Skip to main content

SQLi

15159 CVEs technique

Monthly

CVE-2019-25753 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Vmap
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2019-25748 HIGH POC This Week

Joomla JHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rooms parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20282 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20281 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20280 HIGH POC This Week

Joomla Component Myportfolio 3.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the pid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20279 HIGH POC This Week

Joomla Payage 2.05 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the aid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20278 HIGH POC This Week

Joomla Component JoomRecipe 1.0.3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the category parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20277 HIGH POC This Week

Joomla JoomRecipe 1.0.4 component contains a blind SQL injection vulnerability in the search_author parameter on the search results page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20276 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20275 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20274 HIGH POC This Week

Joomla LMS King Professional 3.2.4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cp_id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20273 HIGH POC This Week

Joomla Event Registration Pro Calendar 4.1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20272 HIGH POC This Week

Joomla Ultimate Property Listing 1.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20271 HIGH POC This Week

Joomla StreetGuessr Game 1.1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20270 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20269 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20268 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2019-25752 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP SQLi Businessdirectory
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2019-25751 HIGH POC This Week

Joomla Component J-ClassifiedsManager 3.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Classifiedsmanager
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2019-25750 HIGH POC This Week

Joomla Component J-MultipleHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Multiplehotelreservation
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2019-25749 HIGH POC This Week

Joomla J-CruisePortal 6.0.4 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the guest_adult parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Cruiseportal
NVD Exploit-DB VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2017-20267 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Calendar Planner
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20266 HIGH POC This Week

Joomla SP Movie Database 1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the searchword. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Sp Movie Database
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20265 HIGH POC This Week

Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Flip Wall
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2017-20264 HIGH POC This Week

Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Sponsor Wall
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2017-20263 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Focalpoint Pro Free
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20262 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Ajax Quiz
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20261 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Bargain Product Vm3
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20260 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Price Alert
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20259 HIGH POC This Week

Joomla OSDownloads 1.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Osdownloads
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20258 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rpc
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20257 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Quiz Deluxe
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20256 HIGH POC This Week

Joomla Survey Force Deluxe 3.2.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the invite. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Survey Force Deluxe
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20255 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Jb Visa
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20254 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP User Bench
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20253 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi My Projects
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20252 HIGH POC This Week

Joomla NextGen Editor 2.1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the plname parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Nextgen Editor
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-12045 CRITICAL PATCH Act Now

Remote SQL injection via prompt injection in pgAdmin 4 versions 9.13 through 9.15 allows attackers who can write content into database objects the AI Assistant inspects to bypass the read-only transaction wrapper and execute arbitrary SQL with the pgAdmin user's database role. When that role is a PostgreSQL superuser or holds pg_execute_server_program, the chain escalates to remote code execution on the database host via COPY ... TO PROGRAM. No public exploit identified at time of analysis; CVSS 4.0 base score is 9.4 (Critical) and an upstream fix is available.

PostgreSQL SQLi RCE Pgadmin 4
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.5%
CVE-2026-12050 MEDIUM PATCH This Month

{gid}/{sid}) permits a low-privilege authenticated user with an active PostgreSQL session to inject additional SQL statements by exploiting unsafe str.format() interpolation of the user-supplied 'value' field. Affected versions span pgAdmin 4 from 1.0 through 9.15; a patch was released in version 9.16. The injected SQL executes only under the authenticated user's existing database role, so no privilege boundary is crossed - the principal risk is bypass of application-layer controls that restrict the Query Tool while leaving the restore-point endpoint accessible. No public exploit or active exploitation confirmed at time of analysis.

PostgreSQL SQLi Pgadmin 4
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-12044 HIGH PATCH This Week

SQL injection in pgAdmin 4 versions 1.0 through 9.15 allows an authenticated user with object-modification rights to inject SQL via the description field of Domain, Domain Constraint, Foreign Table, Language, Event Trigger, and View dialogs, where Jinja templates wrapped the value in single quotes instead of passing it through the qtLiteral escape filter. Sixteen template sites plus ten related pgstattuple/pgstatindex identifier sinks share the defect; injected SQL executes as the connected PostgreSQL role, and if that role can use COPY ... TO/FROM PROGRAM it pivots to OS command execution on the database host. No public exploit identified at time of analysis, and the vendor notes the bug does not cross a privilege boundary since the same user already has direct SQL access via the Query Tool.

PostgreSQL Command Injection SQLi Pgadmin 4
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-56012 HIGH This Week

Blind SQL injection in the David Lingren Media Library Assistant WordPress plugin (versions up to and including 3.35) allows authenticated low-privilege users to inject SQL via unsanitized input into a database query, with scope-changed impact reaching the underlying WordPress database. No public exploit identified at time of analysis, but the plugin's wide WordPress deployment footprint and the low privilege bar make this a meaningful risk for multi-author sites. Patchstack published the advisory; no fixed version is listed in the available data.

SQLi
NVD VulDB
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-54222 HIGH This Week

Authenticated blind SQL injection in UBB.threads forum software version 7.7.5 (and likely other versions) allows administrators with access to the Members section of the Control Panel to extract arbitrary database contents, including user credentials, via time-based or boolean-based SQLi techniques. Reported by CERT-PL after unsuccessful vendor contact, with no public exploit identified at time of analysis and no vendor-released patch.

SQLi Ubb Threads
NVD
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-40455 HIGH PATCH This Week

Error-based SQL injection in LMS (LAN Management System) before commit 4cb30a7 allows authenticated attackers to extract sensitive database contents via the tarifflist.php module. The flaw stems from unsanitized concatenation of the POST tg[] array into a SQL query through implode(), and a CERT-PL-coordinated fix is upstream. No public exploit identified at time of analysis.

PHP SQLi Lms
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-54419 CRITICAL Act Now

Unauthenticated SQL injection in claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System) lets remote attackers read, modify, or delete arbitrary database records by tampering with HTTP parameters that are concatenated into legacy mysql_query() calls. The project ships with no authentication mechanism and no released versions, so any deployment exposing it to the network is fully compromisable; no public exploit identified at time of analysis, though CISA SSVC rates the technical impact as total and automatable.

PHP SQLi Piaf Hms
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-55740 CRITICAL Act Now

Unauthenticated SQL injection in Nur-Alam39's bus-ticket PHP application (no released versions; latest commit 459cabd) allows remote attackers to extract arbitrary data from the bus_service database via the busid POST parameter in bus_info.php. The flaw is exacerbated because the application connects as MySQL root with an empty password. No public exploit identified at time of analysis, though the description includes a working UNION-based payload demonstrating trivial exploitability.

PHP SQLi Bus Ticket
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-10736 MEDIUM This Month

SQL injection in Tutor LMS (WordPress plugin by Themeum) exposes the underlying database to read-access by any authenticated administrator. The flaw resides in the withdrawal-request management flow - specifically WithdrawModel.php and withdraw_requests.php - where a 'data' parameter is passed to SQL queries without adequate escaping or parameterization. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the data-exposure impact (C:H) is real, and a patched release (3.9.12) is confirmed in the WordPress plugin repository.

WordPress SQLi Tutor Lms Elearning And Online Course Solution
NVD
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-11360 MEDIUM This Month

SQL Injection in the Advanced Order Export For WooCommerce WordPress plugin (versions up to and including 4.0.10) allows authenticated shop managers to append arbitrary SQL to existing queries via the unsanitized 'sort_direction' parameter, enabling full read-access to the WordPress database. Wordfence confirmed the flaw, which is compounded by the plugin's deliberate stripping of WordPress magic quotes protection through stripslashes_deep(), permitting SQL metacharacters to reach the query context intact. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

WordPress SQLi Advanced Order Export For Woocommerce
NVD VulDB
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-11776 MEDIUM This Month

SQL injection in the Form Maker by 10Web WordPress plugin exposes the WordPress database to authenticated admin-level attackers via the unsanitized 'groupids' parameter. All plugin versions through 1.15.43 are affected across multiple code paths in WDW_FM_Library.php and Generete_csv.php. No active exploitation is confirmed (not in CISA KEV), and exploitation is constrained by the administrator privilege requirement, though the high confidentiality impact from unrestricted database read access remains a meaningful concern for multi-tenant or shared WordPress environments.

WordPress SQLi Form Maker By 10Web Mobile Friendly Drag Drop Contact Form Builder
NVD VulDB
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-11777 MEDIUM This Month

SQL Injection in the Form Maker by 10Web WordPress plugin (all versions up to and including 1.15.43) enables authenticated administrators to append arbitrary SQL clauses via the unsanitized 'name' parameter in the admin-side data selection interface, permitting full read access to the underlying WordPress database. The CVSS vector confirms a high confidentiality impact (C:H) but no integrity or availability impact, scoped exclusively to the vulnerable system. No active exploitation is confirmed (not listed in CISA KEV), no public POC has been identified at time of analysis, and the mandatory administrator-level authentication prerequisite substantially constrains real-world mass exploitation risk.

WordPress SQLi Form Maker By 10Web Mobile Friendly Drag Drop Contact Form Builder
NVD VulDB
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-55405 Maven HIGH PATCH GHSA This Week

SQL injection in LangChain4j's langchain4j-mariadb and langchain4j-pgvector embedding stores allows authenticated attackers who can influence metadata filter keys to execute arbitrary SQL via EmbeddingSearchRequest.filter(), enabling blind data exfiltration, denial of service through sleep functions, and deletion of arbitrary rows via removeAll(Filter). The flaw stems from string-concatenated filter keys (and MariaDB string values) being placed into SQL without escaping, and is particularly relevant where filter keys originate from LLM-generated output or untrusted user input. No public exploit identified at time of analysis, though the vendor advisory documents working proof-of-concept payloads such as pg_sleep(1) injection.

PostgreSQL SQLi Denial Of Service
NVD GitHub
CVSS 3.1
7.6
EPSS
0.3%
CVE-2026-35069 HIGH This Week

SQL injection in Dell PowerFlex Manager allows a low-privileged attacker with adjacent-network access to inject SQL commands that the application processes against its backend database, leading to script injection and potential compromise of confidentiality, integrity, and availability. The flaw is reported by Dell with no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.19%, 9th percentile).

Dell SQLi Powerflex
NVD VulDB
CVSS 3.1
8.0
EPSS
0.2%
CVE-2026-35068 MEDIUM This Month

SQL injection in Dell PowerFlex Manager exposes database contents to low-privileged adjacent-network attackers via insufficiently sanitized SQL command input. The vulnerability requires both network adjacency and existing low-level credentials, limiting its reach considerably from an opportunistic threat standpoint. No active exploitation has been confirmed by CISA KEV, and no public exploit code is known at time of analysis; the CVSS score of 3.5 (Low) reflects the constrained attack surface.

Dell SQLi Information Disclosure Powerflex
NVD VulDB
CVSS 3.1
5.7
EPSS
0.2%
CVE-2026-54812 CRITICAL Act Now

Blind SQL injection in the StylemixThemes Motors WordPress plugin (versions up to and including 1.4.109) allows remote unauthenticated attackers to inject crafted SQL fragments into backend queries, leading to confidentiality compromise of the WordPress database and limited availability impact. The CVSS 3.1 base score of 9.3 reflects a scope change (S:C), meaning the impact extends beyond the plugin to the underlying database engine shared with the WordPress core. No public exploit identified at time of analysis, but the SQLi class and unauthenticated network vector make this a high-priority issue for sites running the Motors car dealership/classified listings plugin.

SQLi Motors
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-54809 CRITICAL Act Now

Blind SQL injection in the VillaTheme GIFT4U WordPress plugin (versions through 1.0.10) allows remote unauthenticated attackers to inject arbitrary SQL into backend queries via unsanitized user input. The CVSS 9.3 score reflects a scope-changed impact with high confidentiality loss and partial availability impact, though no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

SQLi Gift4U
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-54808 CRITICAL Act Now

Blind SQL injection in the WP Travel Gutenberg Blocks WordPress plugin (versions up to and including 3.9.4) allows remote unauthenticated attackers to inject arbitrary SQL into backend queries, exfiltrating data from the WordPress database via inference-based techniques. The CVSS 9.3 score reflects a scope-changed impact (S:C) where database compromise affects components beyond the plugin itself, though no public exploit identified at time of analysis. The vulnerability was reported by Patchstack and impacts WordPress sites running this travel-booking block plugin in default configurations.

SQLi Wp Travel Gutenberg Blocks
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-54813 HIGH This Week

Blind SQL injection in Brainstorm Force SureDash WordPress plugin versions up to and including 1.8.0 allows authenticated low-privileged attackers to inject arbitrary SQL commands through unsanitized input. The scope-changed CVSS 8.5 score reflects that exploitation can impact resources beyond the vulnerable component, exposing sensitive WordPress database contents to remote attackers. No public exploit identified at time of analysis.

SQLi Suredash
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-54815 CRITICAL Act Now

Blind SQL injection in the Cargo RD 'Cargo Shipping Location for WooCommerce' WordPress plugin (versions up to and including 5.6) allows remote unauthenticated attackers to inject arbitrary SQL via unsanitized input passed to backend database queries. The flaw carries a CVSS 3.1 base score of 9.3 (Critical) due to its network-reachable, no-privilege, no-interaction profile and scope-changed confidentiality impact, and no public exploit identified at time of analysis.

WordPress SQLi Cargo Shipping Location For Woocommerce
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-54818 HIGH This Week

Blind SQL injection in VeronaLabs Slimstat Analytics WordPress plugin through version 5.4.11 allows authenticated low-privileged users to inject SQL commands via improperly neutralized input. The CVSS 8.5 score reflects scope change (S:C) impacting the broader WordPress database beyond the plugin context, with high confidentiality impact and partial availability impact. No public exploit identified at time of analysis, but the WordPress plugin ecosystem and Patchstack reporting suggest discovery through standard SQLi testing.

SQLi Slimstat Analytics
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-54819 CRITICAL Act Now

Blind SQL injection in Webilia's Listdom WordPress plugin (versions up to and including 5.4.0) allows remote unauthenticated attackers to inject SQL fragments into back-end queries and extract data inferentially. The flaw carries a 9.3 CVSS score with a scope change (S:C), indicating the injection can affect resources beyond the vulnerable component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Listdom
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-59554 CRITICAL Act Now

Unauthenticated SQL injection in the Advanced Ads - Tracking WordPress plugin versions prior to 3.0.7 allows remote attackers to inject arbitrary SQL into backend database queries without authentication. The CVSS 9.3 score with scope change (S:C) indicates the impact extends beyond the plugin to the underlying WordPress database, enabling data exfiltration and partial availability disruption. No public exploit identified at time of analysis, but the unauthenticated network-accessible nature makes this attractive for opportunistic scanning of WordPress installations.

SQLi Advanced Ads Tracking
NVD VulDB
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-54811 CRITICAL Act Now

Unauthenticated SQL injection in the WP eMember WordPress plugin versions prior to 10.9.4 allows remote attackers to inject arbitrary SQL through unsanitized input handled by the plugin. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 9.3 with a scope change, indicating impact beyond the vulnerable component; no public exploit identified at time of analysis.

SQLi Wp Emember
NVD VulDB
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-54187 CRITICAL Act Now

Unauthenticated SQL injection in the JetEngine WordPress plugin versions 3.8.10.1 and earlier allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 3.1 score of 9.3 (Critical) reflects a scope change with high confidentiality and low availability impact, indicating attacker-controlled queries can reach data beyond the plugin's own context. No public exploit identified at time of analysis, but the lack of authentication requirements makes this a high-priority patch target for any site running the affected versions.

SQLi Jetengine
NVD VulDB
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-54186 CRITICAL Act Now

Unauthenticated SQL injection in the eyecix JobSearch WordPress plugin (versions 3.2.9 and earlier) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. With a CVSS 3.1 score of 9.3 and a Scope:Changed vector indicating impact beyond the vulnerable component, the flaw enables high-confidentiality data theft from the WordPress database including user records and credentials. No public exploit identified at time of analysis, but Patchstack-tracked WordPress plugin SQLi issues are commonly weaponized shortly after disclosure.

SQLi Jobsearch
NVD VulDB
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-54185 HIGH PATCH This Week

SQL injection in the Cornerstone WordPress plugin (Themeco) versions prior to 7.8.8 allows authenticated users with Subscriber-level access to inject SQL into backend queries. Per the CVSS vector (PR:L, scope changed, C:H), a low-privileged WordPress account can read sensitive database contents - including credentials and PII - across security boundaries, with limited availability impact and no integrity impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Cornerstone
NVD VulDB
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-49084 CRITICAL PATCH Act Now

Unauthenticated SQL injection in the JetEngine WordPress plugin versions prior to 3.8.9.1 allows remote attackers to inject malicious SQL into backend database queries without any authentication or user interaction. The flaw carries a CVSS 3.1 score of 9.3 with a changed scope, enabling data disclosure across the WordPress installation and partial impact on availability. No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with JetEngine's wide deployment across Crocoblock-powered WordPress sites makes this a high-priority issue.

SQLi Jetengine
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-49079 CRITICAL Act Now

Unauthenticated SQL injection in the JetSearch WordPress plugin (versions <= 3.5.17) allows remote attackers to inject arbitrary SQL into backend database queries without any authentication or user interaction. The flaw carries a CVSS 9.3 (Critical) score with a scope change, meaning impact extends beyond the plugin to the underlying WordPress database. No public exploit identified at time of analysis, but the trivial attack complexity and lack of authentication requirement make this a high-priority patching target for any WordPress site running the plugin.

SQLi Jetsearch
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-49076 CRITICAL Act Now

Unauthenticated SQL injection in the JetEngine WordPress plugin (versions up to and including 3.8.9.1) allows remote attackers without credentials to inject arbitrary SQL through plugin-handled inputs. With a CVSS 3.1 score of 9.3 (scope-changed) and no authentication or user interaction required, the flaw is well-suited for opportunistic, mass exploitation of WordPress sites that use this popular Crocoblock plugin. No public exploit identified at time of analysis, but Patchstack has catalogued the issue, indicating vendor-side confirmation.

SQLi Jetengine
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-48967 HIGH This Week

SQL injection in the Geo Mashup WordPress plugin (versions <= 1.13.19) allows authenticated users with Subscriber-level privileges to inject arbitrary SQL queries via unsanitized input, leading to confidentiality compromise and limited availability impact across other WordPress components. No public exploit identified at time of analysis, but the low privilege barrier (any registered subscriber) on a widely-deployed plugin class makes this a meaningful risk for WordPress sites with open registration. The Scope:Changed CVSS metric indicates the SQL injection can affect resources beyond the plugin's own security authority.

SQLi Geo Mashup
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-48875 CRITICAL Act Now

Unauthenticated SQL injection in the JetSmartFilters WordPress plugin (versions ≤ 3.8.1) allows remote attackers to inject arbitrary SQL queries against the underlying WordPress database without any authentication or user interaction. The CVSS 9.3 score reflects a scope-changing flaw with high confidentiality impact and low availability impact, and no public exploit has been identified at time of analysis. The vulnerability was disclosed via Patchstack and affects a popular Crocoblock/JetImpex filtering plugin widely deployed on WordPress sites.

SQLi Jetsmartfilters
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-39596 CRITICAL PATCH Act Now

Unauthenticated SQL injection in Blocksy Companion Pro (a premium WordPress plugin from Creative Themes) prior to version 2.1.29 allows remote attackers to inject arbitrary SQL into backend database queries without any login or user interaction. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H) with scope-change indicates the impact crosses a security boundary, with full confidentiality compromise of database contents and limited integrity/availability effect. No public exploit identified at time of analysis, but the vulnerability class and SSDLC profile are highly attractive to automated scanners targeting WordPress.

SQLi Blocksy Companion Pro
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-22340 CRITICAL Act Now

Unauthenticated SQL injection in the WPJobster WordPress theme versions 6.3.5 and earlier allows remote attackers to inject SQL queries without any authentication or user interaction. Reported by Patchstack and tracked under CWE-89, the issue carries a CVSS 3.1 score of 9.3 with a scope-changed impact, meaning a successful injection can affect resources beyond the vulnerable component. No public exploit identified at time of analysis, but the network-reachable, low-complexity nature of WordPress theme endpoints makes this a high-priority issue for any site running the affected theme.

SQLi Wpjobster
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-22335 HIGH PATCH This Week

SQL injection in the WooCommerce Frontend Manager - Ultimate WordPress plugin (versions prior to 6.7.7) allows authenticated subscriber-level users to inject SQL via plugin-handled input, exposing database contents and enabling limited data tampering on affected WooCommerce sites. The CVSS 8.5 rating reflects a scope change reaching the underlying database with high confidentiality impact. No public exploit identified at time of analysis.

WordPress SQLi Woocommerce Frontend Manager Ultimate
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-22332 CRITICAL Act Now

SQL injection in Tutor LMS Pro (Themeum) versions 3.9.6 and earlier allows remote unauthenticated attackers to inject arbitrary SQL against the underlying WordPress database. The CVSS 9.3 rating reflects a scope change with high confidentiality impact, meaning data accessible to the WordPress backend can be exposed. As of analysis, no public exploit identified at time of analysis, and the issue is tracked via Patchstack.

SQLi Tutor Lms Pro
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2025-69135 HIGH This Week

SQL injection in the Events Schedule - WordPress Events Calendar plugin (versions <= 2.7.2) by CurlyThemes allows authenticated users with Subscriber-level privileges to inject arbitrary SQL into backend database queries. Because the CVSS scope is Changed with high confidentiality impact, a successful attacker can read data beyond the plugin's intended boundary, potentially exfiltrating WordPress user hashes and site secrets. No public exploit identified at time of analysis, and the issue is reported by Patchstack.

WordPress SQLi Events Schedule Wordpress Events Calendar Plugin
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-28576 CRITICAL Act Now

Local information disclosure in the Android Contacts Provider component permits an on-device attacker to extract data from the contacts database via SQL injection without requiring additional execution privileges or user interaction. The flaw is addressed in the Android Security Bulletin for Android 17, and no public exploit identified at time of analysis. Although the input CVSS 4.0 score is 10.0 with a network vector, the description explicitly characterizes the impact as local, which security teams should reconcile before prioritization.

SQLi Information Disclosure
NVD VulDB
CVSS 4.0
10.0
EPSS
0.4%
CVE-2026-12360 HIGH This Week

Unauthenticated SQL injection in the JetEngine WordPress plugin versions up to 3.8.10.1 allows remote attackers to extract database contents via the listing_load_more AJAX handler. The filtered_query parameter is deliberately excluded from the HMAC signature check to enable front-end filter integration, but meta_query row values are merged into SQL without sanitization, enabling time-based or boolean blind injection. No public exploit identified at time of analysis, though the bug was reported by Wordfence and source code locations are publicly referenced.

WordPress SQLi Jetengine
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-49073 HIGH This Week

Blind SQL injection in the wpWax Directorist Booking WordPress plugin (versions up to and including 3.0.3) allows authenticated low-privilege users to issue crafted database queries that exfiltrate data across trust boundaries. The CVSS 3.1 score of 8.5 reflects a scope change (S:C) with high confidentiality impact, indicating the affected database context exposes data beyond the plugin's own component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Directorist Booking
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-49080 CRITICAL Act Now

SQL injection in the wpDataTables WordPress plugin versions 7.3.6 and earlier allows unauthenticated remote attackers to inject crafted SQL into backend database queries, with CVSS 9.3 reflecting a scope-changed impact that reaches beyond the plugin's own data context. The CVSS vector indicates high confidentiality impact and low availability impact with no integrity impact, suggesting the flaw is primarily useful for extracting sensitive WordPress data (including credentials and PII) rather than tampering with records. No public exploit identified at time of analysis, but Patchstack's disclosure and the unauthenticated network attack vector make this a high-priority issue for any site running the plugin.

SQLi Wpdatatables
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-39438 CRITICAL Act Now

Unauthenticated SQL injection in the ListingPro WordPress plugin (versions ≤ 2.9.10) allows remote attackers to inject arbitrary SQL into backend queries without credentials, exposing the WordPress database to extraction and manipulation. Reported by Patchstack and tracked as EUVD-2026-37469, the flaw carries a 9.3 CVSS with scope change, indicating impact beyond the vulnerable component. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Listingpro
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-54313 npm MEDIUM PATCH GHSA This Month

NoSQL injection in n8n's MongoDB node (all versions prior to 2.24.0) enables authenticated users with workflow edit access to supply malicious filter values in the Find And Replace operation, causing MongoDB to match and overwrite documents far beyond the attacker's intended scope. The root cause is unsanitized user input being passed directly to MongoDB as a query filter without validation, and the scope change (S:C in CVSS) means the impact propagates from n8n itself into the connected MongoDB database layer. No public exploit has been identified at time of analysis, and exploitation is bounded by the requirement for a valid n8n account with workflow editing permissions.

SQLi
NVD GitHub VulDB
CVSS 4.0
6.5
EPSS
0.3%
CVE-2026-54310 npm MEDIUM PATCH GHSA This Month

SQL injection in n8n's legacy Postgres v1 and TimescaleDB workflow nodes allows an authenticated workflow editor to inject and execute arbitrary SQL against the connected database, operating under the privileges of the configured database account. Affected versions span all n8n npm releases below 2.25.7 and the 2.26.0-2.26.1 range, with the CVSS 9.9 score reflecting a confirmed scope change: the injection escapes the n8n application layer into the underlying database system (S:C), enabling full confidentiality, integrity, and availability compromise of database contents. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low-privilege requirement and network-accessible attack vector make this a critical priority for any deployment where workflow editing access is broadly granted.

PostgreSQL SQLi
NVD GitHub VulDB
CVSS 4.0
6.5
EPSS
0.3%
CVE-2026-49772 CRITICAL Act Now

Blind SQL injection in The Events Calendar WordPress plugin (versions 6.15.12 through 6.16.2) by Liquid Web / StellarWP allows remote attackers to inject malicious SQL via unsanitized input handled by the plugin. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) indicates a network-reachable, unauthenticated, low-complexity issue with a scope change and high confidentiality impact, putting it at 9.3 critical. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided in the input.

SQLi The Events Calendar
NVD VulDB
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-52715 CRITICAL Act Now

Unauthenticated SQL injection in the GEO my WordPress plugin versions 4.5.5 and earlier allows remote attackers to inject arbitrary SQL into backend queries against WordPress sites running the plugin. The flaw was disclosed via Patchstack, carries a CVSS 9.3 with scope change, and currently has no public exploit identified at time of analysis, though SQL injection in WordPress plugins is historically a high-value automated target.

WordPress SQLi Geo My Wordpress
NVD VulDB
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-52712 HIGH This Week

SQL injection in the Attendance Manager WordPress plugin version 0.6.2 and earlier allows authenticated users with subscriber-level privileges to inject malicious SQL through plugin functionality, leading to disclosure of sensitive database contents. The flaw was reported by Patchstack and impacts WordPress sites that have installed the tnomi Attendance Manager plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Attendance Manager
NVD
CVSS 3.1
7.6
EPSS
0.3%
CVE-2026-39581 HIGH This Week

SQL injection in the WordPress plugin WP Sessions Time Monitoring Full Automatic (versions 1.1.4 and earlier) allows authenticated users with Subscriber-level access to inject malicious SQL into backend database queries. The CVSS scope change (S:C) and high confidentiality impact indicate that exploitation can expose data beyond the plugin's own context, including potentially the broader WordPress database. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

SQLi Wp Sessions Time Monitoring Full Automatic
NVD
CVSS 3.1
8.5
EPSS
0.4%
CVE-2026-39574 CRITICAL Act Now

Unauthenticated SQL injection in the InPost Gallery WordPress plugin (versions 2.1.4.6 and earlier) by realmag777 allows remote attackers to inject arbitrary SQL queries without any authentication. The flaw carries a CVSS 9.3 with a scope change, meaning successful exploitation can extract sensitive database contents and impact resources beyond the vulnerable component. No public exploit identified at time of analysis, but the unauthenticated nature and the visibility of Patchstack-reported WordPress flaws make opportunistic scanning likely.

SQLi Inpost Gallery
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-8444 HIGH This Week

Authenticated SQL injection in the WP Review Slider Pro WordPress plugin through version 12.6.8 lets Subscriber-level users append arbitrary SQL via the wpfb_find_reviews AJAX action, enabling extraction of sensitive database contents including user credentials and secrets. The flaw is reachable by any logged-in WordPress account, which on sites with open registration effectively lowers the bar to near-unauthenticated. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

WordPress SQLi Wpreviewslider Com
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-8443 HIGH This Week

SQL injection in the WP Review Slider Pro WordPress plugin (versions ≤12.6.8) allows authenticated attackers with Subscriber-level access to inject arbitrary SQL via the 'stypes' and 'slocations' JSON parameters of the wppro_get_overall_chart_data AJAX action. Because the vulnerable handler echoes the executed SQL back in its JSON response, attackers gain a built-in oracle that turns blind injection into a near-trivial database extraction primitive. No public exploit identified at time of analysis, but the very low privilege barrier on a default WordPress install makes any exposed site a realistic target.

WordPress SQLi Oracle Wpreviewslider Com
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-52700 HIGH This Week

SQL injection in the WCMultiShipping WordPress plugin (Mondial Relay & Chronopost for WooCommerce) versions 3.0.2 and earlier allows authenticated users holding only the low-privilege Subscriber role to inject arbitrary SQL into backend queries. The scope-changed CVSS 8.5 reflects high confidentiality impact across security boundaries, and no public exploit identified at time of analysis. Disclosure originates from Patchstack's WordPress vulnerability database.

SQLi Wcmultishipping
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-52697 HIGH This Week

SQL injection in the Taskbuilder WordPress plugin versions 5.0.7 and earlier allows authenticated Subscriber-level users to inject malicious SQL into backend database queries, enabling exposure of sensitive data including credential hashes and limited integrity/availability impact on the underlying WordPress site. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 8.5 driven by a scope change to the database tier; there is no public exploit identified at time of analysis and the issue is not on CISA KEV.

SQLi Taskbuilder
NVD
CVSS 3.1
8.5
EPSS
0.3%
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Vmap
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla JHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rooms parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Component Myportfolio 3.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the pid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Payage 2.05 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the aid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Component JoomRecipe 1.0.3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the category parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla JoomRecipe 1.0.4 component contains a blind SQL injection vulnerability in the search_author parameter on the search results page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla LMS King Professional 3.2.4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cp_id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Event Registration Pro Calendar 4.1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Ultimate Property Listing 1.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla StreetGuessr Game 1.1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP SQLi +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Component J-ClassifiedsManager 3.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Classifiedsmanager
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Component J-MultipleHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Multiplehotelreservation
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Joomla J-CruisePortal 6.0.4 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the guest_adult parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Cruiseportal
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Calendar Planner
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla SP Movie Database 1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the searchword. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Sp Movie Database
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Flip Wall
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Sponsor Wall
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Focalpoint Pro Free
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Ajax Quiz
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Bargain Product Vm3
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Price Alert
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla OSDownloads 1.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Osdownloads
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rpc
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Quiz Deluxe
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Survey Force Deluxe 3.2.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the invite. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Survey Force Deluxe
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Jb Visa
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP User Bench
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi My Projects
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla NextGen Editor 2.1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the plname parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Nextgen Editor
NVD Exploit-DB
EPSS 1% CVSS 9.4
CRITICAL PATCH Act Now

Remote SQL injection via prompt injection in pgAdmin 4 versions 9.13 through 9.15 allows attackers who can write content into database objects the AI Assistant inspects to bypass the read-only transaction wrapper and execute arbitrary SQL with the pgAdmin user's database role. When that role is a PostgreSQL superuser or holds pg_execute_server_program, the chain escalates to remote code execution on the database host via COPY ... TO PROGRAM. No public exploit identified at time of analysis; CVSS 4.0 base score is 9.4 (Critical) and an upstream fix is available.

PostgreSQL SQLi RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

{gid}/{sid}) permits a low-privilege authenticated user with an active PostgreSQL session to inject additional SQL statements by exploiting unsafe str.format() interpolation of the user-supplied 'value' field. Affected versions span pgAdmin 4 from 1.0 through 9.15; a patch was released in version 9.16. The injected SQL executes only under the authenticated user's existing database role, so no privilege boundary is crossed - the principal risk is bypass of application-layer controls that restrict the Query Tool while leaving the restore-point endpoint accessible. No public exploit or active exploitation confirmed at time of analysis.

PostgreSQL SQLi Pgadmin 4
NVD GitHub VulDB
EPSS 1% CVSS 8.7
HIGH PATCH This Week

SQL injection in pgAdmin 4 versions 1.0 through 9.15 allows an authenticated user with object-modification rights to inject SQL via the description field of Domain, Domain Constraint, Foreign Table, Language, Event Trigger, and View dialogs, where Jinja templates wrapped the value in single quotes instead of passing it through the qtLiteral escape filter. Sixteen template sites plus ten related pgstattuple/pgstatindex identifier sinks share the defect; injected SQL executes as the connected PostgreSQL role, and if that role can use COPY ... TO/FROM PROGRAM it pivots to OS command execution on the database host. No public exploit identified at time of analysis, and the vendor notes the bug does not cross a privilege boundary since the same user already has direct SQL access via the Query Tool.

PostgreSQL Command Injection SQLi +1
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in the David Lingren Media Library Assistant WordPress plugin (versions up to and including 3.35) allows authenticated low-privilege users to inject SQL via unsanitized input into a database query, with scope-changed impact reaching the underlying WordPress database. No public exploit identified at time of analysis, but the plugin's wide WordPress deployment footprint and the low privilege bar make this a meaningful risk for multi-author sites. Patchstack published the advisory; no fixed version is listed in the available data.

SQLi
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Authenticated blind SQL injection in UBB.threads forum software version 7.7.5 (and likely other versions) allows administrators with access to the Members section of the Control Panel to extract arbitrary database contents, including user credentials, via time-based or boolean-based SQLi techniques. Reported by CERT-PL after unsuccessful vendor contact, with no public exploit identified at time of analysis and no vendor-released patch.

SQLi Ubb Threads
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Error-based SQL injection in LMS (LAN Management System) before commit 4cb30a7 allows authenticated attackers to extract sensitive database contents via the tarifflist.php module. The flaw stems from unsanitized concatenation of the POST tg[] array into a SQL query through implode(), and a CERT-PL-coordinated fix is upstream. No public exploit identified at time of analysis.

PHP SQLi Lms
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System) lets remote attackers read, modify, or delete arbitrary database records by tampering with HTTP parameters that are concatenated into legacy mysql_query() calls. The project ships with no authentication mechanism and no released versions, so any deployment exposing it to the network is fully compromisable; no public exploit identified at time of analysis, though CISA SSVC rates the technical impact as total and automatable.

PHP SQLi Piaf Hms
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in Nur-Alam39's bus-ticket PHP application (no released versions; latest commit 459cabd) allows remote attackers to extract arbitrary data from the bus_service database via the busid POST parameter in bus_info.php. The flaw is exacerbated because the application connects as MySQL root with an empty password. No public exploit identified at time of analysis, though the description includes a working UNION-based payload demonstrating trivial exploitability.

PHP SQLi Bus Ticket
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in Tutor LMS (WordPress plugin by Themeum) exposes the underlying database to read-access by any authenticated administrator. The flaw resides in the withdrawal-request management flow - specifically WithdrawModel.php and withdraw_requests.php - where a 'data' parameter is passed to SQL queries without adequate escaping or parameterization. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the data-exposure impact (C:H) is real, and a patched release (3.9.12) is confirmed in the WordPress plugin repository.

WordPress SQLi Tutor Lms Elearning And Online Course Solution
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL Injection in the Advanced Order Export For WooCommerce WordPress plugin (versions up to and including 4.0.10) allows authenticated shop managers to append arbitrary SQL to existing queries via the unsanitized 'sort_direction' parameter, enabling full read-access to the WordPress database. Wordfence confirmed the flaw, which is compounded by the plugin's deliberate stripping of WordPress magic quotes protection through stripslashes_deep(), permitting SQL metacharacters to reach the query context intact. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

WordPress SQLi Advanced Order Export For Woocommerce
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in the Form Maker by 10Web WordPress plugin exposes the WordPress database to authenticated admin-level attackers via the unsanitized 'groupids' parameter. All plugin versions through 1.15.43 are affected across multiple code paths in WDW_FM_Library.php and Generete_csv.php. No active exploitation is confirmed (not in CISA KEV), and exploitation is constrained by the administrator privilege requirement, though the high confidentiality impact from unrestricted database read access remains a meaningful concern for multi-tenant or shared WordPress environments.

WordPress SQLi Form Maker By 10Web Mobile Friendly Drag Drop Contact Form Builder
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL Injection in the Form Maker by 10Web WordPress plugin (all versions up to and including 1.15.43) enables authenticated administrators to append arbitrary SQL clauses via the unsanitized 'name' parameter in the admin-side data selection interface, permitting full read access to the underlying WordPress database. The CVSS vector confirms a high confidentiality impact (C:H) but no integrity or availability impact, scoped exclusively to the vulnerable system. No active exploitation is confirmed (not listed in CISA KEV), no public POC has been identified at time of analysis, and the mandatory administrator-level authentication prerequisite substantially constrains real-world mass exploitation risk.

WordPress SQLi Form Maker By 10Web Mobile Friendly Drag Drop Contact Form Builder
NVD VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

SQL injection in LangChain4j's langchain4j-mariadb and langchain4j-pgvector embedding stores allows authenticated attackers who can influence metadata filter keys to execute arbitrary SQL via EmbeddingSearchRequest.filter(), enabling blind data exfiltration, denial of service through sleep functions, and deletion of arbitrary rows via removeAll(Filter). The flaw stems from string-concatenated filter keys (and MariaDB string values) being placed into SQL without escaping, and is particularly relevant where filter keys originate from LLM-generated output or untrusted user input. No public exploit identified at time of analysis, though the vendor advisory documents working proof-of-concept payloads such as pg_sleep(1) injection.

PostgreSQL SQLi Denial Of Service
NVD GitHub
EPSS 0% CVSS 8.0
HIGH This Week

SQL injection in Dell PowerFlex Manager allows a low-privileged attacker with adjacent-network access to inject SQL commands that the application processes against its backend database, leading to script injection and potential compromise of confidentiality, integrity, and availability. The flaw is reported by Dell with no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.19%, 9th percentile).

Dell SQLi Powerflex
NVD VulDB
EPSS 0% CVSS 5.7
MEDIUM This Month

SQL injection in Dell PowerFlex Manager exposes database contents to low-privileged adjacent-network attackers via insufficiently sanitized SQL command input. The vulnerability requires both network adjacency and existing low-level credentials, limiting its reach considerably from an opportunistic threat standpoint. No active exploitation has been confirmed by CISA KEV, and no public exploit code is known at time of analysis; the CVSS score of 3.5 (Low) reflects the constrained attack surface.

Dell SQLi Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the StylemixThemes Motors WordPress plugin (versions up to and including 1.4.109) allows remote unauthenticated attackers to inject crafted SQL fragments into backend queries, leading to confidentiality compromise of the WordPress database and limited availability impact. The CVSS 3.1 base score of 9.3 reflects a scope change (S:C), meaning the impact extends beyond the plugin to the underlying database engine shared with the WordPress core. No public exploit identified at time of analysis, but the SQLi class and unauthenticated network vector make this a high-priority issue for sites running the Motors car dealership/classified listings plugin.

SQLi Motors
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the VillaTheme GIFT4U WordPress plugin (versions through 1.0.10) allows remote unauthenticated attackers to inject arbitrary SQL into backend queries via unsanitized user input. The CVSS 9.3 score reflects a scope-changed impact with high confidentiality loss and partial availability impact, though no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

SQLi Gift4U
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the WP Travel Gutenberg Blocks WordPress plugin (versions up to and including 3.9.4) allows remote unauthenticated attackers to inject arbitrary SQL into backend queries, exfiltrating data from the WordPress database via inference-based techniques. The CVSS 9.3 score reflects a scope-changed impact (S:C) where database compromise affects components beyond the plugin itself, though no public exploit identified at time of analysis. The vulnerability was reported by Patchstack and impacts WordPress sites running this travel-booking block plugin in default configurations.

SQLi Wp Travel Gutenberg Blocks
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in Brainstorm Force SureDash WordPress plugin versions up to and including 1.8.0 allows authenticated low-privileged attackers to inject arbitrary SQL commands through unsanitized input. The scope-changed CVSS 8.5 score reflects that exploitation can impact resources beyond the vulnerable component, exposing sensitive WordPress database contents to remote attackers. No public exploit identified at time of analysis.

SQLi Suredash
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the Cargo RD 'Cargo Shipping Location for WooCommerce' WordPress plugin (versions up to and including 5.6) allows remote unauthenticated attackers to inject arbitrary SQL via unsanitized input passed to backend database queries. The flaw carries a CVSS 3.1 base score of 9.3 (Critical) due to its network-reachable, no-privilege, no-interaction profile and scope-changed confidentiality impact, and no public exploit identified at time of analysis.

WordPress SQLi Cargo Shipping Location For Woocommerce
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in VeronaLabs Slimstat Analytics WordPress plugin through version 5.4.11 allows authenticated low-privileged users to inject SQL commands via improperly neutralized input. The CVSS 8.5 score reflects scope change (S:C) impacting the broader WordPress database beyond the plugin context, with high confidentiality impact and partial availability impact. No public exploit identified at time of analysis, but the WordPress plugin ecosystem and Patchstack reporting suggest discovery through standard SQLi testing.

SQLi Slimstat Analytics
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in Webilia's Listdom WordPress plugin (versions up to and including 5.4.0) allows remote unauthenticated attackers to inject SQL fragments into back-end queries and extract data inferentially. The flaw carries a 9.3 CVSS score with a scope change (S:C), indicating the injection can affect resources beyond the vulnerable component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Listdom
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the Advanced Ads - Tracking WordPress plugin versions prior to 3.0.7 allows remote attackers to inject arbitrary SQL into backend database queries without authentication. The CVSS 9.3 score with scope change (S:C) indicates the impact extends beyond the plugin to the underlying WordPress database, enabling data exfiltration and partial availability disruption. No public exploit identified at time of analysis, but the unauthenticated network-accessible nature makes this attractive for opportunistic scanning of WordPress installations.

SQLi Advanced Ads Tracking
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the WP eMember WordPress plugin versions prior to 10.9.4 allows remote attackers to inject arbitrary SQL through unsanitized input handled by the plugin. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 9.3 with a scope change, indicating impact beyond the vulnerable component; no public exploit identified at time of analysis.

SQLi Wp Emember
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the JetEngine WordPress plugin versions 3.8.10.1 and earlier allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 3.1 score of 9.3 (Critical) reflects a scope change with high confidentiality and low availability impact, indicating attacker-controlled queries can reach data beyond the plugin's own context. No public exploit identified at time of analysis, but the lack of authentication requirements makes this a high-priority patch target for any site running the affected versions.

SQLi Jetengine
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the eyecix JobSearch WordPress plugin (versions 3.2.9 and earlier) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. With a CVSS 3.1 score of 9.3 and a Scope:Changed vector indicating impact beyond the vulnerable component, the flaw enables high-confidentiality data theft from the WordPress database including user records and credentials. No public exploit identified at time of analysis, but Patchstack-tracked WordPress plugin SQLi issues are commonly weaponized shortly after disclosure.

SQLi Jobsearch
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

SQL injection in the Cornerstone WordPress plugin (Themeco) versions prior to 7.8.8 allows authenticated users with Subscriber-level access to inject SQL into backend queries. Per the CVSS vector (PR:L, scope changed, C:H), a low-privileged WordPress account can read sensitive database contents - including credentials and PII - across security boundaries, with limited availability impact and no integrity impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Cornerstone
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated SQL injection in the JetEngine WordPress plugin versions prior to 3.8.9.1 allows remote attackers to inject malicious SQL into backend database queries without any authentication or user interaction. The flaw carries a CVSS 3.1 score of 9.3 with a changed scope, enabling data disclosure across the WordPress installation and partial impact on availability. No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with JetEngine's wide deployment across Crocoblock-powered WordPress sites makes this a high-priority issue.

SQLi Jetengine
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the JetSearch WordPress plugin (versions <= 3.5.17) allows remote attackers to inject arbitrary SQL into backend database queries without any authentication or user interaction. The flaw carries a CVSS 9.3 (Critical) score with a scope change, meaning impact extends beyond the plugin to the underlying WordPress database. No public exploit identified at time of analysis, but the trivial attack complexity and lack of authentication requirement make this a high-priority patching target for any WordPress site running the plugin.

SQLi Jetsearch
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the JetEngine WordPress plugin (versions up to and including 3.8.9.1) allows remote attackers without credentials to inject arbitrary SQL through plugin-handled inputs. With a CVSS 3.1 score of 9.3 (scope-changed) and no authentication or user interaction required, the flaw is well-suited for opportunistic, mass exploitation of WordPress sites that use this popular Crocoblock plugin. No public exploit identified at time of analysis, but Patchstack has catalogued the issue, indicating vendor-side confirmation.

SQLi Jetengine
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the Geo Mashup WordPress plugin (versions <= 1.13.19) allows authenticated users with Subscriber-level privileges to inject arbitrary SQL queries via unsanitized input, leading to confidentiality compromise and limited availability impact across other WordPress components. No public exploit identified at time of analysis, but the low privilege barrier (any registered subscriber) on a widely-deployed plugin class makes this a meaningful risk for WordPress sites with open registration. The Scope:Changed CVSS metric indicates the SQL injection can affect resources beyond the plugin's own security authority.

SQLi Geo Mashup
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the JetSmartFilters WordPress plugin (versions ≤ 3.8.1) allows remote attackers to inject arbitrary SQL queries against the underlying WordPress database without any authentication or user interaction. The CVSS 9.3 score reflects a scope-changing flaw with high confidentiality impact and low availability impact, and no public exploit has been identified at time of analysis. The vulnerability was disclosed via Patchstack and affects a popular Crocoblock/JetImpex filtering plugin widely deployed on WordPress sites.

SQLi Jetsmartfilters
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated SQL injection in Blocksy Companion Pro (a premium WordPress plugin from Creative Themes) prior to version 2.1.29 allows remote attackers to inject arbitrary SQL into backend database queries without any login or user interaction. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H) with scope-change indicates the impact crosses a security boundary, with full confidentiality compromise of database contents and limited integrity/availability effect. No public exploit identified at time of analysis, but the vulnerability class and SSDLC profile are highly attractive to automated scanners targeting WordPress.

SQLi Blocksy Companion Pro
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the WPJobster WordPress theme versions 6.3.5 and earlier allows remote attackers to inject SQL queries without any authentication or user interaction. Reported by Patchstack and tracked under CWE-89, the issue carries a CVSS 3.1 score of 9.3 with a scope-changed impact, meaning a successful injection can affect resources beyond the vulnerable component. No public exploit identified at time of analysis, but the network-reachable, low-complexity nature of WordPress theme endpoints makes this a high-priority issue for any site running the affected theme.

SQLi Wpjobster
NVD
EPSS 0% CVSS 8.5
HIGH PATCH This Week

SQL injection in the WooCommerce Frontend Manager - Ultimate WordPress plugin (versions prior to 6.7.7) allows authenticated subscriber-level users to inject SQL via plugin-handled input, exposing database contents and enabling limited data tampering on affected WooCommerce sites. The CVSS 8.5 rating reflects a scope change reaching the underlying database with high confidentiality impact. No public exploit identified at time of analysis.

WordPress SQLi Woocommerce Frontend Manager Ultimate
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in Tutor LMS Pro (Themeum) versions 3.9.6 and earlier allows remote unauthenticated attackers to inject arbitrary SQL against the underlying WordPress database. The CVSS 9.3 rating reflects a scope change with high confidentiality impact, meaning data accessible to the WordPress backend can be exposed. As of analysis, no public exploit identified at time of analysis, and the issue is tracked via Patchstack.

SQLi Tutor Lms Pro
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the Events Schedule - WordPress Events Calendar plugin (versions <= 2.7.2) by CurlyThemes allows authenticated users with Subscriber-level privileges to inject arbitrary SQL into backend database queries. Because the CVSS scope is Changed with high confidentiality impact, a successful attacker can read data beyond the plugin's intended boundary, potentially exfiltrating WordPress user hashes and site secrets. No public exploit identified at time of analysis, and the issue is reported by Patchstack.

WordPress SQLi Events Schedule Wordpress Events Calendar Plugin
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Local information disclosure in the Android Contacts Provider component permits an on-device attacker to extract data from the contacts database via SQL injection without requiring additional execution privileges or user interaction. The flaw is addressed in the Android Security Bulletin for Android 17, and no public exploit identified at time of analysis. Although the input CVSS 4.0 score is 10.0 with a network vector, the description explicitly characterizes the impact as local, which security teams should reconcile before prioritization.

SQLi Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated SQL injection in the JetEngine WordPress plugin versions up to 3.8.10.1 allows remote attackers to extract database contents via the listing_load_more AJAX handler. The filtered_query parameter is deliberately excluded from the HMAC signature check to enable front-end filter integration, but meta_query row values are merged into SQL without sanitization, enabling time-based or boolean blind injection. No public exploit identified at time of analysis, though the bug was reported by Wordfence and source code locations are publicly referenced.

WordPress SQLi Jetengine
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in the wpWax Directorist Booking WordPress plugin (versions up to and including 3.0.3) allows authenticated low-privilege users to issue crafted database queries that exfiltrate data across trust boundaries. The CVSS 3.1 score of 8.5 reflects a scope change (S:C) with high confidentiality impact, indicating the affected database context exposes data beyond the plugin's own component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Directorist Booking
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the wpDataTables WordPress plugin versions 7.3.6 and earlier allows unauthenticated remote attackers to inject crafted SQL into backend database queries, with CVSS 9.3 reflecting a scope-changed impact that reaches beyond the plugin's own data context. The CVSS vector indicates high confidentiality impact and low availability impact with no integrity impact, suggesting the flaw is primarily useful for extracting sensitive WordPress data (including credentials and PII) rather than tampering with records. No public exploit identified at time of analysis, but Patchstack's disclosure and the unauthenticated network attack vector make this a high-priority issue for any site running the plugin.

SQLi Wpdatatables
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the ListingPro WordPress plugin (versions ≤ 2.9.10) allows remote attackers to inject arbitrary SQL into backend queries without credentials, exposing the WordPress database to extraction and manipulation. Reported by Patchstack and tracked as EUVD-2026-37469, the flaw carries a 9.3 CVSS with scope change, indicating impact beyond the vulnerable component. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Listingpro
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

NoSQL injection in n8n's MongoDB node (all versions prior to 2.24.0) enables authenticated users with workflow edit access to supply malicious filter values in the Find And Replace operation, causing MongoDB to match and overwrite documents far beyond the attacker's intended scope. The root cause is unsanitized user input being passed directly to MongoDB as a query filter without validation, and the scope change (S:C in CVSS) means the impact propagates from n8n itself into the connected MongoDB database layer. No public exploit has been identified at time of analysis, and exploitation is bounded by the requirement for a valid n8n account with workflow editing permissions.

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

SQL injection in n8n's legacy Postgres v1 and TimescaleDB workflow nodes allows an authenticated workflow editor to inject and execute arbitrary SQL against the connected database, operating under the privileges of the configured database account. Affected versions span all n8n npm releases below 2.25.7 and the 2.26.0-2.26.1 range, with the CVSS 9.9 score reflecting a confirmed scope change: the injection escapes the n8n application layer into the underlying database system (S:C), enabling full confidentiality, integrity, and availability compromise of database contents. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low-privilege requirement and network-accessible attack vector make this a critical priority for any deployment where workflow editing access is broadly granted.

PostgreSQL SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in The Events Calendar WordPress plugin (versions 6.15.12 through 6.16.2) by Liquid Web / StellarWP allows remote attackers to inject malicious SQL via unsanitized input handled by the plugin. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) indicates a network-reachable, unauthenticated, low-complexity issue with a scope change and high confidentiality impact, putting it at 9.3 critical. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided in the input.

SQLi The Events Calendar
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the GEO my WordPress plugin versions 4.5.5 and earlier allows remote attackers to inject arbitrary SQL into backend queries against WordPress sites running the plugin. The flaw was disclosed via Patchstack, carries a CVSS 9.3 with scope change, and currently has no public exploit identified at time of analysis, though SQL injection in WordPress plugins is historically a high-value automated target.

WordPress SQLi Geo My Wordpress
NVD VulDB
EPSS 0% CVSS 7.6
HIGH This Week

SQL injection in the Attendance Manager WordPress plugin version 0.6.2 and earlier allows authenticated users with subscriber-level privileges to inject malicious SQL through plugin functionality, leading to disclosure of sensitive database contents. The flaw was reported by Patchstack and impacts WordPress sites that have installed the tnomi Attendance Manager plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Attendance Manager
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the WordPress plugin WP Sessions Time Monitoring Full Automatic (versions 1.1.4 and earlier) allows authenticated users with Subscriber-level access to inject malicious SQL into backend database queries. The CVSS scope change (S:C) and high confidentiality impact indicate that exploitation can expose data beyond the plugin's own context, including potentially the broader WordPress database. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

SQLi Wp Sessions Time Monitoring Full Automatic
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the InPost Gallery WordPress plugin (versions 2.1.4.6 and earlier) by realmag777 allows remote attackers to inject arbitrary SQL queries without any authentication. The flaw carries a CVSS 9.3 with a scope change, meaning successful exploitation can extract sensitive database contents and impact resources beyond the vulnerable component. No public exploit identified at time of analysis, but the unauthenticated nature and the visibility of Patchstack-reported WordPress flaws make opportunistic scanning likely.

SQLi Inpost Gallery
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated SQL injection in the WP Review Slider Pro WordPress plugin through version 12.6.8 lets Subscriber-level users append arbitrary SQL via the wpfb_find_reviews AJAX action, enabling extraction of sensitive database contents including user credentials and secrets. The flaw is reachable by any logged-in WordPress account, which on sites with open registration effectively lowers the bar to near-unauthenticated. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

WordPress SQLi Wpreviewslider Com
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

SQL injection in the WP Review Slider Pro WordPress plugin (versions ≤12.6.8) allows authenticated attackers with Subscriber-level access to inject arbitrary SQL via the 'stypes' and 'slocations' JSON parameters of the wppro_get_overall_chart_data AJAX action. Because the vulnerable handler echoes the executed SQL back in its JSON response, attackers gain a built-in oracle that turns blind injection into a near-trivial database extraction primitive. No public exploit identified at time of analysis, but the very low privilege barrier on a default WordPress install makes any exposed site a realistic target.

WordPress SQLi Oracle +1
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the WCMultiShipping WordPress plugin (Mondial Relay & Chronopost for WooCommerce) versions 3.0.2 and earlier allows authenticated users holding only the low-privilege Subscriber role to inject arbitrary SQL into backend queries. The scope-changed CVSS 8.5 reflects high confidentiality impact across security boundaries, and no public exploit identified at time of analysis. Disclosure originates from Patchstack's WordPress vulnerability database.

SQLi Wcmultishipping
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the Taskbuilder WordPress plugin versions 5.0.7 and earlier allows authenticated Subscriber-level users to inject malicious SQL into backend database queries, enabling exposure of sensitive data including credential hashes and limited integrity/availability impact on the underlying WordPress site. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 8.5 driven by a scope change to the database tier; there is no public exploit identified at time of analysis and the issue is not on CISA KEV.

SQLi Taskbuilder
NVD
Prev Page 5 of 169 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy