Monthly
SQL Injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'sort_field' parameter, exposing sensitive database contents. The vulnerability resides in seo-booster.php (lines 389, 404, 406) where user-supplied sort input is neither escaped nor parameterized before being incorporated into SQL execution. Despite a high confidentiality impact, exploitation is gated behind WordPress administrator-level credentials (PR:H), substantially limiting the realistic attack surface. No public exploit identified at time of analysis; a WordPress Trac changeset (3606177) suggests a patch has been committed.
Time-based SQL injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) allows authenticated administrators to extract sensitive database contents by manipulating the unquoted 'orderby' parameter in the Google Search Console list table component. The root cause is that developer-applied sanitization functions esc_sql() and sanitize_text_field() fail to neutralize SQL keywords, subquery syntax, commas, or parentheses when used in an ORDER BY clause context, leaving the clause fully attacker-controlled. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS score data was not provided.
SQL injection in MultiVendorX (WooCommerce Multivendor Marketplace) plugin versions up to and including 5.0.9 allows any authenticated WordPress user to extract sensitive data from the database via the unparameterized 'order_by' argument in the transactions REST endpoint. Critically, the default plugin configuration automatically approves store owner registrations, meaning any subscriber-level WordPress account holder can self-elevate to store_owner role via the public Stores REST endpoint, then immediately exploit the injection - effectively lowering the real-world privilege bar to any authenticated user. No public exploit code or CISA KEV listing has been identified at time of analysis, but the default-on privilege escalation path substantially raises exploitability beyond the PR:L CVSS score suggests.
SQL injection in ThemeHunk's Advance Product Search - Voice & Ajax Search for WooCommerce plugin (all versions ≤ 1.4.4) lets unauthenticated attackers inject arbitrary SQL through the 's' and 'match' search parameters, enabling extraction of sensitive database contents such as user credentials and order data. The flaw stems from unescaped, unprepared query construction in the plugin's AJAX search backend and is remotely exploitable without authentication or user interaction. Reported by Wordfence; no public exploit identified at time of analysis and not listed in CISA KEV.
SQL injection in H3C SecPath F1000-C8300 (firmware up to 20260522) allows unauthenticated remote attackers to manipulate database queries via the `subject` parameter in the `/webui/?g=log_fw_nbc_mail_jsondata` web management endpoint. The vendor has confirmed the vulnerability and acknowledged a planned fix, but no patch is released as of the disclosure date. A publicly available exploit exists (hosted on Feishu), lowering the bar for exploitation significantly despite the moderate CVSS 4.0 score of 5.5.
SQL injection in listmonk's subscriber export endpoint prior to version 6.2.0 allows a highly-privileged authenticated user to read arbitrary PostgreSQL database tables - including users and settings - and execute data-modifying CTEs. The GET /api/subscribers/export endpoint passed a user-controlled query parameter directly into QuerySubscribersForExport in internal/core/subscribers.go without invoking the validateQueryTables guard that the sibling GET /api/subscribers endpoint correctly applies, creating a bypass of the allowlist-based table restriction. Exploitation requires possession of both the subscribers:sql_query and subscribers:get_all permissions; no public exploit code has been identified at time of analysis.
SQL injection in NocoBase's @nocobase/plugin-notification-in-app-message (before 2.0.61) lets any signed-up authenticated user reach GET /api/myInAppChannels:list and inject into the filter[latestMsgReceiveTimestamp][$lt] parameter, which is concatenated into a Sequelize.literal() template with no escaping or parameter binding. Because PostgreSQL permits stacked statements through this sink, an attacker can run arbitrary SQL and escalate to operating-system command execution via COPY ... TO PROGRAM. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the code fix and regression tests are public in the vendor commit, and the vendor rates it CVSS 10.0.
{deptId}. The root cause is SqlparserUtils.transFilter() returning raw, unsanitized user input for operators other than 'in'/'between', which is then string-spliced into the dashboard query via SubstitutedSql.replace(). No public exploit identified at time of analysis and it is not in CISA KEV, but the vendor GHSA advisory, fixing commit, and 2.10.23 release confirm the flaw is real and patched.
Stored SQL injection in DataEase (open source data visualization/BI tool) versions prior to 2.10.23 allows an authenticated user who can define SQL-type datasets to persist malicious SQL through variable defaultValue entries, which later execute against the backend database whenever any user with dataset read permission opens the dataset. The flaw (CWE-89) enables reading and modifying arbitrary database data, and CVSS 4.0 rates it 8.7 (High). No public exploit has been identified at time of analysis, but the upstream fix commit is public, so exploitation prerequisites are well documented.
Arbitrary SQL read access in DataEase before 2.10.23 lets authenticated users abuse the SQL preview feature (/de2api/datasetData/previewSql) to run attacker-supplied queries against any configured datasource. Because DatasetDataManage.previewSql passes the decoded PreviewSqlDTO.sql straight into datasourceRequest.query and CalciteProvider.fetchResultField executes it via prepareStatement().executeQuery(), an attacker can read any table the datasource account can access and receive the rows in the preview response. No public exploit identified at time of analysis, but the fix commit and advisory are public, making the flaw easy to reverse-engineer.
SQL Injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'sort_field' parameter, exposing sensitive database contents. The vulnerability resides in seo-booster.php (lines 389, 404, 406) where user-supplied sort input is neither escaped nor parameterized before being incorporated into SQL execution. Despite a high confidentiality impact, exploitation is gated behind WordPress administrator-level credentials (PR:H), substantially limiting the realistic attack surface. No public exploit identified at time of analysis; a WordPress Trac changeset (3606177) suggests a patch has been committed.
Time-based SQL injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) allows authenticated administrators to extract sensitive database contents by manipulating the unquoted 'orderby' parameter in the Google Search Console list table component. The root cause is that developer-applied sanitization functions esc_sql() and sanitize_text_field() fail to neutralize SQL keywords, subquery syntax, commas, or parentheses when used in an ORDER BY clause context, leaving the clause fully attacker-controlled. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS score data was not provided.
SQL injection in MultiVendorX (WooCommerce Multivendor Marketplace) plugin versions up to and including 5.0.9 allows any authenticated WordPress user to extract sensitive data from the database via the unparameterized 'order_by' argument in the transactions REST endpoint. Critically, the default plugin configuration automatically approves store owner registrations, meaning any subscriber-level WordPress account holder can self-elevate to store_owner role via the public Stores REST endpoint, then immediately exploit the injection - effectively lowering the real-world privilege bar to any authenticated user. No public exploit code or CISA KEV listing has been identified at time of analysis, but the default-on privilege escalation path substantially raises exploitability beyond the PR:L CVSS score suggests.
SQL injection in ThemeHunk's Advance Product Search - Voice & Ajax Search for WooCommerce plugin (all versions ≤ 1.4.4) lets unauthenticated attackers inject arbitrary SQL through the 's' and 'match' search parameters, enabling extraction of sensitive database contents such as user credentials and order data. The flaw stems from unescaped, unprepared query construction in the plugin's AJAX search backend and is remotely exploitable without authentication or user interaction. Reported by Wordfence; no public exploit identified at time of analysis and not listed in CISA KEV.
SQL injection in H3C SecPath F1000-C8300 (firmware up to 20260522) allows unauthenticated remote attackers to manipulate database queries via the `subject` parameter in the `/webui/?g=log_fw_nbc_mail_jsondata` web management endpoint. The vendor has confirmed the vulnerability and acknowledged a planned fix, but no patch is released as of the disclosure date. A publicly available exploit exists (hosted on Feishu), lowering the bar for exploitation significantly despite the moderate CVSS 4.0 score of 5.5.
SQL injection in listmonk's subscriber export endpoint prior to version 6.2.0 allows a highly-privileged authenticated user to read arbitrary PostgreSQL database tables - including users and settings - and execute data-modifying CTEs. The GET /api/subscribers/export endpoint passed a user-controlled query parameter directly into QuerySubscribersForExport in internal/core/subscribers.go without invoking the validateQueryTables guard that the sibling GET /api/subscribers endpoint correctly applies, creating a bypass of the allowlist-based table restriction. Exploitation requires possession of both the subscribers:sql_query and subscribers:get_all permissions; no public exploit code has been identified at time of analysis.
SQL injection in NocoBase's @nocobase/plugin-notification-in-app-message (before 2.0.61) lets any signed-up authenticated user reach GET /api/myInAppChannels:list and inject into the filter[latestMsgReceiveTimestamp][$lt] parameter, which is concatenated into a Sequelize.literal() template with no escaping or parameter binding. Because PostgreSQL permits stacked statements through this sink, an attacker can run arbitrary SQL and escalate to operating-system command execution via COPY ... TO PROGRAM. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the code fix and regression tests are public in the vendor commit, and the vendor rates it CVSS 10.0.
{deptId}. The root cause is SqlparserUtils.transFilter() returning raw, unsanitized user input for operators other than 'in'/'between', which is then string-spliced into the dashboard query via SubstitutedSql.replace(). No public exploit identified at time of analysis and it is not in CISA KEV, but the vendor GHSA advisory, fixing commit, and 2.10.23 release confirm the flaw is real and patched.
Stored SQL injection in DataEase (open source data visualization/BI tool) versions prior to 2.10.23 allows an authenticated user who can define SQL-type datasets to persist malicious SQL through variable defaultValue entries, which later execute against the backend database whenever any user with dataset read permission opens the dataset. The flaw (CWE-89) enables reading and modifying arbitrary database data, and CVSS 4.0 rates it 8.7 (High). No public exploit has been identified at time of analysis, but the upstream fix commit is public, so exploitation prerequisites are well documented.
Arbitrary SQL read access in DataEase before 2.10.23 lets authenticated users abuse the SQL preview feature (/de2api/datasetData/previewSql) to run attacker-supplied queries against any configured datasource. Because DatasetDataManage.previewSql passes the decoded PreviewSqlDTO.sql straight into datasourceRequest.query and CalciteProvider.fetchResultField executes it via prepareStatement().executeQuery(), an attacker can read any table the datasource account can access and receive the rows in the preview response. No public exploit identified at time of analysis, but the fix commit and advisory are public, making the flaw easy to reverse-engineer.