CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,848)

page 99 of 443

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2025-22533	WordPress Wooexim	Hig	0.49	7.6	0.00	Jan 7, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bulktheme WOOEXIM wooexim allows SQL Injection.This issue affects WOOEXIM: from n/a through <= 5.0.0.
CVE-2025-22507	WordPress Wpmu Prefill Post	Hig	0.49	7.6	0.00	Jan 7, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in iDo8p WPMU Prefill Post wpmu-prefill-post allows SQL Injection.This issue affects WPMU Prefill Post: from n/a through <= 1.02.
CVE-2025-22502	WordPress Mindvalley Pagemash	Hig	0.49	7.6	0.00	Jan 7, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mindvalley MindValley Super PageMash mindvalley-pagemash allows SQL Injection.This issue affects MindValley Super PageMash: from n/a through <= 1.1.
CVE-2025-22351	WordPress Advanced Cf7 Database	Hig	0.49	7.6	0.00	Jan 7, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in penguinarts Contact Form 7 Database – CFDB7 advanced-cf7-database allows SQL Injection.This issue affects Contact Form 7 Database – CFDB7: from n/a through <= 1.0.0.
CVE-2025-22349	WordPress Wp Auctions	Hig	0.49	7.6	0.00	Jan 7, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Marka WordPress Auction Plugin wp-auctions allows SQL Injection.This issue affects WordPress Auction Plugin: from n/a through <= 3.7.
CVE-2024-12416	WordPress Woomotiv	Hig	0.49	7.5	0.01	Jan 7, 2025	The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to SQL Injection via the 'woomotiv_seen_products_.*' cookie in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-56250	WordPress Just Writing Statistics	Hig	0.49	7.6	0.00	Jan 2, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Greg Ross Just Writing Statistics just-writing-statistics allows SQL Injection.This issue affects Just Writing Statistics: from n/a through <= 4.7.
CVE-2024-56247	Afthemes Wp Post Author	Hig	0.49	7.6	0.00	Jan 2, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AF themes WP Post Author wp-post-author allows SQL Injection.This issue affects WP Post Author: from n/a through <= 3.8.2.
CVE-2024-12428	WordPress Wp Data Access	Hig	0.49	7.5	0.01	Dec 25, 2024	The WP Data Access – App, Table, Form and Chart Builder plugin plugin for WordPress is vulnerable to SQL Injection via the 'order[user_login][dir]' parameter in all versions up to, and including, 5.5.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-56053	Vibethemes Wordpress Learning Management System	Hig	0.49	7.6	0.00	Dec 18, 2024	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VibeThemes WPLMS wplms_plugin allows SQL Injection.This issue affects WPLMS: from n/a through < 1.9.9.5.3.
CVE-2024-11912	WordPress Travel Booking	Hig	0.49	7.5	0.01	Dec 18, 2024	The Travel Booking WordPress Theme theme for WordPress is vulnerable to blind time-based SQL Injection via the ‘order_id’ parameter in all versions up to, and including, 3.1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-54284	WordPress Seedprod Coming Soon Pro 5	Hig	0.49	7.6	0.00	Dec 16, 2024	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SeedProd LLC SeedProd Pro allows SQL Injection.This issue affects SeedProd Pro: from n/a through 6.18.10.
CVE-2024-54283	WordPress Seedprod Coming Soon Pro 5	Hig	0.49	7.6	0.00	Dec 16, 2024	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SeedProd LLC SeedProd Pro allows SQL Injection.This issue affects SeedProd Pro: from n/a through 6.18.10.
CVE-2024-55990	WordPress Cf7 Mollie	Hig	0.49	7.6	0.00	Dec 16, 2024	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tsjippy Mollie for Contact Form 7 cf7-mollie allows Blind SQL Injection.This issue affects Mollie for Contact Form 7: from n/a through <= 5.0.0.
CVE-2024-55989	WordPress Stripe Manager	Hig	0.49	7.6	0.00	Dec 16, 2024	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kyle M Brown WP Simple Pay Lite Manager stripe-manager allows SQL Injection.This issue affects WP Simple Pay Lite Manager: from n/a through <= 1.4.
CVE-2024-53817	WordPress Aco Product Labels For Woocommerce	Hig	0.49	7.6	0.00	Dec 6, 2024	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in acowebs Product Labels For Woocommerce aco-product-labels-for-woocommerce allows Blind SQL Injection.This issue affects Product Labels For Woocommerce: from n/a through <= 1.5.8.
CVE-2024-11460	WordPress Verowa Connect	Hig	0.49	7.5	0.01	Dec 6, 2024	The Verowa Connect plugin for WordPress is vulnerable to SQL Injection via the 'search_string' parameter in all versions up to, and including, 3.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-53783	WordPress Ni Woocommerce Cost Of Goods	Hig	0.49	7.6	0.00	Nov 30, 2024	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Anzar Ahmed Ni WooCommerce Cost Of Goods ni-woocommerce-cost-of-goods.This issue affects Ni WooCommerce Cost Of Goods: from n/a through <= 3.2.8.
CVE-2024-10570	WordPress Security Malware Firewall	Hig	0.49	7.5	0.00	Nov 26, 2024	The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to unauthorized SQL Injection due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 2.145, as well as insufficient input sanitization and validation. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-7026	—	Hig	0.49	7.5	0.00	Nov 21, 2024	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Teknogis Informatics Closed Circuit Vehicle Tracking Software allows SQL Injection, Blind SQL Injection.This issue affects Closed Circuit Vehicle Tracking Software: through 21.11.2024. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2025-22533HigJan 7, 2025
WordPress
Wooexim
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bulktheme WOOEXIM wooexim allows SQL Injection.This issue affects WOOEXIM: from n/a through <= 5.0.0.
CVE-2025-22507HigJan 7, 2025
WordPress
Wpmu Prefill Post
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in iDo8p WPMU Prefill Post wpmu-prefill-post allows SQL Injection.This issue affects WPMU Prefill Post: from n/a through <= 1.02.
CVE-2025-22502HigJan 7, 2025
WordPress
Mindvalley Pagemash
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mindvalley MindValley Super PageMash mindvalley-pagemash allows SQL Injection.This issue affects MindValley Super PageMash: from n/a through <= 1.1.
CVE-2025-22351HigJan 7, 2025
WordPress
Advanced Cf7 Database
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in penguinarts Contact Form 7 Database – CFDB7 advanced-cf7-database allows SQL Injection.This issue affects Contact Form 7 Database – CFDB7: from n/a through <= 1.0.0.
CVE-2025-22349HigJan 7, 2025
WordPress
Wp Auctions
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Marka WordPress Auction Plugin wp-auctions allows SQL Injection.This issue affects WordPress Auction Plugin: from n/a through <= 3.7.
CVE-2024-12416HigJan 7, 2025
WordPress
Woomotiv
risk 0.49cvss 7.5epss 0.01
The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to SQL Injection via the 'woomotiv_seen_products_.*' cookie in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-56250HigJan 2, 2025
WordPress
Just Writing Statistics
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Greg Ross Just Writing Statistics just-writing-statistics allows SQL Injection.This issue affects Just Writing Statistics: from n/a through <= 4.7.
CVE-2024-56247HigJan 2, 2025
Afthemes
Wp Post Author
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AF themes WP Post Author wp-post-author allows SQL Injection.This issue affects WP Post Author: from n/a through <= 3.8.2.
CVE-2024-12428HigDec 25, 2024
WordPress
Wp Data Access
risk 0.49cvss 7.5epss 0.01
The WP Data Access – App, Table, Form and Chart Builder plugin plugin for WordPress is vulnerable to SQL Injection via the 'order[user_login][dir]' parameter in all versions up to, and including, 5.5.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-56053HigDec 18, 2024
Vibethemes
Wordpress Learning Management System
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VibeThemes WPLMS wplms_plugin allows SQL Injection.This issue affects WPLMS: from n/a through < 1.9.9.5.3.
CVE-2024-11912HigDec 18, 2024
WordPress
Travel Booking
risk 0.49cvss 7.5epss 0.01
The Travel Booking WordPress Theme theme for WordPress is vulnerable to blind time-based SQL Injection via the ‘order_id’ parameter in all versions up to, and including, 3.1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-54284HigDec 16, 2024
WordPress
Seedprod Coming Soon Pro 5
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SeedProd LLC SeedProd Pro allows SQL Injection.This issue affects SeedProd Pro: from n/a through 6.18.10.
CVE-2024-54283HigDec 16, 2024
WordPress
Seedprod Coming Soon Pro 5
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SeedProd LLC SeedProd Pro allows SQL Injection.This issue affects SeedProd Pro: from n/a through 6.18.10.
CVE-2024-55990HigDec 16, 2024
WordPress
Cf7 Mollie
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tsjippy Mollie for Contact Form 7 cf7-mollie allows Blind SQL Injection.This issue affects Mollie for Contact Form 7: from n/a through <= 5.0.0.
CVE-2024-55989HigDec 16, 2024
WordPress
Stripe Manager
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kyle M Brown WP Simple Pay Lite Manager stripe-manager allows SQL Injection.This issue affects WP Simple Pay Lite Manager: from n/a through <= 1.4.
CVE-2024-53817HigDec 6, 2024
WordPress
Aco Product Labels For Woocommerce
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in acowebs Product Labels For Woocommerce aco-product-labels-for-woocommerce allows Blind SQL Injection.This issue affects Product Labels For Woocommerce: from n/a through <= 1.5.8.
CVE-2024-11460HigDec 6, 2024
WordPress
Verowa Connect
risk 0.49cvss 7.5epss 0.01
The Verowa Connect plugin for WordPress is vulnerable to SQL Injection via the 'search_string' parameter in all versions up to, and including, 3.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-53783HigNov 30, 2024
WordPress
Ni Woocommerce Cost Of Goods
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Anzar Ahmed Ni WooCommerce Cost Of Goods ni-woocommerce-cost-of-goods.This issue affects Ni WooCommerce Cost Of Goods: from n/a through <= 3.2.8.
CVE-2024-10570HigNov 26, 2024
WordPress
Security Malware Firewall
risk 0.49cvss 7.5epss 0.00
The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to unauthorized SQL Injection due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 2.145, as well as insufficient input sanitization and validation. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-7026HigNov 21, 2024
risk 0.49cvss 7.5epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Teknogis Informatics Closed Circuit Vehicle Tracking Software allows SQL Injection, Blind SQL Injection.This issue affects Closed Circuit Vehicle Tracking Software: through 21.11.2024. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.