SQLi
Monthly
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla JHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rooms parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component Myportfolio 3.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the pid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Payage 2.05 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the aid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component JoomRecipe 1.0.3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the category parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla JoomRecipe 1.0.4 component contains a blind SQL injection vulnerability in the search_author parameter on the search results page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla LMS King Professional 3.2.4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cp_id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Event Registration Pro Calendar 4.1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Ultimate Property Listing 1.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla StreetGuessr Game 1.1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component J-ClassifiedsManager 3.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component J-MultipleHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla J-CruisePortal 6.0.4 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the guest_adult parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla SP Movie Database 1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the searchword. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla OSDownloads 1.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Survey Force Deluxe 3.2.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the invite. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla NextGen Editor 2.1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the plname parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Remote SQL injection via prompt injection in pgAdmin 4 versions 9.13 through 9.15 allows attackers who can write content into database objects the AI Assistant inspects to bypass the read-only transaction wrapper and execute arbitrary SQL with the pgAdmin user's database role. When that role is a PostgreSQL superuser or holds pg_execute_server_program, the chain escalates to remote code execution on the database host via COPY ... TO PROGRAM. No public exploit identified at time of analysis; CVSS 4.0 base score is 9.4 (Critical) and an upstream fix is available.
{gid}/{sid}) permits a low-privilege authenticated user with an active PostgreSQL session to inject additional SQL statements by exploiting unsafe str.format() interpolation of the user-supplied 'value' field. Affected versions span pgAdmin 4 from 1.0 through 9.15; a patch was released in version 9.16. The injected SQL executes only under the authenticated user's existing database role, so no privilege boundary is crossed - the principal risk is bypass of application-layer controls that restrict the Query Tool while leaving the restore-point endpoint accessible. No public exploit or active exploitation confirmed at time of analysis.
SQL injection in pgAdmin 4 versions 1.0 through 9.15 allows an authenticated user with object-modification rights to inject SQL via the description field of Domain, Domain Constraint, Foreign Table, Language, Event Trigger, and View dialogs, where Jinja templates wrapped the value in single quotes instead of passing it through the qtLiteral escape filter. Sixteen template sites plus ten related pgstattuple/pgstatindex identifier sinks share the defect; injected SQL executes as the connected PostgreSQL role, and if that role can use COPY ... TO/FROM PROGRAM it pivots to OS command execution on the database host. No public exploit identified at time of analysis, and the vendor notes the bug does not cross a privilege boundary since the same user already has direct SQL access via the Query Tool.
Blind SQL injection in the David Lingren Media Library Assistant WordPress plugin (versions up to and including 3.35) allows authenticated low-privilege users to inject SQL via unsanitized input into a database query, with scope-changed impact reaching the underlying WordPress database. No public exploit identified at time of analysis, but the plugin's wide WordPress deployment footprint and the low privilege bar make this a meaningful risk for multi-author sites. Patchstack published the advisory; no fixed version is listed in the available data.
Authenticated blind SQL injection in UBB.threads forum software version 7.7.5 (and likely other versions) allows administrators with access to the Members section of the Control Panel to extract arbitrary database contents, including user credentials, via time-based or boolean-based SQLi techniques. Reported by CERT-PL after unsuccessful vendor contact, with no public exploit identified at time of analysis and no vendor-released patch.
Error-based SQL injection in LMS (LAN Management System) before commit 4cb30a7 allows authenticated attackers to extract sensitive database contents via the tarifflist.php module. The flaw stems from unsanitized concatenation of the POST tg[] array into a SQL query through implode(), and a CERT-PL-coordinated fix is upstream. No public exploit identified at time of analysis.
Unauthenticated SQL injection in claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System) lets remote attackers read, modify, or delete arbitrary database records by tampering with HTTP parameters that are concatenated into legacy mysql_query() calls. The project ships with no authentication mechanism and no released versions, so any deployment exposing it to the network is fully compromisable; no public exploit identified at time of analysis, though CISA SSVC rates the technical impact as total and automatable.
Unauthenticated SQL injection in Nur-Alam39's bus-ticket PHP application (no released versions; latest commit 459cabd) allows remote attackers to extract arbitrary data from the bus_service database via the busid POST parameter in bus_info.php. The flaw is exacerbated because the application connects as MySQL root with an empty password. No public exploit identified at time of analysis, though the description includes a working UNION-based payload demonstrating trivial exploitability.
SQL injection in Tutor LMS (WordPress plugin by Themeum) exposes the underlying database to read-access by any authenticated administrator. The flaw resides in the withdrawal-request management flow - specifically WithdrawModel.php and withdraw_requests.php - where a 'data' parameter is passed to SQL queries without adequate escaping or parameterization. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the data-exposure impact (C:H) is real, and a patched release (3.9.12) is confirmed in the WordPress plugin repository.
SQL Injection in the Advanced Order Export For WooCommerce WordPress plugin (versions up to and including 4.0.10) allows authenticated shop managers to append arbitrary SQL to existing queries via the unsanitized 'sort_direction' parameter, enabling full read-access to the WordPress database. Wordfence confirmed the flaw, which is compounded by the plugin's deliberate stripping of WordPress magic quotes protection through stripslashes_deep(), permitting SQL metacharacters to reach the query context intact. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
SQL injection in the Form Maker by 10Web WordPress plugin exposes the WordPress database to authenticated admin-level attackers via the unsanitized 'groupids' parameter. All plugin versions through 1.15.43 are affected across multiple code paths in WDW_FM_Library.php and Generete_csv.php. No active exploitation is confirmed (not in CISA KEV), and exploitation is constrained by the administrator privilege requirement, though the high confidentiality impact from unrestricted database read access remains a meaningful concern for multi-tenant or shared WordPress environments.
SQL Injection in the Form Maker by 10Web WordPress plugin (all versions up to and including 1.15.43) enables authenticated administrators to append arbitrary SQL clauses via the unsanitized 'name' parameter in the admin-side data selection interface, permitting full read access to the underlying WordPress database. The CVSS vector confirms a high confidentiality impact (C:H) but no integrity or availability impact, scoped exclusively to the vulnerable system. No active exploitation is confirmed (not listed in CISA KEV), no public POC has been identified at time of analysis, and the mandatory administrator-level authentication prerequisite substantially constrains real-world mass exploitation risk.
SQL injection in LangChain4j's langchain4j-mariadb and langchain4j-pgvector embedding stores allows authenticated attackers who can influence metadata filter keys to execute arbitrary SQL via EmbeddingSearchRequest.filter(), enabling blind data exfiltration, denial of service through sleep functions, and deletion of arbitrary rows via removeAll(Filter). The flaw stems from string-concatenated filter keys (and MariaDB string values) being placed into SQL without escaping, and is particularly relevant where filter keys originate from LLM-generated output or untrusted user input. No public exploit identified at time of analysis, though the vendor advisory documents working proof-of-concept payloads such as pg_sleep(1) injection.
SQL injection in Dell PowerFlex Manager allows a low-privileged attacker with adjacent-network access to inject SQL commands that the application processes against its backend database, leading to script injection and potential compromise of confidentiality, integrity, and availability. The flaw is reported by Dell with no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.19%, 9th percentile).
SQL injection in Dell PowerFlex Manager exposes database contents to low-privileged adjacent-network attackers via insufficiently sanitized SQL command input. The vulnerability requires both network adjacency and existing low-level credentials, limiting its reach considerably from an opportunistic threat standpoint. No active exploitation has been confirmed by CISA KEV, and no public exploit code is known at time of analysis; the CVSS score of 3.5 (Low) reflects the constrained attack surface.
Blind SQL injection in the StylemixThemes Motors WordPress plugin (versions up to and including 1.4.109) allows remote unauthenticated attackers to inject crafted SQL fragments into backend queries, leading to confidentiality compromise of the WordPress database and limited availability impact. The CVSS 3.1 base score of 9.3 reflects a scope change (S:C), meaning the impact extends beyond the plugin to the underlying database engine shared with the WordPress core. No public exploit identified at time of analysis, but the SQLi class and unauthenticated network vector make this a high-priority issue for sites running the Motors car dealership/classified listings plugin.
Blind SQL injection in the VillaTheme GIFT4U WordPress plugin (versions through 1.0.10) allows remote unauthenticated attackers to inject arbitrary SQL into backend queries via unsanitized user input. The CVSS 9.3 score reflects a scope-changed impact with high confidentiality loss and partial availability impact, though no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Blind SQL injection in the WP Travel Gutenberg Blocks WordPress plugin (versions up to and including 3.9.4) allows remote unauthenticated attackers to inject arbitrary SQL into backend queries, exfiltrating data from the WordPress database via inference-based techniques. The CVSS 9.3 score reflects a scope-changed impact (S:C) where database compromise affects components beyond the plugin itself, though no public exploit identified at time of analysis. The vulnerability was reported by Patchstack and impacts WordPress sites running this travel-booking block plugin in default configurations.
Blind SQL injection in Brainstorm Force SureDash WordPress plugin versions up to and including 1.8.0 allows authenticated low-privileged attackers to inject arbitrary SQL commands through unsanitized input. The scope-changed CVSS 8.5 score reflects that exploitation can impact resources beyond the vulnerable component, exposing sensitive WordPress database contents to remote attackers. No public exploit identified at time of analysis.
Blind SQL injection in the Cargo RD 'Cargo Shipping Location for WooCommerce' WordPress plugin (versions up to and including 5.6) allows remote unauthenticated attackers to inject arbitrary SQL via unsanitized input passed to backend database queries. The flaw carries a CVSS 3.1 base score of 9.3 (Critical) due to its network-reachable, no-privilege, no-interaction profile and scope-changed confidentiality impact, and no public exploit identified at time of analysis.
Blind SQL injection in VeronaLabs Slimstat Analytics WordPress plugin through version 5.4.11 allows authenticated low-privileged users to inject SQL commands via improperly neutralized input. The CVSS 8.5 score reflects scope change (S:C) impacting the broader WordPress database beyond the plugin context, with high confidentiality impact and partial availability impact. No public exploit identified at time of analysis, but the WordPress plugin ecosystem and Patchstack reporting suggest discovery through standard SQLi testing.
Blind SQL injection in Webilia's Listdom WordPress plugin (versions up to and including 5.4.0) allows remote unauthenticated attackers to inject SQL fragments into back-end queries and extract data inferentially. The flaw carries a 9.3 CVSS score with a scope change (S:C), indicating the injection can affect resources beyond the vulnerable component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated SQL injection in the Advanced Ads - Tracking WordPress plugin versions prior to 3.0.7 allows remote attackers to inject arbitrary SQL into backend database queries without authentication. The CVSS 9.3 score with scope change (S:C) indicates the impact extends beyond the plugin to the underlying WordPress database, enabling data exfiltration and partial availability disruption. No public exploit identified at time of analysis, but the unauthenticated network-accessible nature makes this attractive for opportunistic scanning of WordPress installations.
Unauthenticated SQL injection in the WP eMember WordPress plugin versions prior to 10.9.4 allows remote attackers to inject arbitrary SQL through unsanitized input handled by the plugin. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 9.3 with a scope change, indicating impact beyond the vulnerable component; no public exploit identified at time of analysis.
Unauthenticated SQL injection in the JetEngine WordPress plugin versions 3.8.10.1 and earlier allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 3.1 score of 9.3 (Critical) reflects a scope change with high confidentiality and low availability impact, indicating attacker-controlled queries can reach data beyond the plugin's own context. No public exploit identified at time of analysis, but the lack of authentication requirements makes this a high-priority patch target for any site running the affected versions.
Unauthenticated SQL injection in the eyecix JobSearch WordPress plugin (versions 3.2.9 and earlier) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. With a CVSS 3.1 score of 9.3 and a Scope:Changed vector indicating impact beyond the vulnerable component, the flaw enables high-confidentiality data theft from the WordPress database including user records and credentials. No public exploit identified at time of analysis, but Patchstack-tracked WordPress plugin SQLi issues are commonly weaponized shortly after disclosure.
SQL injection in the Cornerstone WordPress plugin (Themeco) versions prior to 7.8.8 allows authenticated users with Subscriber-level access to inject SQL into backend queries. Per the CVSS vector (PR:L, scope changed, C:H), a low-privileged WordPress account can read sensitive database contents - including credentials and PII - across security boundaries, with limited availability impact and no integrity impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated SQL injection in the JetEngine WordPress plugin versions prior to 3.8.9.1 allows remote attackers to inject malicious SQL into backend database queries without any authentication or user interaction. The flaw carries a CVSS 3.1 score of 9.3 with a changed scope, enabling data disclosure across the WordPress installation and partial impact on availability. No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with JetEngine's wide deployment across Crocoblock-powered WordPress sites makes this a high-priority issue.
Unauthenticated SQL injection in the JetSearch WordPress plugin (versions <= 3.5.17) allows remote attackers to inject arbitrary SQL into backend database queries without any authentication or user interaction. The flaw carries a CVSS 9.3 (Critical) score with a scope change, meaning impact extends beyond the plugin to the underlying WordPress database. No public exploit identified at time of analysis, but the trivial attack complexity and lack of authentication requirement make this a high-priority patching target for any WordPress site running the plugin.
Unauthenticated SQL injection in the JetEngine WordPress plugin (versions up to and including 3.8.9.1) allows remote attackers without credentials to inject arbitrary SQL through plugin-handled inputs. With a CVSS 3.1 score of 9.3 (scope-changed) and no authentication or user interaction required, the flaw is well-suited for opportunistic, mass exploitation of WordPress sites that use this popular Crocoblock plugin. No public exploit identified at time of analysis, but Patchstack has catalogued the issue, indicating vendor-side confirmation.
SQL injection in the Geo Mashup WordPress plugin (versions <= 1.13.19) allows authenticated users with Subscriber-level privileges to inject arbitrary SQL queries via unsanitized input, leading to confidentiality compromise and limited availability impact across other WordPress components. No public exploit identified at time of analysis, but the low privilege barrier (any registered subscriber) on a widely-deployed plugin class makes this a meaningful risk for WordPress sites with open registration. The Scope:Changed CVSS metric indicates the SQL injection can affect resources beyond the plugin's own security authority.
Unauthenticated SQL injection in the JetSmartFilters WordPress plugin (versions ≤ 3.8.1) allows remote attackers to inject arbitrary SQL queries against the underlying WordPress database without any authentication or user interaction. The CVSS 9.3 score reflects a scope-changing flaw with high confidentiality impact and low availability impact, and no public exploit has been identified at time of analysis. The vulnerability was disclosed via Patchstack and affects a popular Crocoblock/JetImpex filtering plugin widely deployed on WordPress sites.
Unauthenticated SQL injection in Blocksy Companion Pro (a premium WordPress plugin from Creative Themes) prior to version 2.1.29 allows remote attackers to inject arbitrary SQL into backend database queries without any login or user interaction. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H) with scope-change indicates the impact crosses a security boundary, with full confidentiality compromise of database contents and limited integrity/availability effect. No public exploit identified at time of analysis, but the vulnerability class and SSDLC profile are highly attractive to automated scanners targeting WordPress.
Unauthenticated SQL injection in the WPJobster WordPress theme versions 6.3.5 and earlier allows remote attackers to inject SQL queries without any authentication or user interaction. Reported by Patchstack and tracked under CWE-89, the issue carries a CVSS 3.1 score of 9.3 with a scope-changed impact, meaning a successful injection can affect resources beyond the vulnerable component. No public exploit identified at time of analysis, but the network-reachable, low-complexity nature of WordPress theme endpoints makes this a high-priority issue for any site running the affected theme.
SQL injection in the WooCommerce Frontend Manager - Ultimate WordPress plugin (versions prior to 6.7.7) allows authenticated subscriber-level users to inject SQL via plugin-handled input, exposing database contents and enabling limited data tampering on affected WooCommerce sites. The CVSS 8.5 rating reflects a scope change reaching the underlying database with high confidentiality impact. No public exploit identified at time of analysis.
SQL injection in Tutor LMS Pro (Themeum) versions 3.9.6 and earlier allows remote unauthenticated attackers to inject arbitrary SQL against the underlying WordPress database. The CVSS 9.3 rating reflects a scope change with high confidentiality impact, meaning data accessible to the WordPress backend can be exposed. As of analysis, no public exploit identified at time of analysis, and the issue is tracked via Patchstack.
SQL injection in the Events Schedule - WordPress Events Calendar plugin (versions <= 2.7.2) by CurlyThemes allows authenticated users with Subscriber-level privileges to inject arbitrary SQL into backend database queries. Because the CVSS scope is Changed with high confidentiality impact, a successful attacker can read data beyond the plugin's intended boundary, potentially exfiltrating WordPress user hashes and site secrets. No public exploit identified at time of analysis, and the issue is reported by Patchstack.
Local information disclosure in the Android Contacts Provider component permits an on-device attacker to extract data from the contacts database via SQL injection without requiring additional execution privileges or user interaction. The flaw is addressed in the Android Security Bulletin for Android 17, and no public exploit identified at time of analysis. Although the input CVSS 4.0 score is 10.0 with a network vector, the description explicitly characterizes the impact as local, which security teams should reconcile before prioritization.
Unauthenticated SQL injection in the JetEngine WordPress plugin versions up to 3.8.10.1 allows remote attackers to extract database contents via the listing_load_more AJAX handler. The filtered_query parameter is deliberately excluded from the HMAC signature check to enable front-end filter integration, but meta_query row values are merged into SQL without sanitization, enabling time-based or boolean blind injection. No public exploit identified at time of analysis, though the bug was reported by Wordfence and source code locations are publicly referenced.
Blind SQL injection in the wpWax Directorist Booking WordPress plugin (versions up to and including 3.0.3) allows authenticated low-privilege users to issue crafted database queries that exfiltrate data across trust boundaries. The CVSS 3.1 score of 8.5 reflects a scope change (S:C) with high confidentiality impact, indicating the affected database context exposes data beyond the plugin's own component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL injection in the wpDataTables WordPress plugin versions 7.3.6 and earlier allows unauthenticated remote attackers to inject crafted SQL into backend database queries, with CVSS 9.3 reflecting a scope-changed impact that reaches beyond the plugin's own data context. The CVSS vector indicates high confidentiality impact and low availability impact with no integrity impact, suggesting the flaw is primarily useful for extracting sensitive WordPress data (including credentials and PII) rather than tampering with records. No public exploit identified at time of analysis, but Patchstack's disclosure and the unauthenticated network attack vector make this a high-priority issue for any site running the plugin.
Unauthenticated SQL injection in the ListingPro WordPress plugin (versions ≤ 2.9.10) allows remote attackers to inject arbitrary SQL into backend queries without credentials, exposing the WordPress database to extraction and manipulation. Reported by Patchstack and tracked as EUVD-2026-37469, the flaw carries a 9.3 CVSS with scope change, indicating impact beyond the vulnerable component. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
NoSQL injection in n8n's MongoDB node (all versions prior to 2.24.0) enables authenticated users with workflow edit access to supply malicious filter values in the Find And Replace operation, causing MongoDB to match and overwrite documents far beyond the attacker's intended scope. The root cause is unsanitized user input being passed directly to MongoDB as a query filter without validation, and the scope change (S:C in CVSS) means the impact propagates from n8n itself into the connected MongoDB database layer. No public exploit has been identified at time of analysis, and exploitation is bounded by the requirement for a valid n8n account with workflow editing permissions.
SQL injection in n8n's legacy Postgres v1 and TimescaleDB workflow nodes allows an authenticated workflow editor to inject and execute arbitrary SQL against the connected database, operating under the privileges of the configured database account. Affected versions span all n8n npm releases below 2.25.7 and the 2.26.0-2.26.1 range, with the CVSS 9.9 score reflecting a confirmed scope change: the injection escapes the n8n application layer into the underlying database system (S:C), enabling full confidentiality, integrity, and availability compromise of database contents. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low-privilege requirement and network-accessible attack vector make this a critical priority for any deployment where workflow editing access is broadly granted.
Blind SQL injection in The Events Calendar WordPress plugin (versions 6.15.12 through 6.16.2) by Liquid Web / StellarWP allows remote attackers to inject malicious SQL via unsanitized input handled by the plugin. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) indicates a network-reachable, unauthenticated, low-complexity issue with a scope change and high confidentiality impact, putting it at 9.3 critical. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided in the input.
Unauthenticated SQL injection in the GEO my WordPress plugin versions 4.5.5 and earlier allows remote attackers to inject arbitrary SQL into backend queries against WordPress sites running the plugin. The flaw was disclosed via Patchstack, carries a CVSS 9.3 with scope change, and currently has no public exploit identified at time of analysis, though SQL injection in WordPress plugins is historically a high-value automated target.
SQL injection in the Attendance Manager WordPress plugin version 0.6.2 and earlier allows authenticated users with subscriber-level privileges to inject malicious SQL through plugin functionality, leading to disclosure of sensitive database contents. The flaw was reported by Patchstack and impacts WordPress sites that have installed the tnomi Attendance Manager plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL injection in the WordPress plugin WP Sessions Time Monitoring Full Automatic (versions 1.1.4 and earlier) allows authenticated users with Subscriber-level access to inject malicious SQL into backend database queries. The CVSS scope change (S:C) and high confidentiality impact indicate that exploitation can expose data beyond the plugin's own context, including potentially the broader WordPress database. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated SQL injection in the InPost Gallery WordPress plugin (versions 2.1.4.6 and earlier) by realmag777 allows remote attackers to inject arbitrary SQL queries without any authentication. The flaw carries a CVSS 9.3 with a scope change, meaning successful exploitation can extract sensitive database contents and impact resources beyond the vulnerable component. No public exploit identified at time of analysis, but the unauthenticated nature and the visibility of Patchstack-reported WordPress flaws make opportunistic scanning likely.
Authenticated SQL injection in the WP Review Slider Pro WordPress plugin through version 12.6.8 lets Subscriber-level users append arbitrary SQL via the wpfb_find_reviews AJAX action, enabling extraction of sensitive database contents including user credentials and secrets. The flaw is reachable by any logged-in WordPress account, which on sites with open registration effectively lowers the bar to near-unauthenticated. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
SQL injection in the WP Review Slider Pro WordPress plugin (versions ≤12.6.8) allows authenticated attackers with Subscriber-level access to inject arbitrary SQL via the 'stypes' and 'slocations' JSON parameters of the wppro_get_overall_chart_data AJAX action. Because the vulnerable handler echoes the executed SQL back in its JSON response, attackers gain a built-in oracle that turns blind injection into a near-trivial database extraction primitive. No public exploit identified at time of analysis, but the very low privilege barrier on a default WordPress install makes any exposed site a realistic target.
SQL injection in the WCMultiShipping WordPress plugin (Mondial Relay & Chronopost for WooCommerce) versions 3.0.2 and earlier allows authenticated users holding only the low-privilege Subscriber role to inject arbitrary SQL into backend queries. The scope-changed CVSS 8.5 reflects high confidentiality impact across security boundaries, and no public exploit identified at time of analysis. Disclosure originates from Patchstack's WordPress vulnerability database.
SQL injection in the Taskbuilder WordPress plugin versions 5.0.7 and earlier allows authenticated Subscriber-level users to inject malicious SQL into backend database queries, enabling exposure of sensitive data including credential hashes and limited integrity/availability impact on the underlying WordPress site. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 8.5 driven by a scope change to the database tier; there is no public exploit identified at time of analysis and the issue is not on CISA KEV.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla JHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rooms parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component Myportfolio 3.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the pid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Payage 2.05 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the aid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component JoomRecipe 1.0.3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the category parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla JoomRecipe 1.0.4 component contains a blind SQL injection vulnerability in the search_author parameter on the search results page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla LMS King Professional 3.2.4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cp_id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Event Registration Pro Calendar 4.1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Ultimate Property Listing 1.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla StreetGuessr Game 1.1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component J-ClassifiedsManager 3.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component J-MultipleHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla J-CruisePortal 6.0.4 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the guest_adult parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla SP Movie Database 1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the searchword. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla OSDownloads 1.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Survey Force Deluxe 3.2.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the invite. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla NextGen Editor 2.1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the plname parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Remote SQL injection via prompt injection in pgAdmin 4 versions 9.13 through 9.15 allows attackers who can write content into database objects the AI Assistant inspects to bypass the read-only transaction wrapper and execute arbitrary SQL with the pgAdmin user's database role. When that role is a PostgreSQL superuser or holds pg_execute_server_program, the chain escalates to remote code execution on the database host via COPY ... TO PROGRAM. No public exploit identified at time of analysis; CVSS 4.0 base score is 9.4 (Critical) and an upstream fix is available.
{gid}/{sid}) permits a low-privilege authenticated user with an active PostgreSQL session to inject additional SQL statements by exploiting unsafe str.format() interpolation of the user-supplied 'value' field. Affected versions span pgAdmin 4 from 1.0 through 9.15; a patch was released in version 9.16. The injected SQL executes only under the authenticated user's existing database role, so no privilege boundary is crossed - the principal risk is bypass of application-layer controls that restrict the Query Tool while leaving the restore-point endpoint accessible. No public exploit or active exploitation confirmed at time of analysis.
SQL injection in pgAdmin 4 versions 1.0 through 9.15 allows an authenticated user with object-modification rights to inject SQL via the description field of Domain, Domain Constraint, Foreign Table, Language, Event Trigger, and View dialogs, where Jinja templates wrapped the value in single quotes instead of passing it through the qtLiteral escape filter. Sixteen template sites plus ten related pgstattuple/pgstatindex identifier sinks share the defect; injected SQL executes as the connected PostgreSQL role, and if that role can use COPY ... TO/FROM PROGRAM it pivots to OS command execution on the database host. No public exploit identified at time of analysis, and the vendor notes the bug does not cross a privilege boundary since the same user already has direct SQL access via the Query Tool.
Blind SQL injection in the David Lingren Media Library Assistant WordPress plugin (versions up to and including 3.35) allows authenticated low-privilege users to inject SQL via unsanitized input into a database query, with scope-changed impact reaching the underlying WordPress database. No public exploit identified at time of analysis, but the plugin's wide WordPress deployment footprint and the low privilege bar make this a meaningful risk for multi-author sites. Patchstack published the advisory; no fixed version is listed in the available data.
Authenticated blind SQL injection in UBB.threads forum software version 7.7.5 (and likely other versions) allows administrators with access to the Members section of the Control Panel to extract arbitrary database contents, including user credentials, via time-based or boolean-based SQLi techniques. Reported by CERT-PL after unsuccessful vendor contact, with no public exploit identified at time of analysis and no vendor-released patch.
Error-based SQL injection in LMS (LAN Management System) before commit 4cb30a7 allows authenticated attackers to extract sensitive database contents via the tarifflist.php module. The flaw stems from unsanitized concatenation of the POST tg[] array into a SQL query through implode(), and a CERT-PL-coordinated fix is upstream. No public exploit identified at time of analysis.
Unauthenticated SQL injection in claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System) lets remote attackers read, modify, or delete arbitrary database records by tampering with HTTP parameters that are concatenated into legacy mysql_query() calls. The project ships with no authentication mechanism and no released versions, so any deployment exposing it to the network is fully compromisable; no public exploit identified at time of analysis, though CISA SSVC rates the technical impact as total and automatable.
Unauthenticated SQL injection in Nur-Alam39's bus-ticket PHP application (no released versions; latest commit 459cabd) allows remote attackers to extract arbitrary data from the bus_service database via the busid POST parameter in bus_info.php. The flaw is exacerbated because the application connects as MySQL root with an empty password. No public exploit identified at time of analysis, though the description includes a working UNION-based payload demonstrating trivial exploitability.
SQL injection in Tutor LMS (WordPress plugin by Themeum) exposes the underlying database to read-access by any authenticated administrator. The flaw resides in the withdrawal-request management flow - specifically WithdrawModel.php and withdraw_requests.php - where a 'data' parameter is passed to SQL queries without adequate escaping or parameterization. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the data-exposure impact (C:H) is real, and a patched release (3.9.12) is confirmed in the WordPress plugin repository.
SQL Injection in the Advanced Order Export For WooCommerce WordPress plugin (versions up to and including 4.0.10) allows authenticated shop managers to append arbitrary SQL to existing queries via the unsanitized 'sort_direction' parameter, enabling full read-access to the WordPress database. Wordfence confirmed the flaw, which is compounded by the plugin's deliberate stripping of WordPress magic quotes protection through stripslashes_deep(), permitting SQL metacharacters to reach the query context intact. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
SQL injection in the Form Maker by 10Web WordPress plugin exposes the WordPress database to authenticated admin-level attackers via the unsanitized 'groupids' parameter. All plugin versions through 1.15.43 are affected across multiple code paths in WDW_FM_Library.php and Generete_csv.php. No active exploitation is confirmed (not in CISA KEV), and exploitation is constrained by the administrator privilege requirement, though the high confidentiality impact from unrestricted database read access remains a meaningful concern for multi-tenant or shared WordPress environments.
SQL Injection in the Form Maker by 10Web WordPress plugin (all versions up to and including 1.15.43) enables authenticated administrators to append arbitrary SQL clauses via the unsanitized 'name' parameter in the admin-side data selection interface, permitting full read access to the underlying WordPress database. The CVSS vector confirms a high confidentiality impact (C:H) but no integrity or availability impact, scoped exclusively to the vulnerable system. No active exploitation is confirmed (not listed in CISA KEV), no public POC has been identified at time of analysis, and the mandatory administrator-level authentication prerequisite substantially constrains real-world mass exploitation risk.
SQL injection in LangChain4j's langchain4j-mariadb and langchain4j-pgvector embedding stores allows authenticated attackers who can influence metadata filter keys to execute arbitrary SQL via EmbeddingSearchRequest.filter(), enabling blind data exfiltration, denial of service through sleep functions, and deletion of arbitrary rows via removeAll(Filter). The flaw stems from string-concatenated filter keys (and MariaDB string values) being placed into SQL without escaping, and is particularly relevant where filter keys originate from LLM-generated output or untrusted user input. No public exploit identified at time of analysis, though the vendor advisory documents working proof-of-concept payloads such as pg_sleep(1) injection.
SQL injection in Dell PowerFlex Manager allows a low-privileged attacker with adjacent-network access to inject SQL commands that the application processes against its backend database, leading to script injection and potential compromise of confidentiality, integrity, and availability. The flaw is reported by Dell with no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.19%, 9th percentile).
SQL injection in Dell PowerFlex Manager exposes database contents to low-privileged adjacent-network attackers via insufficiently sanitized SQL command input. The vulnerability requires both network adjacency and existing low-level credentials, limiting its reach considerably from an opportunistic threat standpoint. No active exploitation has been confirmed by CISA KEV, and no public exploit code is known at time of analysis; the CVSS score of 3.5 (Low) reflects the constrained attack surface.
Blind SQL injection in the StylemixThemes Motors WordPress plugin (versions up to and including 1.4.109) allows remote unauthenticated attackers to inject crafted SQL fragments into backend queries, leading to confidentiality compromise of the WordPress database and limited availability impact. The CVSS 3.1 base score of 9.3 reflects a scope change (S:C), meaning the impact extends beyond the plugin to the underlying database engine shared with the WordPress core. No public exploit identified at time of analysis, but the SQLi class and unauthenticated network vector make this a high-priority issue for sites running the Motors car dealership/classified listings plugin.
Blind SQL injection in the VillaTheme GIFT4U WordPress plugin (versions through 1.0.10) allows remote unauthenticated attackers to inject arbitrary SQL into backend queries via unsanitized user input. The CVSS 9.3 score reflects a scope-changed impact with high confidentiality loss and partial availability impact, though no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Blind SQL injection in the WP Travel Gutenberg Blocks WordPress plugin (versions up to and including 3.9.4) allows remote unauthenticated attackers to inject arbitrary SQL into backend queries, exfiltrating data from the WordPress database via inference-based techniques. The CVSS 9.3 score reflects a scope-changed impact (S:C) where database compromise affects components beyond the plugin itself, though no public exploit identified at time of analysis. The vulnerability was reported by Patchstack and impacts WordPress sites running this travel-booking block plugin in default configurations.
Blind SQL injection in Brainstorm Force SureDash WordPress plugin versions up to and including 1.8.0 allows authenticated low-privileged attackers to inject arbitrary SQL commands through unsanitized input. The scope-changed CVSS 8.5 score reflects that exploitation can impact resources beyond the vulnerable component, exposing sensitive WordPress database contents to remote attackers. No public exploit identified at time of analysis.
Blind SQL injection in the Cargo RD 'Cargo Shipping Location for WooCommerce' WordPress plugin (versions up to and including 5.6) allows remote unauthenticated attackers to inject arbitrary SQL via unsanitized input passed to backend database queries. The flaw carries a CVSS 3.1 base score of 9.3 (Critical) due to its network-reachable, no-privilege, no-interaction profile and scope-changed confidentiality impact, and no public exploit identified at time of analysis.
Blind SQL injection in VeronaLabs Slimstat Analytics WordPress plugin through version 5.4.11 allows authenticated low-privileged users to inject SQL commands via improperly neutralized input. The CVSS 8.5 score reflects scope change (S:C) impacting the broader WordPress database beyond the plugin context, with high confidentiality impact and partial availability impact. No public exploit identified at time of analysis, but the WordPress plugin ecosystem and Patchstack reporting suggest discovery through standard SQLi testing.
Blind SQL injection in Webilia's Listdom WordPress plugin (versions up to and including 5.4.0) allows remote unauthenticated attackers to inject SQL fragments into back-end queries and extract data inferentially. The flaw carries a 9.3 CVSS score with a scope change (S:C), indicating the injection can affect resources beyond the vulnerable component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated SQL injection in the Advanced Ads - Tracking WordPress plugin versions prior to 3.0.7 allows remote attackers to inject arbitrary SQL into backend database queries without authentication. The CVSS 9.3 score with scope change (S:C) indicates the impact extends beyond the plugin to the underlying WordPress database, enabling data exfiltration and partial availability disruption. No public exploit identified at time of analysis, but the unauthenticated network-accessible nature makes this attractive for opportunistic scanning of WordPress installations.
Unauthenticated SQL injection in the WP eMember WordPress plugin versions prior to 10.9.4 allows remote attackers to inject arbitrary SQL through unsanitized input handled by the plugin. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 9.3 with a scope change, indicating impact beyond the vulnerable component; no public exploit identified at time of analysis.
Unauthenticated SQL injection in the JetEngine WordPress plugin versions 3.8.10.1 and earlier allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 3.1 score of 9.3 (Critical) reflects a scope change with high confidentiality and low availability impact, indicating attacker-controlled queries can reach data beyond the plugin's own context. No public exploit identified at time of analysis, but the lack of authentication requirements makes this a high-priority patch target for any site running the affected versions.
Unauthenticated SQL injection in the eyecix JobSearch WordPress plugin (versions 3.2.9 and earlier) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. With a CVSS 3.1 score of 9.3 and a Scope:Changed vector indicating impact beyond the vulnerable component, the flaw enables high-confidentiality data theft from the WordPress database including user records and credentials. No public exploit identified at time of analysis, but Patchstack-tracked WordPress plugin SQLi issues are commonly weaponized shortly after disclosure.
SQL injection in the Cornerstone WordPress plugin (Themeco) versions prior to 7.8.8 allows authenticated users with Subscriber-level access to inject SQL into backend queries. Per the CVSS vector (PR:L, scope changed, C:H), a low-privileged WordPress account can read sensitive database contents - including credentials and PII - across security boundaries, with limited availability impact and no integrity impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated SQL injection in the JetEngine WordPress plugin versions prior to 3.8.9.1 allows remote attackers to inject malicious SQL into backend database queries without any authentication or user interaction. The flaw carries a CVSS 3.1 score of 9.3 with a changed scope, enabling data disclosure across the WordPress installation and partial impact on availability. No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with JetEngine's wide deployment across Crocoblock-powered WordPress sites makes this a high-priority issue.
Unauthenticated SQL injection in the JetSearch WordPress plugin (versions <= 3.5.17) allows remote attackers to inject arbitrary SQL into backend database queries without any authentication or user interaction. The flaw carries a CVSS 9.3 (Critical) score with a scope change, meaning impact extends beyond the plugin to the underlying WordPress database. No public exploit identified at time of analysis, but the trivial attack complexity and lack of authentication requirement make this a high-priority patching target for any WordPress site running the plugin.
Unauthenticated SQL injection in the JetEngine WordPress plugin (versions up to and including 3.8.9.1) allows remote attackers without credentials to inject arbitrary SQL through plugin-handled inputs. With a CVSS 3.1 score of 9.3 (scope-changed) and no authentication or user interaction required, the flaw is well-suited for opportunistic, mass exploitation of WordPress sites that use this popular Crocoblock plugin. No public exploit identified at time of analysis, but Patchstack has catalogued the issue, indicating vendor-side confirmation.
SQL injection in the Geo Mashup WordPress plugin (versions <= 1.13.19) allows authenticated users with Subscriber-level privileges to inject arbitrary SQL queries via unsanitized input, leading to confidentiality compromise and limited availability impact across other WordPress components. No public exploit identified at time of analysis, but the low privilege barrier (any registered subscriber) on a widely-deployed plugin class makes this a meaningful risk for WordPress sites with open registration. The Scope:Changed CVSS metric indicates the SQL injection can affect resources beyond the plugin's own security authority.
Unauthenticated SQL injection in the JetSmartFilters WordPress plugin (versions ≤ 3.8.1) allows remote attackers to inject arbitrary SQL queries against the underlying WordPress database without any authentication or user interaction. The CVSS 9.3 score reflects a scope-changing flaw with high confidentiality impact and low availability impact, and no public exploit has been identified at time of analysis. The vulnerability was disclosed via Patchstack and affects a popular Crocoblock/JetImpex filtering plugin widely deployed on WordPress sites.
Unauthenticated SQL injection in Blocksy Companion Pro (a premium WordPress plugin from Creative Themes) prior to version 2.1.29 allows remote attackers to inject arbitrary SQL into backend database queries without any login or user interaction. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H) with scope-change indicates the impact crosses a security boundary, with full confidentiality compromise of database contents and limited integrity/availability effect. No public exploit identified at time of analysis, but the vulnerability class and SSDLC profile are highly attractive to automated scanners targeting WordPress.
Unauthenticated SQL injection in the WPJobster WordPress theme versions 6.3.5 and earlier allows remote attackers to inject SQL queries without any authentication or user interaction. Reported by Patchstack and tracked under CWE-89, the issue carries a CVSS 3.1 score of 9.3 with a scope-changed impact, meaning a successful injection can affect resources beyond the vulnerable component. No public exploit identified at time of analysis, but the network-reachable, low-complexity nature of WordPress theme endpoints makes this a high-priority issue for any site running the affected theme.
SQL injection in the WooCommerce Frontend Manager - Ultimate WordPress plugin (versions prior to 6.7.7) allows authenticated subscriber-level users to inject SQL via plugin-handled input, exposing database contents and enabling limited data tampering on affected WooCommerce sites. The CVSS 8.5 rating reflects a scope change reaching the underlying database with high confidentiality impact. No public exploit identified at time of analysis.
SQL injection in Tutor LMS Pro (Themeum) versions 3.9.6 and earlier allows remote unauthenticated attackers to inject arbitrary SQL against the underlying WordPress database. The CVSS 9.3 rating reflects a scope change with high confidentiality impact, meaning data accessible to the WordPress backend can be exposed. As of analysis, no public exploit identified at time of analysis, and the issue is tracked via Patchstack.
SQL injection in the Events Schedule - WordPress Events Calendar plugin (versions <= 2.7.2) by CurlyThemes allows authenticated users with Subscriber-level privileges to inject arbitrary SQL into backend database queries. Because the CVSS scope is Changed with high confidentiality impact, a successful attacker can read data beyond the plugin's intended boundary, potentially exfiltrating WordPress user hashes and site secrets. No public exploit identified at time of analysis, and the issue is reported by Patchstack.
Local information disclosure in the Android Contacts Provider component permits an on-device attacker to extract data from the contacts database via SQL injection without requiring additional execution privileges or user interaction. The flaw is addressed in the Android Security Bulletin for Android 17, and no public exploit identified at time of analysis. Although the input CVSS 4.0 score is 10.0 with a network vector, the description explicitly characterizes the impact as local, which security teams should reconcile before prioritization.
Unauthenticated SQL injection in the JetEngine WordPress plugin versions up to 3.8.10.1 allows remote attackers to extract database contents via the listing_load_more AJAX handler. The filtered_query parameter is deliberately excluded from the HMAC signature check to enable front-end filter integration, but meta_query row values are merged into SQL without sanitization, enabling time-based or boolean blind injection. No public exploit identified at time of analysis, though the bug was reported by Wordfence and source code locations are publicly referenced.
Blind SQL injection in the wpWax Directorist Booking WordPress plugin (versions up to and including 3.0.3) allows authenticated low-privilege users to issue crafted database queries that exfiltrate data across trust boundaries. The CVSS 3.1 score of 8.5 reflects a scope change (S:C) with high confidentiality impact, indicating the affected database context exposes data beyond the plugin's own component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL injection in the wpDataTables WordPress plugin versions 7.3.6 and earlier allows unauthenticated remote attackers to inject crafted SQL into backend database queries, with CVSS 9.3 reflecting a scope-changed impact that reaches beyond the plugin's own data context. The CVSS vector indicates high confidentiality impact and low availability impact with no integrity impact, suggesting the flaw is primarily useful for extracting sensitive WordPress data (including credentials and PII) rather than tampering with records. No public exploit identified at time of analysis, but Patchstack's disclosure and the unauthenticated network attack vector make this a high-priority issue for any site running the plugin.
Unauthenticated SQL injection in the ListingPro WordPress plugin (versions ≤ 2.9.10) allows remote attackers to inject arbitrary SQL into backend queries without credentials, exposing the WordPress database to extraction and manipulation. Reported by Patchstack and tracked as EUVD-2026-37469, the flaw carries a 9.3 CVSS with scope change, indicating impact beyond the vulnerable component. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
NoSQL injection in n8n's MongoDB node (all versions prior to 2.24.0) enables authenticated users with workflow edit access to supply malicious filter values in the Find And Replace operation, causing MongoDB to match and overwrite documents far beyond the attacker's intended scope. The root cause is unsanitized user input being passed directly to MongoDB as a query filter without validation, and the scope change (S:C in CVSS) means the impact propagates from n8n itself into the connected MongoDB database layer. No public exploit has been identified at time of analysis, and exploitation is bounded by the requirement for a valid n8n account with workflow editing permissions.
SQL injection in n8n's legacy Postgres v1 and TimescaleDB workflow nodes allows an authenticated workflow editor to inject and execute arbitrary SQL against the connected database, operating under the privileges of the configured database account. Affected versions span all n8n npm releases below 2.25.7 and the 2.26.0-2.26.1 range, with the CVSS 9.9 score reflecting a confirmed scope change: the injection escapes the n8n application layer into the underlying database system (S:C), enabling full confidentiality, integrity, and availability compromise of database contents. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low-privilege requirement and network-accessible attack vector make this a critical priority for any deployment where workflow editing access is broadly granted.
Blind SQL injection in The Events Calendar WordPress plugin (versions 6.15.12 through 6.16.2) by Liquid Web / StellarWP allows remote attackers to inject malicious SQL via unsanitized input handled by the plugin. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) indicates a network-reachable, unauthenticated, low-complexity issue with a scope change and high confidentiality impact, putting it at 9.3 critical. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided in the input.
Unauthenticated SQL injection in the GEO my WordPress plugin versions 4.5.5 and earlier allows remote attackers to inject arbitrary SQL into backend queries against WordPress sites running the plugin. The flaw was disclosed via Patchstack, carries a CVSS 9.3 with scope change, and currently has no public exploit identified at time of analysis, though SQL injection in WordPress plugins is historically a high-value automated target.
SQL injection in the Attendance Manager WordPress plugin version 0.6.2 and earlier allows authenticated users with subscriber-level privileges to inject malicious SQL through plugin functionality, leading to disclosure of sensitive database contents. The flaw was reported by Patchstack and impacts WordPress sites that have installed the tnomi Attendance Manager plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL injection in the WordPress plugin WP Sessions Time Monitoring Full Automatic (versions 1.1.4 and earlier) allows authenticated users with Subscriber-level access to inject malicious SQL into backend database queries. The CVSS scope change (S:C) and high confidentiality impact indicate that exploitation can expose data beyond the plugin's own context, including potentially the broader WordPress database. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated SQL injection in the InPost Gallery WordPress plugin (versions 2.1.4.6 and earlier) by realmag777 allows remote attackers to inject arbitrary SQL queries without any authentication. The flaw carries a CVSS 9.3 with a scope change, meaning successful exploitation can extract sensitive database contents and impact resources beyond the vulnerable component. No public exploit identified at time of analysis, but the unauthenticated nature and the visibility of Patchstack-reported WordPress flaws make opportunistic scanning likely.
Authenticated SQL injection in the WP Review Slider Pro WordPress plugin through version 12.6.8 lets Subscriber-level users append arbitrary SQL via the wpfb_find_reviews AJAX action, enabling extraction of sensitive database contents including user credentials and secrets. The flaw is reachable by any logged-in WordPress account, which on sites with open registration effectively lowers the bar to near-unauthenticated. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
SQL injection in the WP Review Slider Pro WordPress plugin (versions ≤12.6.8) allows authenticated attackers with Subscriber-level access to inject arbitrary SQL via the 'stypes' and 'slocations' JSON parameters of the wppro_get_overall_chart_data AJAX action. Because the vulnerable handler echoes the executed SQL back in its JSON response, attackers gain a built-in oracle that turns blind injection into a near-trivial database extraction primitive. No public exploit identified at time of analysis, but the very low privilege barrier on a default WordPress install makes any exposed site a realistic target.
SQL injection in the WCMultiShipping WordPress plugin (Mondial Relay & Chronopost for WooCommerce) versions 3.0.2 and earlier allows authenticated users holding only the low-privilege Subscriber role to inject arbitrary SQL into backend queries. The scope-changed CVSS 8.5 reflects high confidentiality impact across security boundaries, and no public exploit identified at time of analysis. Disclosure originates from Patchstack's WordPress vulnerability database.
SQL injection in the Taskbuilder WordPress plugin versions 5.0.7 and earlier allows authenticated Subscriber-level users to inject malicious SQL into backend database queries, enabling exposure of sensitive data including credential hashes and limited integrity/availability impact on the underlying WordPress site. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 8.5 driven by a scope change to the database tier; there is no public exploit identified at time of analysis and the issue is not on CISA KEV.