NetMRI Unauthenticated SQL Injection via skipjackUsername

An issue was discovered in Infoblox NETMRI before 7.6.1. Unauthenticated SQL Injection can occur. id: CVE-2025-32814 info: name: NetMRI Unauthenticated SQL Injection via skipjackUsername author: iamnoooob,pdresearch severity: critical description: | An issue was discovered in Infoblox NETMRI befo...

WordPress JS Archive List <= 6.1.5 - SQL Injection

Miguel Useche JS Archive List contains an sql injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires crafted input. id: CVE-2025-54726 info: name: WordPress JS Archive List = 6.1.5 - SQL Injection author:...

JS Help Desk <= 2.8.1 - SQL Injection

The JS Help Desk – Best Help Desk & Support Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘email' and 'trackingid' parameters in all versions up to 2.8.2 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing S...

Hongjing e-HR 2020 - SQL Injection

A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /wselfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument...

Prestashop posstaticfooter <= 1.0.0 - SQL Injection

Prestashop posstaticfooter = 1.0.0 is vulnerable to SQL Injection via posstaticfooter::getPosCurrentHook. id: CVE-2023-30194 info: name: Prestashop posstaticfooter = 1.0.0 - SQL Injection author: daffainfo severity: critical description: | Prestashop posstaticfooter = 1.0.0 is vulnerable to SQL...

Team WordPress Plugin (TLP Team) <= 5.0.9 - SQL Injection

Team WordPress plugin = 5.0.11 contains a SQL injection caused by improper sanitization and escaping of a parameter in an AJAX action accessible to unauthenticated users, letting remote attackers execute arbitrary SQL commands. id: CVE-2025-14124 info: name: Team WordPress Plugin TLP Team = 5.0.9...

Likes and Dislikes Plugin <= 1.0.0 - Unauthenticated SQL Injection

The Likes and Dislikes Plugin plugin for WordPress is vulnerable to SQL Injection via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...

WordPress WP TripAdvisor Review Slider <10.8 - Authenticated SQL Injection

WordPress WP TripAdvisor Review Slider plugin before 10.8 is susceptible to authenticated SQL injection. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. This can lead...

Emlog 2.1.9 - SQL Injection

emlog v2.1.9 contains a SQL injection caused by unsanitized input in the data backup/restore functionality, allowing attackers to execute arbitrary SQL commands through crafted backup files. id: CVE-2023-39121 info: name: Emlog 2.1.9 - SQL Injection author: wjch611 severity: high description: |...

WordPress AI ChatBot (WPBot) <= 4.8.9 - SQL Injection

ChatBot plugin for WordPress up to 4.8.9 contains a sqlinjection caused by insufficient escaping and lack of preparation on the $strid parameter, letting unauthenticated attackers extract sensitive data, exploit requires no authentication. id: CVE-2023-5204 info: name: WordPress AI ChatBot WPBot ...

Bloofox v0.5.2.1 - SQL Injection

bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the pid parameter at admin/index.php?mode=settings&page=plugins&action=edit. id: CVE-2023-34754 info: name: Bloofox v0.5.2.1 - SQL Injection author: ritikchaddha severity: critical description: | bloofox v0.5.2.1 was...

Quiz and Survey Master <= 8.1.4 - SQL Injection

ExpressTech Quiz And Survey Master versions up to 8.1.4 contains an SQL injection caused by improper neutralization of special elements used in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires user interaction. id: CVE-2023-28787 info: name: Quiz and Survey Master =...

Jeecg-Boot v3.5.1 - SQL Injection

SQL injection vulnerability via the title parameter at /sys/dict/loadTreeData in jeecg-boot v3.5.1. id: CVE-2023-38992 info: name: Jeecg-Boot v3.5.1 - SQL Injection author: ritikchaddha severity: critical description: | SQL injection vulnerability via the title parameter at /sys/dict/loadTreeData...

WordPress JobWP Plugin <= 2.3.9 - SQL Injection

The JobWP - Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwpuploadresume' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparati...

PrestaShop Theme Volty CMS Blog - SQL Injection

In the module 'Theme Volty CMS Blog' tvcmsblog up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions. id: CVE-2023-39650 info: name: PrestaShop Theme Volty CMS Blog - SQL Injection author: mastercho severity: critical description: | In the...

MOVEit Transfer - Remote Code Execution

In Progress MOVEit Transfer before 2021.0.6 13.0.6, 2021.1.4 13.1.4, 2022.0.4 14.0.4, 2022.1.5 14.1.5, and 2023.0.1 15.0.1, a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database...

Leantime < 2.4 - Authenticated SQL Injection

Leantime is an open source project management system. A 'userId' variable in app/domain/files/repositories/class.files.php is not parameterized. An authenticated attacker can send a carefully crafted POST request to /api/jsonrpc to exploit an SQL injection vulnerability. Confidentiality is impact...

Gogs (Go Git Service) - SQL Injection

Multiple SQL injection vulnerabilities in Gogs aka Go Git Service 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to 1 api/v1/repos/search, which is not properly handled in models/repo.go, or 2 api/v1/users/search, which is...

WordPress Newsletters <= 4.13 - Unauthenticated SQL Injection

Newsletters WordPress plugin = 4.13 contains a time-based SQL injection caused by insufficient escaping of the 'wpmlsubscriberid' parameter, letting unauthenticated attackers extract sensitive database information. id: CVE-2026-3018 info: name: WordPress Newsletters = 4.13 - Unauthenticated SQL...

NocoBase - SQL Injection

NocoBase @nocobase/plugin-collection-sql versions prior to 2.0.39 are vulnerable to SQL injection via the sqlCollection:update endpoint. The checkSQL function, which blocks dangerous SQL keywords and ensures only SELECT statements are allowed, is not called during collection updates. id:...