Skip to main content

CWE-89

SQL Injection

12049 CVEs Avg CVSS 8.1 MITRE
4271
CRITICAL
5139
HIGH
2320
MEDIUM
303
LOW
6762
POC
24
KEV

Monthly

CVE-2026-15727 MEDIUM This Month

SQL injection in the WP Bulk Delete WordPress plugin (all versions up to and including 1.4.2) allows authenticated attackers holding administrator-level privileges to append arbitrary SQL to existing queries via the delete_user_roles POST parameter, enabling full database read access. The root cause is a code-level stripping of WordPress's built-in magic-quotes protection: wp_unslash() is called on the raw POST body before parse_str() decomposes it, leaving attacker-controlled values fully unescaped when they reach the SQL sink in class-delete-api.php. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; real-world risk is bounded by the administrator authentication requirement.

SQLi WordPress Wp Bulk Delete
NVD
CVSS 3.1
4.9
CVE-2026-58078 HIGH This Week

SQL injection in the Quix Page Builder Pro extension for Joomla lets remote unauthenticated attackers inject arbitrary SQL through a crafted request, enabling database read and write against affected sites. The CVSS 4.0 base score is 8.7 (High), reflecting network vector, low complexity, no privileges, and high impact to confidentiality, integrity, and availability of the vulnerable database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; a third-party disclosure write-up exists on mysites.guru.

SQLi Quix Page Builder Pro Extension For Joomla
NVD
CVSS 4.0
8.7
CVE-2026-15651 MEDIUM This Month

SQL Injection in the WP TripAdvisor Review Slider WordPress plugin (all versions through 14.6) allows authenticated attackers holding administrator-level credentials to append arbitrary SQL to existing queries via the unsanitized 'filtersource' parameter, exposing sensitive data stored in the WordPress database. The flaw originates from insufficient escaping and missing prepared statement usage across multiple display and admin class files identified by Wordfence. No public exploit code or active exploitation has been identified at time of analysis, and the high privilege requirement significantly constrains real-world impact.

SQLi WordPress Wp Tripadvisor Review Slider
NVD
CVSS 3.1
4.9
CVE-2026-15022 MEDIUM This Month

{id} - complicates both detection and opportunistic exploitation, as the attacker cannot independently fire the injected SQL. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not provided.

SQLi WordPress Tutor Lms Elearning And Online Course Solution
NVD
CVSS 3.1
6.5
CVE-2026-13754 MEDIUM This Month

SQL Injection in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) permits authenticated attackers holding a custom-level role or above to append arbitrary SQL to existing queries via the unsanitized 's' search parameter, enabling full database read access. The vulnerability originates in the better-attendees-and-tickets addon (index.php lines 50, 485, and 502) and is confirmed by Wordfence with source code evidence. No active exploitation is confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis, keeping real-world urgency moderate despite the High confidentiality impact.

SQLi WordPress Tickera Sell Tickets Manage Events
NVD
CVSS 3.1
6.5
CVE-2026-13767 MEDIUM This Month

Second-order SQL injection in Quiz Master Next (QSM) for WordPress through version 11.2.0 allows authenticated attackers holding Author-level access to plant SQL payloads in quiz page data that execute whenever any user - including administrators - views the affected quiz's Questions tab. The root cause is a two-stage failure: the qsm_ajax_save_pages() AJAX handler sanitizes user-supplied 'pages' values only with sanitize_text_field() (which strips HTML/PHP tags but does not escape SQL-special characters), then qsm_options_questions_tab_content() at line 143 reconstructs those stored values into an IN() clause via implode() with no $wpdb->prepare() call and no integer casting. No public exploit code has been identified at time of analysis; however, the split-phase attack pattern - where payload planting and execution are decoupled - commonly evades first-order WAF detection and standard code scanning, elevating practical risk beyond the 6.5 CVSS score alone.

SQLi WordPress Quiz And Survey Master Qsm Quiz Maker Survey Maker
NVD
CVSS 3.1
6.5
CVE-2026-15458 MEDIUM This Month

SQL Injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'sort_field' parameter, exposing sensitive database contents. The vulnerability resides in seo-booster.php (lines 389, 404, 406) where user-supplied sort input is neither escaped nor parameterized before being incorporated into SQL execution. Despite a high confidentiality impact, exploitation is gated behind WordPress administrator-level credentials (PR:H), substantially limiting the realistic attack surface. No public exploit identified at time of analysis; a WordPress Trac changeset (3606177) suggests a patch has been committed.

SQLi WordPress Seo Booster
NVD
CVSS 3.1
4.9
CVE-2026-15445 MEDIUM This Month

Time-based SQL injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) allows authenticated administrators to extract sensitive database contents by manipulating the unquoted 'orderby' parameter in the Google Search Console list table component. The root cause is that developer-applied sanitization functions esc_sql() and sanitize_text_field() fail to neutralize SQL keywords, subquery syntax, commas, or parentheses when used in an ORDER BY clause context, leaving the clause fully attacker-controlled. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS score data was not provided.

SQLi WordPress Seo Booster
NVD
CVSS 3.1
4.9
CVE-2026-12941 MEDIUM This Month

SQL injection in MultiVendorX (WooCommerce Multivendor Marketplace) plugin versions up to and including 5.0.9 allows any authenticated WordPress user to extract sensitive data from the database via the unparameterized 'order_by' argument in the transactions REST endpoint. Critically, the default plugin configuration automatically approves store owner registrations, meaning any subscriber-level WordPress account holder can self-elevate to store_owner role via the public Stores REST endpoint, then immediately exploit the injection - effectively lowering the real-world privilege bar to any authenticated user. No public exploit code or CISA KEV listing has been identified at time of analysis, but the default-on privilege escalation path substantially raises exploitability beyond the PR:L CVSS score suggests.

SQLi WordPress Multivendorx Woocommerce Multivendor Marketplace Ai Powered Solutions
NVD VulDB
CVSS 3.1
6.5
CVE-2026-12753 HIGH This Week

SQL injection in ThemeHunk's Advance Product Search - Voice & Ajax Search for WooCommerce plugin (all versions ≤ 1.4.4) lets unauthenticated attackers inject arbitrary SQL through the 's' and 'match' search parameters, enabling extraction of sensitive database contents such as user credentials and order data. The flaw stems from unescaped, unprepared query construction in the plugin's AJAX search backend and is remotely exploitable without authentication or user interaction. Reported by Wordfence; no public exploit identified at time of analysis and not listed in CISA KEV.

SQLi WordPress Advance Product Search Voice Ajax Search For Woocommerce
NVD VulDB
CVSS 3.1
7.5
CVSS 4.9
MEDIUM This Month

SQL injection in the WP Bulk Delete WordPress plugin (all versions up to and including 1.4.2) allows authenticated attackers holding administrator-level privileges to append arbitrary SQL to existing queries via the delete_user_roles POST parameter, enabling full database read access. The root cause is a code-level stripping of WordPress's built-in magic-quotes protection: wp_unslash() is called on the raw POST body before parse_str() decomposes it, leaving attacker-controlled values fully unescaped when they reach the SQL sink in class-delete-api.php. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; real-world risk is bounded by the administrator authentication requirement.

SQLi WordPress Wp Bulk Delete
NVD
CVSS 8.7
HIGH This Week

SQL injection in the Quix Page Builder Pro extension for Joomla lets remote unauthenticated attackers inject arbitrary SQL through a crafted request, enabling database read and write against affected sites. The CVSS 4.0 base score is 8.7 (High), reflecting network vector, low complexity, no privileges, and high impact to confidentiality, integrity, and availability of the vulnerable database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; a third-party disclosure write-up exists on mysites.guru.

SQLi Quix Page Builder Pro Extension For Joomla
NVD
CVSS 4.9
MEDIUM This Month

SQL Injection in the WP TripAdvisor Review Slider WordPress plugin (all versions through 14.6) allows authenticated attackers holding administrator-level credentials to append arbitrary SQL to existing queries via the unsanitized 'filtersource' parameter, exposing sensitive data stored in the WordPress database. The flaw originates from insufficient escaping and missing prepared statement usage across multiple display and admin class files identified by Wordfence. No public exploit code or active exploitation has been identified at time of analysis, and the high privilege requirement significantly constrains real-world impact.

SQLi WordPress Wp Tripadvisor Review Slider
NVD
CVSS 6.5
MEDIUM This Month

{id} - complicates both detection and opportunistic exploitation, as the attacker cannot independently fire the injected SQL. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not provided.

SQLi WordPress Tutor Lms Elearning And Online Course Solution
NVD
CVSS 6.5
MEDIUM This Month

SQL Injection in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) permits authenticated attackers holding a custom-level role or above to append arbitrary SQL to existing queries via the unsanitized 's' search parameter, enabling full database read access. The vulnerability originates in the better-attendees-and-tickets addon (index.php lines 50, 485, and 502) and is confirmed by Wordfence with source code evidence. No active exploitation is confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis, keeping real-world urgency moderate despite the High confidentiality impact.

SQLi WordPress Tickera Sell Tickets Manage Events
NVD
CVSS 6.5
MEDIUM This Month

Second-order SQL injection in Quiz Master Next (QSM) for WordPress through version 11.2.0 allows authenticated attackers holding Author-level access to plant SQL payloads in quiz page data that execute whenever any user - including administrators - views the affected quiz's Questions tab. The root cause is a two-stage failure: the qsm_ajax_save_pages() AJAX handler sanitizes user-supplied 'pages' values only with sanitize_text_field() (which strips HTML/PHP tags but does not escape SQL-special characters), then qsm_options_questions_tab_content() at line 143 reconstructs those stored values into an IN() clause via implode() with no $wpdb->prepare() call and no integer casting. No public exploit code has been identified at time of analysis; however, the split-phase attack pattern - where payload planting and execution are decoupled - commonly evades first-order WAF detection and standard code scanning, elevating practical risk beyond the 6.5 CVSS score alone.

SQLi WordPress Quiz And Survey Master Qsm Quiz Maker Survey Maker
NVD
CVSS 4.9
MEDIUM This Month

SQL Injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'sort_field' parameter, exposing sensitive database contents. The vulnerability resides in seo-booster.php (lines 389, 404, 406) where user-supplied sort input is neither escaped nor parameterized before being incorporated into SQL execution. Despite a high confidentiality impact, exploitation is gated behind WordPress administrator-level credentials (PR:H), substantially limiting the realistic attack surface. No public exploit identified at time of analysis; a WordPress Trac changeset (3606177) suggests a patch has been committed.

SQLi WordPress Seo Booster
NVD
CVSS 4.9
MEDIUM This Month

Time-based SQL injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) allows authenticated administrators to extract sensitive database contents by manipulating the unquoted 'orderby' parameter in the Google Search Console list table component. The root cause is that developer-applied sanitization functions esc_sql() and sanitize_text_field() fail to neutralize SQL keywords, subquery syntax, commas, or parentheses when used in an ORDER BY clause context, leaving the clause fully attacker-controlled. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS score data was not provided.

SQLi WordPress Seo Booster
NVD
CVSS 6.5
MEDIUM This Month

SQL injection in MultiVendorX (WooCommerce Multivendor Marketplace) plugin versions up to and including 5.0.9 allows any authenticated WordPress user to extract sensitive data from the database via the unparameterized 'order_by' argument in the transactions REST endpoint. Critically, the default plugin configuration automatically approves store owner registrations, meaning any subscriber-level WordPress account holder can self-elevate to store_owner role via the public Stores REST endpoint, then immediately exploit the injection - effectively lowering the real-world privilege bar to any authenticated user. No public exploit code or CISA KEV listing has been identified at time of analysis, but the default-on privilege escalation path substantially raises exploitability beyond the PR:L CVSS score suggests.

SQLi WordPress Multivendorx Woocommerce Multivendor Marketplace Ai Powered Solutions
NVD VulDB
CVSS 7.5
HIGH This Week

SQL injection in ThemeHunk's Advance Product Search - Voice & Ajax Search for WooCommerce plugin (all versions ≤ 1.4.4) lets unauthenticated attackers inject arbitrary SQL through the 's' and 'match' search parameters, enabling extraction of sensitive database contents such as user credentials and order data. The flaw stems from unescaped, unprepared query construction in the plugin's AJAX search backend and is remotely exploitable without authentication or user interaction. Reported by Wordfence; no public exploit identified at time of analysis and not listed in CISA KEV.

SQLi WordPress Advance Product Search Voice Ajax Search For Woocommerce
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy