1919 matches found

Positive Technologies | added 2025/09/10 12:00 a.m. | 3 views

PT-2025-37021

Name of the Vulnerable Software and Affected Versions: Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net versions prior to 1.117.6 Description: The Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net plugin for...

CVSS 6.5 | AI score 6.7 | EPSS 0.00287
Exploits 0 | References 7

Positive Technologies | added 2025/09/10 12:00 a.m. | 2 views

PT-2025-37015

Name of the Vulnerable Software and Affected Versions: Duplicate Page and Post plugin for WordPress versions prior to 2.9.5 Description: The Duplicate Page and Post plugin for WordPress is susceptible to time-based SQL Injection via the meta key parameter. Insufficient escaping of user-supplied...

CVSS 6.5 | AI score 6.8 | EPSS 0.00278
Exploits 0 | References 6

RedhatCVE | added 2025/09/08 7:31 a.m. | 8 views

CVE-2025-10046

The ELEX WooCommerce Google Shopping Google Product Feed plugin for WordPress is vulnerable to SQL Injection via the 'filetodelete' parameter in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...

CVSS 4.9 | AI score 6.5 | EPSS 0.00666
Exploits 2 | References 1

NVD | added 2025/09/06 7:15 a.m. | 12 views

CVE-2025-10046

The ELEX WooCommerce Google Shopping Google Product Feed plugin for WordPress is vulnerable to SQL Injection via the 'filetodelete' parameter in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...

CVSS 4.9 | EPSS 0.00666
Exploits 2 | References 3

NVD | added 2025/09/06 3:15 a.m. | 5 views

CVE-2025-9085

The User Registration & Membership plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in version 4.3.0. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated...

CVSS 4.9 | EPSS 0.00317
Exploits 0 | References 4

NVD | added 2025/09/06 3:15 a.m. | 5 views

CVE-2025-10003

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uploadfileremove’ function and 'htmlvar' parameter in all versions up to, and including, 1.2.44 due to insufficient...

CVSS 6.5 | EPSS 0.00311
Exploits 0 | References 3

Positive Technologies | added 2025/09/06 12:00 a.m. | 4 views

PT-2025-36351

Name of the Vulnerable Software and Affected Versions: User Registration & Membership plugin for WordPress version 4.3.0 Description: The User Registration & Membership plugin for WordPress is susceptible to SQL Injection via the s parameter. This is due to insufficient escaping of user-supplied...

CVSS 4.9 | AI score 6.8 | EPSS 0.00317
Exploits 0 | References 8

CVE | added 2025/09/03 1:55 p.m. | 10 views

CVE-2025-9822

CVE-2025-9822 affects mautic (core/lib related), describing an improper access control that allows an administrator to modify configuration and extract secrets (e.g., database credentials) via the elfinder component. The issue is documented across multiple sources (GitHub advisory GHSA-438M-6MHW-...

CVSS 5.5 | AI score 6.3 | EPSS 0.00225
Exploits 0 | References 1

RedhatCVE | added 2025/08/31 4:33 a.m. | 2 views

CVE-2025-9441

The iATS Online Forms plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order' parameter in all versions up to, and including, 1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...

CVSS 6.5 | AI score 6.6 | EPSS 0.00278
Exploits 0 | References 1

RedhatCVE | added 2025/08/30 6:21 p.m. | 3 views

CVE-2025-50972

SQL Injection vulnerability in AbanteCart 1.4.2, allows unauthenticated attackers to execute arbitrary SQL commands via the tmplid parameter to index.php. Three techniques have been demonstrated: error-based injection using a crafted FLOOR-based payload, time-based blind injection via SLEEP, and...

CVSS 9.8 | AI score 8.9 | EPSS 0.00421
Exploits 1 | References 1

CVE | added 2025/08/28 4:24 a.m. | 19 views

CVE-2025-8977

CVE-2025-8977 details (WordPress) The Simple Download Monitor plugin for WordPress is affected by a time-based SQL Injection via the order parameter in the Log Export functionality, in all versions up to and including 3.9.33. The root cause is insufficient escaping of user-supplied input and inad...

CVSS 6.5 | AI score 7 | EPSS 0.00287
Exploits 0 | References 4

NVD | added 2025/08/27 4:15 p.m. | 5 views

CVE-2025-50984

diskover-web v2.3.0 Community Edition is vulnerable to multiple boolean-based blind SQL injection flaws in its Elasticsearch configuration form. Unsanitized user input in POST parameters such as ESPASS, ESMAXSIZE, ESTRANSLOGSIZE, ESTIMEOUT, ESUSER, ESHOST, ESPORT, ESSCROLLSIZE, ESCHUNKSIZE and...

CVSS 5.3 | EPSS 0.00308
Exploits 1 | References 1

NVD | added 2025/08/27 3:15 p.m. | 3 views

CVE-2025-50972

SQL Injection vulnerability in AbanteCart 1.4.2, allows unauthenticated attackers to execute arbitrary SQL commands via the tmplid parameter to index.php. Three techniques have been demonstrated: error-based injection using a crafted FLOOR-based payload, time-based blind injection via SLEEP, and...

CVSS 9.8 | EPSS 0.00421
Exploits 1 | References 1

CVE | added 2025/08/27 12:00 a.m. | 17 views

CVE-2025-50984

Diskover-web v2.3.0 Community Edition is affected by multiple boolean-based blind SQL injection flaws in the Elasticsearch configuration form. Untrusted input in POST fields (e.g., ES_PASS, ES_MAXSIZE, ES_TRANSLOGSIZE, ES_TIMEOUT, ES_USER, ES_HOST, ES_PORT, ES_SCROLLSIZE, ES_CHUNKSIZE) can inject...

CVSS 5.3 | AI score 7.1 | EPSS 0.00308
Exploits 1 | References 1 | Affected Software 1

Cvelist | added 2025/08/27 12:00 a.m. | 7 views

CVE-2025-50972

SQL Injection vulnerability in AbanteCart 1.4.2, allows unauthenticated attackers to execute arbitrary SQL commands via the tmplid parameter to index.php. Three techniques have been demonstrated: error-based injection using a crafted FLOOR-based payload, time-based blind injection via SLEEP, and...

EPSS 0.00421
Exploits 1 | References 1

Vulnrichment | added 2025/08/26 3:24 a.m. | 5 views

CVE-2025-9172 Vibes <= 2.2.0 - Unauthenticated SQL Injection via `resource` Parameter

The Vibes plugin for WordPress is vulnerable to time-based SQL Injection via the ‘resource’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

CVSS 7.5 | AI score 7.8 | EPSS 0.004
Exploits 0 | References 2

Cvelist | added 2025/08/15 8:25 a.m. | 12 views

CVE-2025-7662 Gestion de tarifs <= 1.4 - Authenticated (Contributor+) SQL Injection

The Gestion de tarifs plugin for WordPress is vulnerable to SQL Injection via the 'tarif' and 'intitule' shortcodes in all versions up to, and including, 1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

CVSS 6.5 | EPSS 0.00286
Exploits 0 | References 3

RedhatCVE | added 2025/08/15 7:17 a.m. | 3 views

CVE-2025-6184

The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter used in the getsubmittedassignments function in all versions up to, and including, 3.7.0 due to insufficient escaping on the user supplied parameter an...

CVSS 8.8 | AI score 7.7 | EPSS 0.00326
Exploits 0 | References 1

CNNVD | added 2025/08/14 12:00 a.m. | 3 views

PHPGurukul Hospital Management System Security Vulnerability

Hospital Management System is a PHP and MySQL based hospital management system. Hospital Management System suffers from a SQL injection vulnerability that originates from the lack of validation of externally entered SQL statements in the parameter docfees in the file /admin/edit-doctor.php. An...

CVSS 9.8 | AI score 8.1 | EPSS 0.00479
Exploits 1 | References 5

CVE | added 2025/08/13 11:38 a.m. | 16 views

CVE-2025-55280

CVE-2025-55280 (ZKTeco WL20) : The device stores Wi‑Fi credentials, configuration data, and system data in plaintext inside its firmware. An attacker with physical access could extract the firmware, reverse‑engineer binaries, and read the sensitive data, potentially gaining unauthorized network a...

CVSS 5.2 | AI score 6.8 | EPSS 0.00123
Exploits 0 | References 1