
329 matches found

Vulnrichment
added 2022/05/10 7:29 p.m. · 3 views

CVE-2022-1453 RSVPMaker <= 9.2.5 - Unauthenticated SQL Injection

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-util.php file. This makes it possible for unauthenticated attackers to steal sensitive information from t...

CVSS 9.8 · AI score 7.1 · EPSS 0.06906
Exploits 0 · References 4
NVD
added 2022/05/02 4:15 p.m. · 17 views

CVE-2022-0771

The SiteSuperCharger WordPress plugin before 5.2.0 does not validate, sanitise and escape various user inputs before using them in SQL statements via AJAX actions available to both unauthenticated and authenticated users, leading to Unauthenticated SQL Injections...

CVSS 9.8 · EPSS 0.01568
Exploits 2 · References 1
wpexploit
added 2022/05/02 12:00 a.m. · 204 views

Nirweb support < 2.8.2 - Unauthenticated SQLi

The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an SQL injection curl https://example.com/wp-admin/admin-ajax.php --data 'action=answerdticket&idform=1 UNION ALL SELECT NULL,NULL,SELECT userpa...

CVSS 9.8 · AI score 1.6 · EPSS 0.12408
Exploits 2
ATTACKERKB
added 2022/04/25 4:16 p.m. · 4 views

CVE-2022-0657

The 5 Stars Rating Funnel WordPress Plugin | RRatingg WordPress plugin before 1.2.54 does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtnggdeleteleads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection...

CVSS 9.8 · AI score 7.9 · EPSS 0.01743
Exploits 2 · References 2
OSV
added 2022/04/25 4:16 p.m. · 3 views

CVE-2022-0657

The 5 Stars Rating Funnel WordPress Plugin | RRatingg WordPress plugin before 1.2.54 does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtnggdeleteleads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection...

CVSS 9.8 · AI score 5.8 · EPSS 0.01743
Exploits 2 · References 1
CVE
added 2022/04/25 3:51 p.m. · 66 views

CVE-2022-0782

CVE-2022-0782 affects the WordPress Donations plugin (versions up to 1.8). The root cause is improper sanitisation/escaping of the nd_donations_id parameter, which is used unsafely in an SQL statement inside the unauthenticated AJAX action nd_donations_single_cause_form_validate_fields_php_functi...

CVSS 9.8 · AI score 9.9 · EPSS 0.01743
Exploits 2 · References 1 · Affected software 1
Patchstack
added 2022/04/12 12:00 a.m. · 28 views

WordPress Order Listener for WooCommerce plugin <= 3.2.1 - Unauthenticated SQL Injection (SQLi) vulnerability

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Order Listener for WooCommerce plugin versions <= 3.2.1. Solution: Update the WordPress Order Listener for WooCommerce plugin to the latest available version, at least 3.2.2...

CVSS 9.8 · AI score 3.4 · EPSS 0.09792
Exploits 2 · References 3 · Affected software 1
Patchstack
added 2022/04/05 12:00 a.m. · 26 views

WordPress Documentor plugin <= 1.5.3 - Unauthenticated SQL Injection (SQLi) vulnerability

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Documentor plugin versions <= 1.5.3. Solution: Deactivate and delete. This plugin has been closed as of March 29, 2022 and is not available for download. This closure is temporary, pending a full review...

CVSS 9.8 · AI score 3.6 · EPSS 0.42227
Exploits 2 · References 3 · Affected software 1
wpexploit
added 2022/03/29 12:00 a.m. · 111 views

Master Elements <= 8.0 - Unauthenticated SQLi

The plugin does not validate and escape the metaids parameter of its removepostmetacondition AJAX action available to both unauthenticated and authenticated users before using it in a SQL statement, leading to an unauthenticated SQL Injection As unauthenticated:...

CVSS 9.8 · AI score 1.8 · EPSS 0.07184
Exploits 2
OSV
added 2022/03/28 6:15 p.m. · 1 view

CVE-2022-0784

The Title Experiments Free WordPress plugin before 9.0.1 does not sanitise and escape the id parameter before using it in a SQL statement via the wpextitles AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection...

CVSS 9.8 · AI score 7.3
Exploits 0 · References 1
ATTACKERKB
added 2022/03/21 7:15 p.m. · 5 views

CVE-2022-0694

The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abcbookinggetSingleCalendar AJAX action available to both unauthenticated and authenticated users, leading to an unauthenticated SQL injection...

CVSS 9.8 · AI score 7.9 · EPSS 0.01821
Exploits 2 · References 3
NVD
added 2022/03/21 7:15 p.m. · 19 views

CVE-2022-0747

The Infographic Maker WordPress plugin before 4.3.8 does not validate and escape the postid parameter before using it in a SQL statement via the qcldupvoteaction AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL Injection...

CVSS 9.8 · EPSS 0.15254
Exploits 2 · References 2
Cvelist
added 2022/03/21 6:55 p.m. · 18 views

CVE-2022-0694 Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection

The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abcbookinggetSingleCalendar AJAX action available to both unauthenticated and authenticated users, leading to an unauthenticated SQL injection...

AI score 10 · EPSS 0.01821
Exploits 2 · References 2
OSV
added 2022/03/14 3:15 p.m. · 4 views

CVE-2022-0169

The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwgtagidbwgthumbnails0 parameter before using it in a SQL statement via the bwgfrontenddata AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL injection...

CVSS 9.8 · AI score 5.8 · EPSS 0.74615
Exploits 4 · References 2
CVE
added 2022/03/14 2:41 p.m. · 104 views

CVE-2022-0658

CVE-2022-0658 affects the CommonsBooking WordPress plugin prior to version 2.6.8. The vulnerability arises because the plugin does not sanitize/escape the location parameter of the calendar_data AJAX action, which is accessible to unauthenticated users, before building dynamic SQL queries. This l...

CVSS 9.8 · AI score 9.9 · EPSS 0.08852
Exploits 2 · References 1 · Affected software 1
Patchstack
added 2022/02/28 12:00 a.m. · 18 views

WordPress NotificationX plugin <= 2.3.11 - Unauthenticated SQL Injection (SQLi) vulnerability

Unauthenticated SQL Injection (SQLi) vulnerability discovered by mikemyers in WordPress NotificationX plugin versions <= 2.3.11. Solution: Update the WordPress NotificationX plugin to the latest available version, at least 2.3.12...

AI score 3.7
Exploits 0 · References 2 · Affected software 1
WPVulnDB
added 2022/02/28 12:00 a.m. · 20 views

Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection

The plugin does not validate and escape the calendar parameter before using it in a SQL statement via the abcbookinggetSingleCalendar AJAX action available to both unauthenticated and authenticated users, leading to an unauthenticated SQL injection PoC 1. Install the vulnerable plugin...

CVSS 9.8 · AI score 0.6 · EPSS 0.01821
Exploits 2 · References 1 · Affected software 1
Positive Technologies
added 2022/02/24 12:00 a.m. · 3 views

PT-2022-15683 · Cybonet · Pineapp Mail Relay

Name of the Vulnerable Software and Affected Versions: Cybonet - PineApp Mail Relay affected versions not specified Description: The issue concerns an unauthenticated SQL injection vulnerability. An attacker can send a request to specific API endpoints, such as...

CVSS 9.8 · AI score 9.9 · EPSS 0.00971
Exploits 0 · References 5
Patchstack
added 2022/02/21 12:00 a.m. · 37 views

WordPress 5 Stars Rating Funnel plugin <= 1.2.49 - Unauthenticated SQL Injection (SQLi) vulnerability

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress 5 Stars Rating Funnel plugin versions <= 1.2.49. Solution: Update the WordPress 5 Stars Rating Funnel plugin to the latest available version, at least 1.2.50...

CVSS 9.8 · AI score 3.2 · EPSS 0.01743
Exploits 2 · References 3 · Affected software 1
OSV
added 2022/02/04 11:15 p.m. · 2 views

CVE-2021-44779

Unauthenticated SQL Injection (SQLi) vulnerability discovered in GWA AutoResponder WordPress plugin versions = 2.3, vulnerable at &listid. No patched version available; plugin closed...

CVSS 9.8 · AI score 5.8 · EPSS 0.01058
Exploits 0 · References 2