Simply-Blog through 2019-01-01 has SQL Injection via the admin/deleteCategories.php delete parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQLi
PHP
Simply Blog
NVD
GitHub
CVSS 3.0
7.5
EPSS
1.1%