329 matches found
CVE
Vulnerability Report: Unauthenticated SQL Injection in Hospita...
WordPress Riaxe Product Customizer plugin <= 2.1.2 - Unauthenticated SQL Injection via 'options' Parameter Keys in product_data vulnerability
Unauthenticated SQL Injection via 'options' Parameter Keys in product_data vulnerability discovered by Kai Aizen in WordPress Plugin Riaxe Product Customizer versions <= 2.1.2...
AVideo Unauthenticated SQL Injection Credential Dump
AVideo use auxiliary/gather/avideocatnamesqli msf auxiliaryavideocatnamesqli show actions ...actions... msf auxiliaryavideocatnamesqli set ACTION msf auxiliaryavideocatnamesqli show options ...show and set options... msf auxiliaryavideocatnamesqli run This module requires Metasploit:...
CVE-2026-33615
The CVE-2026-33615 entry concerns MB connect line mbCONNECT24 with an unauthenticated SQL injection in the setinfo endpoint. The issue arises from improper neutralization in a SQL UPDATE command, enabling an attacker with network access (no auth, no user interaction) to compromise integrity and a...
CVE-2026-33614 MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the getinfo endpoint
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...
CVE-2019-25643
CVE-2019-25643 affects eNdonesia Portal v8.7 and describes multiple SQL injection vulnerabilities in banners.php via the bid parameter. The flaws allow unauthenticated attackers to execute arbitrary SQL and exfiltrate information from INFORMATION_SCHEMA tables. The vulnerability is characterized ...
WordPress Quentn WP plugin <= 1.2.12 - Unauthenticated SQL Injection via 'qntn_wp_access' Cookie vulnerability
Unauthenticated SQL Injection via 'qntn_wp_access' Cookie vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Quentn WP versions <= 1.2.12...
CVE-2026-33352 AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)
WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in objects/category.php in the getAllCategories method. The doNotShowCats request parameter is sanitized only by stripping single-quote characters (`str_replace("'", '', ...)`), but...
CVE-2026-3658 Appointment Booking Calendar <= 1.6.10.0 - Unauthenticated SQL Injection via 'fields' Parameter
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'fields' parameter in all versions up to, and including, 1.6.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparati...
CVE-2026-28430 Chamilo LMS Vulnerable to Unauthenticated SQL Injection in chamiko-lms model.ajax.php
Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the custom_dates parameter. By chaining this with a predictable legacy password reset mechanism, an...
CVE-2026-28430
Chamilo LMS is affected by an unauthenticated SQL injection in the chamiko-lms model.ajax.php component prior to version 1.11.34, exploitable via the custom_dates parameter. Successful exploitation can lead to full administrative account takeover and access to the entire database (including PII a...
CVE-2026-3496 JetBooking <= 4.0.3 - Unauthenticated SQL Injection via 'check_in_date' Parameter
The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...
PT-2026-24548
Name of the Vulnerable Software and Affected Versions The Ally – Web Accessibility & Usability plugin for WordPress versions prior to 4.1.0 Description The Ally – Web Accessibility & Usability plugin for WordPress is susceptible to SQL Injection through the URL path. This occurs because of...
CVE-2026-28501 WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a...
CVE-2026-28562
wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::gettopics where the ORDER BY clause relies on ineffective esc_sql sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials...
CVE-2019-25456
Web Ofisi Emlak v2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'ara' GET parameter. Attackers can send requests to with time-based SQL injection payloads to extract sensitive database information or...
CVE-2025-13192
The CVE-2025-13192 entry describes a generic SQL Injection in the WordPress plugin “Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers” for versions up to 2.2.0. Root cause: insufficient escaping and inadequate query preparation on user-supplied par...