WordPress Documentor plugin <= 1.5.3 - Unauthenticated SQL Injection (SQLi) vulnerability

Unauthenticated SQL Injection SQLi vulnerability discovered by cydave in WordPress Documentor plugin versions = 1.5.3. Solution Deactivate and delete. This plugin has been closed as of March 29, 2022 and is not available for download. This closure is temporary, pending a full review...

Master Elements <= 8.0 - Unauthenticated SQLi

The plugin does not validate and escape the metaids parameter of its removepostmetacondition AJAX action available to both unauthenticated and authenticated users before using it in a SQL statement, leading to an unauthenticated SQL Injection As unauthenticated:...

CVE-2022-0784

The Title Experiments Free WordPress plugin before 9.0.1 does not sanitise and escape the id parameter before using it in a SQL statement via the wpextitles AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection...

CVE-2022-0747

The Infographic Maker WordPress plugin before 4.3.8 does not validate and escape the postid parameter before using it in a SQL statement via the qcldupvoteaction AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL Injection...

CVE-2022-0694

The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abcbookinggetSingleCalendar AJAX action available to both unauthenticated and authenticated users, leading to an unauthenticated SQL injection...

CVE-2022-0694 Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection

The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abcbookinggetSingleCalendar AJAX action available to both unauthenticated and authenticated users, leading to an unauthenticated SQL injection...

CVE-2022-0169

The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwgtagidbwgthumbnails0 parameter before using it in a SQL statement via the bwgfrontenddata AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL injection...

CVE-2022-0658

CVE-2022-0658 affects the CommonsBooking WordPress plugin prior to version 2.6.8. The vulnerability arises because the plugin does not sanitize/escape the location parameter of the calendar_data AJAX action, which is accessible to unauthenticated users, before building dynamic SQL queries. This l...

WordPress NotificationX plugin <= 2.3.11 - Unauthenticated SQL Injection (SQLi) vulnerability

Unauthenticated SQL Injection SQLi vulnerability discovered by mikemyers in WordPress NotificationX plugin versions = 2.3.11. Solution Update the WordPress NotificationX plugin to the latest available version at least 2.3.12...

Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection

The plugin does not validate and escape the calendar parameter before using it in a SQL statement via the abcbookinggetSingleCalendar AJAX action available to both unauthenticated and authenticated users, leading to an unauthenticated SQL injection PoC 1. Install the vulnerable plugin...

PT-2022-15683 · Cybonet · Pineapp Mail Relay

Name of the Vulnerable Software and Affected Versions: Cybonet - PineApp Mail Relay affected versions not specified Description: The issue concerns an unauthenticated SQL injection vulnerability. An attacker can send a request to specific API endpoints, such as...

WordPress 5 Stars Rating Funnel plugin <= 1.2.49 - Unauthenticated SQL Injection (SQLi) vulnerability

Unauthenticated SQL Injection SQLi vulnerability discovered by cydave in WordPress 5 Stars Rating Funnel plugin versions = 1.2.49. Solution Update the WordPress 5 Stars Rating Funnel plugin to the latest available version at least 1.2.50...

CVE-2021-44779

Unauthenticated SQL Injection SQLi vulnerability discovered in GWA AutoResponder WordPress plugin versions = 2.3, vulnerable at &listid. No patched version available, plugin closed...

Sql injection

Unauthenticated SQL Injection SQLi vulnerability discovered in GWA AutoResponder WordPress plugin versions = 2.3, vulnerable at &listid. No patched version available, plugin closed...

CVE-2021-44779

CVE-2021-44779 affects the WordPress plugin GWA AutoResponder (versions

CVE-2021-24949 The Plus Addons for Elementor Pro < 5.0.7 - Unauthenticated SQL Injection

The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection...

PT-2021-16381 · WordPress · Modern Events Calendar Lite

Name of the Vulnerable Software and Affected Versions: The Modern Events Calendar Lite WordPress plugin versions prior to 6.1.5 Description: The issue is related to an unauthenticated SQL injection problem. It occurs because the time parameter is not properly sanitised and escaped before being us...

WordPress Hide My WP premium plugin <= 6.2.3 - Unauthenticated SQL injection (SQLi) vulnerability

Unauthenticated SQL injection SQLi vulnerability discovered by Dave Jong Patchstack in WordPress Hide My WP premium plugin versions = 6.2.3. Solution Update the WordPress Hide My WP premium plugin to the latest available version at least 6.2.4...

WordPress WCFM Marketplace plugin <= 3.4.11 - Unauthenticated SQL Injection (SQLi) vulnerability

Unauthenticated SQL Injection SQLi vulnerability discovered by JrXnm in WordPress WCFM Marketplace plugin versions = 3.4.11. Solution Update the WordPress WCFM Marketplace plugin to the latest available version at least 3.4.12...

Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure

The plugin does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users...