Lucene search
K

340 matches found

NVD
NVD
added last week8 views

CVE-2026-13357

The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.5.46 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the prepareitems method...

4.9CVSS0.00288EPSS
Exploits0References6
EUVD
EUVD
added last week9 views

EUVD-2026-41246

The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.5.46 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the prepareitems method...

4.9CVSS5.8AI score0.00288EPSS
Exploits0References6
Cvelist
Cvelist
added last week37 views

CVE-2026-13357 Houzez Property Feed <= 2.5.46 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter

The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.5.46 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the prepareitems method...

4.9CVSS0.00288EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added last week6 views

CVE-2026-13357

The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.5.46 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the prepareitems method...

4.9CVSS5.8AI score0.00288EPSS
Exploits0References7
CVE
CVE
added last week15 views

CVE-2026-13357

The Houzez Property Feed WordPress plugin (up to version 2.5.46) is vulnerable to SQL Injection via the 'orderby' parameter. The issue stems from user-controlled $_GET['orderby'] and $_GET['order'] being filtered only with sanitize_text_field() and concatenated into the SQL format string before $...

4.9CVSS5.8AI score0.00288EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/25 3:42 a.m.5 views

EUVD-2026-39165

The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the ’orderby’ parameter in all versions up to, and including, 5.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

6.5CVSS6AI score0.00224EPSS
Exploits0References2
CVE
CVE
added 2026/06/25 3:42 a.m.17 views

CVE-2026-12079

The CVE-2026-12079 entry concerns the Dokan Pro WordPress plugin. A time‑based SQL Injection exists via the 'orderby' parameter in all versions up to 5.0.4, caused by insufficient escaping of the user‑supplied value and inadequate SQL query preparation. Authenticated users with Subscriber‑level a...

6.5CVSS6AI score0.00224EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/25 3:42 a.m.35 views

CVE-2026-12079 Dokan Pro <= 5.0.4 - Authenticated (Subscriber+) SQL Injection via 'orderby' Parameter

The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the ’orderby’ parameter in all versions up to, and including, 5.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

6.5CVSS0.00224EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/23 6:0 a.m.40 views

CVE-2026-7842 Infility Global < 2.15.20 - Editor+ SQL Injection via orderby Parameter

The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the importlist, urldetail, and filedetail admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level...

0.00231EPSS
Exploits0References1
CVE
CVE
added 2026/06/23 6:0 a.m.13 views

CVE-2026-7842

The CVE concerns the Infility Global WordPress plugin for WordPress (before 2.15.20). In admin callbacks import_list(), url_detail(), and file_detail(), the plugin does not sanitize or validate the orderby and order parameters before using them in SQL queries, enabling time-based blind SQL inject...

6.8CVSS5.9AI score0.00231EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/08 12:45 a.m.41 views

CVE-2026-11473 jflyfox jfinal_cms AdvicefeedbackController.java list sql injection

A vulnerability was identified in jflyfox jfinalcms up to 5.1.0. This impacts the function list of the file AdvicefeedbackController.java. Such manipulation of the argument orderBy leads to sql injection. The attack can be launched remotely. The project was informed of the problem early through a...

6.5CVSS0.00204EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/08 12:45 a.m.14 views

EUVD-2026-35004

A vulnerability was identified in jflyfox jfinalcms up to 5.1.0. This impacts the function list of the file AdvicefeedbackController.java. Such manipulation of the argument orderBy leads to sql injection. The attack can be launched remotely. The project was informed of the problem early through a...

6.5CVSS6.5AI score0.00204EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/06/05 7:39 p.m.11 views

CVE-2026-7472

The Read More & Accordion plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.5.7. This is due to the use of escsql without surrounding the value in quotes in an ORDER BY clause inside the getAllDataByLimit and...

4.9CVSS5.9AI score0.00448EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:38 p.m.10 views

CVE-2026-7618

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

4.9CVSS5.7AI score0.00294EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:24 p.m.11 views

CVE-2026-8685

The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the...

6.5CVSS5.7AI score0.00359EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/29 7:46 a.m.7 views

CVE-2026-10039

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the 'order' parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

4.9CVSS6AI score0.00288EPSS
Exploits0References7
CVE
CVE
added 2026/05/29 7:46 a.m.25 views

CVE-2026-10039

The CVE-2026-10039 entry concerns the WordPress plugin Frontend Admin by DynamiApps. Affected versions up to and including 3.28.28 are vulnerable to a generic SQL Injection via the 'order' parameter due to insufficient escaping of user input and inadequate preparation of the existing SQL query. A...

4.9CVSS6AI score0.00288EPSS
Exploits0References6
CVE
CVE
added 2026/05/27 6:46 a.m.19 views

CVE-2026-7618

The CVE-2026-7618 vulnerability affects the WordPress plugin EnvíaloSimple: Email Marketing y Newsletters (

4.9CVSS5.9AI score0.00294EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/05/27 6:46 a.m.33 views

CVE-2026-7618 EnvíaloSimple: Email Marketing y Newsletters <= 2.4.5 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

4.9CVSS0.00294EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/05/27 6:46 a.m.8 views

CVE-2026-7618

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

4.9CVSS5.9AI score0.00294EPSS
Exploits0References8
Rows per page
Query Builder