0.00	Apr 9, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in solwininfotech WP Social Stream Designer social-stream-design allows Blind SQL Injection.This issue affects WP Social Stream Designer: from n/a through <= 1.3.
CVE-2025-32676	WordPress Verowa Connect	Hig	0.49	7.6	0.00	Apr 9, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Picture-Planet GmbH Verowa Connect verowa-connect allows Blind SQL Injection.This issue affects Verowa Connect: from n/a through <= 3.0.5.
CVE-2025-32204	WordPress Split Test For Elementor	Hig	0.49	7.6	0.01	Apr 4, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in rocketelements Split Test For Elementor split-test-for-elementor allows SQL Injection.This issue affects Split Test For Elementor: from n/a through <= 1.8.3.
CVE-2025-32203	WordPress Falling Things	Hig	0.49	7.6	0.01	Apr 4, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in manu225 Falling things falling-things allows SQL Injection.This issue affects Falling things: from n/a through <= 1.08.
CVE-2025-32127	WordPress Onoffice For Wp Websites	Hig	0.49	7.6	0.01	Apr 4, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in onOffice GmbH onOffice for WP-Websites onoffice-for-wp-websites allows SQL Injection.This issue affects onOffice for WP-Websites: from n/a through <= 5.7.
CVE-2025-32126	WordPress Pay With Contact Form 7	Hig	0.49	7.6	0.01	Apr 4, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cmsMinds Pay with Contact Form 7 pay-with-contact-form-7 allows SQL Injection.This issue affects Pay with Contact Form 7: from n/a through <= 1.0.4.
CVE-2025-32125	WordPress Silvasoft Boekhouden	Hig	0.49	7.6	0.01	Apr 4, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in silvasoft Silvasoft boekhouden silvasoft-boekhouden allows SQL Injection.This issue affects Silvasoft boekhouden: from n/a through <= 3.0.6.
CVE-2025-32124	WordPress Portfolio Manager Powered By Behance	Hig	0.49	7.6	0.01	Apr 4, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in eleopard Behance Portfolio Manager portfolio-manager-powered-by-behance allows Blind SQL Injection.This issue affects Behance Portfolio Manager: from n/a through <= 1.7.5.
CVE-2025-32122	WordPress Ulisting	Hig	0.49	7.6	0.01	Apr 4, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix uListing ulisting allows Blind SQL Injection.This issue affects uListing: from n/a through <= 2.2.0.
CVE-2025-32121	WordPress Gallery For Ultimate Member	Hig	0.49	7.6	0.01	Apr 4, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SuitePlugins Video & Photo Gallery for Ultimate Member gallery-for-ultimate-member allows SQL Injection.This issue affects Video & Photo Gallery for Ultimate Member: from n/a through <= 1.1.3.
CVE-2025-32120	WordPress Easy Query	Hig	0.49	7.6	0.01	Apr 4, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in edanzer Easy Query – WP Query Builder easy-query allows Blind SQL Injection.This issue affects Easy Query – WP Query Builder: from n/a through <= 2.0.4.
CVE-2025-2317	WordPress Woo Product Filter	Hig	0.49	7.5	0.00	Apr 4, 2025	The Product Filter by WBW plugin for WordPress is vulnerable to time-based SQL Injection via the filtersDataBackend parameter in all versions up to, and including, 2.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-31910	Reputeinfosystems Bookingpress	Hig	0.49	7.6	0.00	Apr 1, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in reputeinfosystems BookingPress bookingpress-appointment-booking allows SQL Injection.This issue affects BookingPress: from n/a through <= 1.1.28.
CVE-2025-31099	WordPress Slider Bws	Hig	0.49	7.6	0.00	Mar 28, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bestweblayout Slider by BestWebSoft slider-bws allows SQL Injection.This issue affects Slider by BestWebSoft: from n/a through <= 1.1.0.
CVE-2025-22652	WordPress Payment Forms For Paystack	Hig	0.49	7.6	0.01	Mar 27, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kendysond Payment Forms for Paystack payment-forms-for-paystack allows SQL Injection.This issue affects Payment Forms for Paystack: from n/a through <= 4.0.1.
CVE-2025-30921	—	Hig	0.49	7.6	0.00	Mar 27, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tribulant Software Newsletters newsletters-lite allows SQL Injection.This issue affects Newsletters: from n/a through <= 4.9.9.7.
CVE-2025-30879	WordPress Smart Wishlist For More Convert	Hig	0.49	7.6	0.00	Mar 27, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Moreconvert Team MC Woocommerce Wishlist smart-wishlist-for-more-convert allows SQL Injection.This issue affects MC Woocommerce Wishlist: from n/a through <= 1.8.9.

CVE-2025-26908HigApr 15, 2025
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Gurmehub Kargo Entegratör kargo-entegrator allows SQL Injection.This issue affects Kargo Entegratör: from n/a through <= 1.1.14.
CVE-2025-32128HigApr 10, 2025
WordPress
Nearby Locations
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in aaronfrey Nearby Locations nearby-locations allows SQL Injection.This issue affects Nearby Locations: from n/a through <= 1.1.1.
CVE-2025-32685HigApr 9, 2025
WordPress
Wp Inquiries
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aristo Rinjuang WP Inquiries wp-inquiries allows SQL Injection.This issue affects WP Inquiries: from n/a through <= 0.2.1.
CVE-2025-32677HigApr 9, 2025
WordPress
Social Stream Design
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in solwininfotech WP Social Stream Designer social-stream-design allows Blind SQL Injection.This issue affects WP Social Stream Designer: from n/a through <= 1.3.
CVE-2025-32676HigApr 9, 2025
WordPress
Verowa Connect
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Picture-Planet GmbH Verowa Connect verowa-connect allows Blind SQL Injection.This issue affects Verowa Connect: from n/a through <= 3.0.5.
CVE-2025-32204HigApr 4, 2025
WordPress
Split Test For Elementor
risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in rocketelements Split Test For Elementor split-test-for-elementor allows SQL Injection.This issue affects Split Test For Elementor: from n/a through <= 1.8.3.
CVE-2025-32203HigApr 4, 2025
WordPress
Falling Things
risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in manu225 Falling things falling-things allows SQL Injection.This issue affects Falling things: from n/a through <= 1.08.
CVE-2025-32127HigApr 4, 2025
WordPress
Onoffice For Wp Websites
risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in onOffice GmbH onOffice for WP-Websites onoffice-for-wp-websites allows SQL Injection.This issue affects onOffice for WP-Websites: from n/a through <= 5.7.
CVE-2025-32126HigApr 4, 2025
WordPress
Pay With Contact Form 7
risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cmsMinds Pay with Contact Form 7 pay-with-contact-form-7 allows SQL Injection.This issue affects Pay with Contact Form 7: from n/a through <= 1.0.4.
CVE-2025-32125HigApr 4, 2025
WordPress
Silvasoft Boekhouden
risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in silvasoft Silvasoft boekhouden silvasoft-boekhouden allows SQL Injection.This issue affects Silvasoft boekhouden: from n/a through <= 3.0.6.
CVE-2025-32124HigApr 4, 2025
WordPress
Portfolio Manager Powered By Behance
risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in eleopard Behance Portfolio Manager portfolio-manager-powered-by-behance allows Blind SQL Injection.This issue affects Behance Portfolio Manager: from n/a through <= 1.7.5.
CVE-2025-32122HigApr 4, 2025
WordPress
Ulisting
risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix uListing ulisting allows Blind SQL Injection.This issue affects uListing: from n/a through <= 2.2.0.
CVE-2025-32121HigApr 4, 2025
WordPress
Gallery For Ultimate Member
risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SuitePlugins Video & Photo Gallery for Ultimate Member gallery-for-ultimate-member allows SQL Injection.This issue affects Video & Photo Gallery for Ultimate Member: from n/a through <= 1.1.3.
CVE-2025-32120HigApr 4, 2025
WordPress
Easy Query
risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in edanzer Easy Query – WP Query Builder easy-query allows Blind SQL Injection.This issue affects Easy Query – WP Query Builder: from n/a through <= 2.0.4.
CVE-2025-2317HigApr 4, 2025
WordPress
Woo Product Filter
risk 0.49cvss 7.5epss 0.00
The Product Filter by WBW plugin for WordPress is vulnerable to time-based SQL Injection via the filtersDataBackend parameter in all versions up to, and including, 2.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-31910HigApr 1, 2025
Reputeinfosystems
Bookingpress
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in reputeinfosystems BookingPress bookingpress-appointment-booking allows SQL Injection.This issue affects BookingPress: from n/a through <= 1.1.28.
CVE-2025-31099HigMar 28, 2025
WordPress
Slider Bws
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bestweblayout Slider by BestWebSoft slider-bws allows SQL Injection.This issue affects Slider by BestWebSoft: from n/a through <= 1.1.0.
CVE-2025-22652HigMar 27, 2025
WordPress
Payment Forms For Paystack
risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kendysond Payment Forms for Paystack payment-forms-for-paystack allows SQL Injection.This issue affects Payment Forms for Paystack: from n/a through <= 4.0.1.
CVE-2025-30921HigMar 27, 2025
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tribulant Software Newsletters newsletters-lite allows SQL Injection.This issue affects Newsletters: from n/a through <= 4.9.9.7.
CVE-2025-30879HigMar 27, 2025
WordPress
Smart Wishlist For More Convert
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Moreconvert Team MC Woocommerce Wishlist smart-wishlist-for-more-convert allows SQL Injection.This issue affects MC Woocommerce Wishlist: from n/a through <= 1.8.9.