323 matches found

NVD
added 2022/03/21 7:15 p.m., 8 views

CVE-2022-0747

The Infographic Maker WordPress plugin before 4.3.8 does not validate and escape the postid parameter before using it in a SQL statement via the qcldupvoteaction AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL Injection...

9.8 CVSS, 0.84861 EPSS
Exploits: 2, References: 2

Cvelist
added 2022/03/21 6:55 p.m., 12 views

CVE-2022-0694 Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection

The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abcbookinggetSingleCalendar AJAX action available to both unauthenticated and authenticated users, leading to an unauthenticated SQL injection...

10 AI score, 0.00868 EPSS
Exploits: 2, References: 2

OSV
added 2022/03/14 3:15 p.m., 1 view

CVE-2022-0169

The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwgtagidbwgthumbnails0 parameter before using it in a SQL statement via the bwgfrontenddata AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL injection...

9.8 CVSS, 5.8 AI score
Exploits: 0, References: 2

CVE
added 2022/03/14 2:41 p.m., 99 views

CVE-2022-0658

CVE-2022-0658 affects the CommonsBooking WordPress plugin prior to version 2.6.8. The vulnerability arises because the plugin does not sanitize/escape the location parameter of the calendar_data AJAX action, which is accessible to unauthenticated users, before building dynamic SQL queries. This l...

9.8 CVSS, 9.9 AI score, 0.47252 EPSS
Exploits: 2, References: 1, Affected Software: 1

Patchstack
added 2022/02/28 12:0 a.m., 17 views

WordPress NotificationX plugin <= 2.3.11 - Unauthenticated SQL Injection (SQLi) vulnerability

Unauthenticated SQL Injection (SQLi) vulnerability discovered by mikemyers in WordPress NotificationX plugin (versions <= 2.3.11). Solution: Update the WordPress NotificationX plugin to the latest available version (at least 2.3.12)...

3.7 AI score
Exploits: 0, References: 2, Affected Software: 1

WPVulnDB
added 2022/02/28 12:0 a.m., 19 views

Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection

The plugin does not validate and escape the calendar parameter before using it in a SQL statement via the abcbookinggetSingleCalendar AJAX action available to both unauthenticated and authenticated users, leading to an unauthenticated SQL injection. PoC: 1. Install the vulnerable plugin...

9.8 CVSS, 0.6 AI score, 0.00868 EPSS
Exploits: 2, References: 1, Affected Software: 1

Positive Technologies
added 2022/02/24 12:0 a.m., 3 views

PT-2022-15683 · Cybonet · Pineapp Mail Relay

Name of the Vulnerable Software and Affected Versions: Cybonet - PineApp Mail Relay (affected versions not specified). Description: The issue concerns an unauthenticated SQL injection vulnerability. An attacker can send a request to specific API endpoints, such as...

9.8 CVSS, 9.9 AI score, 0.00876 EPSS
Exploits: 0, References: 5

Patchstack
added 2022/02/21 12:0 a.m., 33 views

WordPress 5 Stars Rating Funnel plugin <= 1.2.49 - Unauthenticated SQL Injection (SQLi) vulnerability

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress 5 Stars Rating Funnel plugin (versions <= 1.2.49). Solution: Update the WordPress 5 Stars Rating Funnel plugin to the latest available version (at least 1.2.50)...

9.8 CVSS, 3.2 AI score, 0.03258 EPSS
Exploits: 2, References: 3, Affected Software: 1

OSV
added 2022/02/04 11:15 p.m., 1 view

CVE-2021-44779

Unauthenticated SQL Injection (SQLi) vulnerability discovered in GWA AutoResponder WordPress plugin (versions <= 2.3), vulnerable at &listid. No patched version available, plugin closed...

9.8 CVSS, 5.8 AI score
Exploits: 0, References: 2

Prion
added 2022/02/04 11:15 p.m., 15 views

Sql injection

Unauthenticated SQL Injection (SQLi) vulnerability discovered in GWA AutoResponder WordPress plugin (versions <= 2.3), vulnerable at &listid. No patched version available, plugin closed...

7.5 CVSS, 9.8 AI score, 0.00455 EPSS
Exploits: 0, References: 2, Affected Software: 1

CVE
added 2022/02/04 10:29 p.m., 58 views

CVE-2021-44779

CVE-2021-44779 affects the WordPress plugin GWA AutoResponder (versions

9.8 CVSS, 9 AI score, 0.00455 EPSS
Exploits: 0, References: 2, Affected Software: 1

Cvelist
added 2022/01/10 3:30 p.m., 15 views

CVE-2021-24949 The Plus Addons for Elementor Pro < 5.0.7 - Unauthenticated SQL Injection

The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection...

9.9 AI score, 0.0091 EPSS
Exploits: 2, References: 2

Positive Technologies
added 2021/12/13 12:0 a.m., 7 views

PT-2021-16381 · WordPress · Modern Events Calendar Lite

Name of the Vulnerable Software and Affected Versions: The Modern Events Calendar Lite WordPress plugin versions prior to 6.1.5. Description: The issue is related to an unauthenticated SQL injection problem. It occurs because the time parameter is not properly sanitised and escaped before being us...

9.8 CVSS, 9.8 AI score, 0.6014 EPSS
Exploits: 7, References: 10

Patchstack
added 2021/11/24 12:0 a.m., 11 views

WordPress Hide My WP premium plugin <= 6.2.3 - Unauthenticated SQL injection (SQLi) vulnerability

Unauthenticated SQL injection (SQLi) vulnerability discovered by Dave Jong (Patchstack) in WordPress Hide My WP premium plugin (versions <= 6.2.3). Solution: Update the WordPress Hide My WP premium plugin to the latest available version (at least 6.2.4)...

9.8 CVSS, 1.9 AI score, 0.00614 EPSS
Exploits: 1, References: 3, Affected Software: 1

Patchstack
added 2021/11/22 12:0 a.m., 13 views

WordPress WCFM Marketplace plugin <= 3.4.11 - Unauthenticated SQL Injection (SQLi) vulnerability

Unauthenticated SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress WCFM Marketplace plugin (versions <= 3.4.11). Solution: Update the WordPress WCFM Marketplace plugin to the latest available version (at least 3.4.12)...

9.8 CVSS, 3 AI score, 0.74641 EPSS
Exploits: 2, References: 3, Affected Software: 1

wpexploit
added 2021/11/01 12:0 a.m., 620 views

Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure

The plugin does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated users to perform SQL injection attacks, as well as get the list of all users...

9.8 CVSS, 9.5 AI score, 0.83569 EPSS
Exploits: 2, References: 1

OSV
added 2021/09/27 4:15 p.m., 0 views

CVE-2021-36880

Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom...

9.8 CVSS, 5.8 AI score
Exploits: 0, References: 2

0day.today
added 2021/09/23 12:0 a.m., 177 views

Police Crime Record Management Project 1.0 - Time Based SQL injection Vulnerability

Exploit Title: Police Crime Record Management Project 1.0 - Time Based SQLi Exploit Author: t//\1 Vendor Homepage: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html Tested on: Linux Version: 1.0 Exploit Description: The application is prone to an arbitrary...

Exploits: 0

Exploit DB
added 2021/09/23 12:0 a.m., 207 views

Police Crime Record Management Project 1.0 - Time Based SQLi

Exploit Title: Police Crime Record Management Project 1.0 - Time Based SQLi Exploit Author: t//\1 Date: 23/09/2021 Vendor Homepage: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html Tested on: Linux Version: 1.0 Exploit Description: The application is prone to an...

7.4 AI score
Exploits: 0

Cvelist
added 2021/09/20 10:6 a.m., 13 views

CVE-2021-24404 WP-Board <= 1.1 (beta) - Unauthenticated SQL Injection

The options.php file of the WP-Board WordPress plugin through 1.1 beta accepts a postid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. This is a time based SQLI and in the same function vulnerable parameter is passed twice so ...

9.2 AI score, 0.00582 EPSS
Exploits: 2, References: 2