Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-31212

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-31 Oct, 2023 | 14:04
Updated At-28 Apr, 2026 | 16:08
Rejected At-
Credits

WordPress Contact Form Entries Plugin <= 1.3.0 is vulnerable to SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks Database for Contact Form 7, WPforms, Elementor forms contact-form-entries allows SQL Injection.This issue affects Database for Contact Form 7, WPforms, Elementor forms: from n/a through 1.3.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:31 Oct, 2023 | 14:04
Updated At:28 Apr, 2026 | 16:08
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress Contact Form Entries Plugin <= 1.3.0 is vulnerable to SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks Database for Contact Form 7, WPforms, Elementor forms contact-form-entries allows SQL Injection.This issue affects Database for Contact Form 7, WPforms, Elementor forms: from n/a through 1.3.0.

Affected Products
Vendor
CRM Perks
Product
Database for Contact Form 7, WPforms, Elementor forms
Collection URL
https://wordpress.org/plugins
Package Name
contact-form-entries
Default Status
unaffected
Versions
Affected
  • From n/a through 1.3.0 (custom)
    • -> unaffectedfrom1.3.1
Problem Types
TypeCWE IDDescription
CWECWE-89CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Type: CWE
CWE ID: CWE-89
Description: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
VersionBase scoreBase severityVector
3.18.5HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Version: 3.1
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-66CAPEC-66 SQL Injection
CAPEC ID: CAPEC-66
Description: CAPEC-66 SQL Injection
Solutions

Update to 1.3.1 or a higher version.

Configurations

Workarounds

Exploits

Credits

finder
Rafie Muhammad (Patchstack)
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://patchstack.com/database/vulnerability/contact-form-entries/wordpress-contact-form-entries-plugin-1-3-0-auth-sql-injection-sqli-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/vulnerability/contact-form-entries/wordpress-contact-form-entries-plugin-1-3-0-auth-sql-injection-sqli-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://patchstack.com/database/vulnerability/contact-form-entries/wordpress-contact-form-entries-plugin-1-3-0-auth-sql-injection-sqli-vulnerability?_s_id=cve
vdb-entry
x_transferred
Hyperlink: https://patchstack.com/database/vulnerability/contact-form-entries/wordpress-contact-form-entries-plugin-1-3-0-auth-sql-injection-sqli-vulnerability?_s_id=cve
Resource:
vdb-entry
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Vendor
crmperks
Product
database_for_contact_form_7\,_wpforms\,_elementor_forms
CPEs
  • cpe:2.3:a:crmperks:database_for_contact_form_7\,_wpforms\,_elementor_forms:*:*:*:*:*:wordpress:*:*
Default Status
unknown
Versions
Affected
  • From 0 through 1.3.0 (custom)
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:31 Oct, 2023 | 15:15
Updated At:28 Apr, 2026 | 13:16

A vulnerability in CRM Perks Contact Form Entries contact-form-entries.This issue affects Contact Form Entries: from n/a through <= 1.3.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.5HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches

crmperks
crmperks
>>database_for_contact_form_7\,_wpforms\,_elementor_forms>>Versions up to 1.3.0(inclusive)
cpe:2.3:a:crmperks:database_for_contact_form_7\,_wpforms\,_elementor_forms:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-89Secondaryaudit@patchstack.com
CWE ID: CWE-89
Type: Secondary
Source: audit@patchstack.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://patchstack.com/database/Wordpress/Plugin/contact-form-entries/vulnerability/wordpress-contact-form-entries-plugin-1-3-0-auth-sql-injection-sqli-vulnerability?_s_id=cveaudit@patchstack.com
N/A
https://patchstack.com/database/vulnerability/contact-form-entries/wordpress-contact-form-entries-plugin-1-3-0-auth-sql-injection-sqli-vulnerability?_s_id=cveaf854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Hyperlink: https://patchstack.com/database/Wordpress/Plugin/contact-form-entries/vulnerability/wordpress-contact-form-entries-plugin-1-3-0-auth-sql-injection-sqli-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource: N/A
Hyperlink: https://patchstack.com/database/vulnerability/contact-form-entries/wordpress-contact-form-entries-plugin-1-3-0-auth-sql-injection-sqli-vulnerability?_s_id=cve
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

6440Records found

CVE-2024-30499
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-8.5||HIGH
EPSS-0.58% / 43.31%
||
7 Day CHG~0.00%
Published-29 Mar, 2024 | 14:01
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CRM Perks Forms plugin <= 1.1.4 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks CRM Perks Forms.This issue affects CRM Perks Forms: from n/a through 1.1.4.

Action-Not Available
Vendor-crmperksCRM Perks
Product-crm_perks_formsCRM Perks Forms
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-9691
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.48% / 37.69%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:17
Updated-16 Jun, 2026 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions.

Action-Not Available
Vendor-CRM Perks
Product-Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-49763
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 30.26%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:19
Updated-15 Jun, 2026 | 21:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Integration for Contact Form 7 HubSpot plugin <= 1.3.7 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions.

Action-Not Available
Vendor-CRM Perks
Product-Integration for Contact Form 7 HubSpot
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-49765
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 30.26%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:19
Updated-16 Jun, 2026 | 12:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.8 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions.

Action-Not Available
Vendor-CRM Perks
Product-Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-49106
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 30.26%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:19
Updated-16 Jun, 2026 | 12:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Integration for Contact Form 7 and Constant Contact plugin <= 1.1.6 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions.

Action-Not Available
Vendor-CRM Perks
Product-Integration for Contact Form 7 and Constant Contact
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-49104
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.48% / 37.69%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:19
Updated-16 Jun, 2026 | 12:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.2.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 versions.

Action-Not Available
Vendor-CRM Perks
Product-Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-49085
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.48% / 37.69%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:19
Updated-16 Jun, 2026 | 01:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.

Action-Not Available
Vendor-CRM Perks
Product-WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-49105
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.48% / 37.69%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:19
Updated-15 Jun, 2026 | 21:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.

Action-Not Available
Vendor-CRM Perks
Product-WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-2599
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.52% / 40.25%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 12:26
Updated-22 Apr, 2026 | 21:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 - Unauthenticated PHP Object Injection via 'download_csv'

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Action-Not Available
Vendor-crmperks
Product-Database for Contact Form 7, WPforms, Elementor forms
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60180
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.59%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-28 Apr, 2026 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Gravity Forms Salesforce plugin <= 1.5.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Salesforce gf-salesforce-crmperks allows Object Injection.This issue affects WP Gravity Forms Salesforce: from n/a through <= 1.5.1.

Action-Not Available
Vendor-crmperksCRM Perks
Product-wp_gravity_forms_salesforceWP Gravity Forms Salesforce
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60209
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 40.82%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 18:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Connector for Gravity Forms and Google Sheets plugin <= 1.2.6 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks Connector for Gravity Forms and Google Sheets wp-gravity-forms-spreadsheets allows Object Injection.This issue affects Connector for Gravity Forms and Google Sheets: from n/a through <= 1.2.6.

Action-Not Available
Vendor-CRM Perks
Product-Connector for Gravity Forms and Google Sheets
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60091
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.59%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-28 Apr, 2026 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Gravity Forms Zoho CRM and Bigin plugin <= 1.2.9 - Deserialization of untrusted data vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Zoho CRM and Bigin gf-zoho allows Object Injection.This issue affects WP Gravity Forms Zoho CRM and Bigin: from n/a through <= 1.2.9.

Action-Not Available
Vendor-crmperksCRM Perks
Product-wp_gravity_forms_zoho_crm_and_biginWP Gravity Forms Zoho CRM and Bigin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60090
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.59%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-28 Apr, 2026 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Gravity Forms Insightly plugin <= 1.1.6 - Deserialization of untrusted data vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Insightly gf-insightly allows Object Injection.This issue affects WP Gravity Forms Insightly: from n/a through <= 1.1.6.

Action-Not Available
Vendor-crmperksCRM Perks
Product-wp_gravity_forms_insightlyWP Gravity Forms Insightly
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-7697
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-1.05% / 60.25%
||
7 Day CHG~0.00%
Published-19 Jul, 2025 | 04:23
Updated-08 Apr, 2026 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 - Unauthenticated PHP Object Injection via verify_field_val Function

The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.

Action-Not Available
Vendor-crmperks
Product-Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-37463
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.44% / 35.61%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CRM Perks Forms plugin <= 1.1.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in CRM Perks CRM Perks Forms allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects CRM Perks Forms: from n/a through 1.1.5.

Action-Not Available
Vendor-crmperksCRM Perkscrmperks
Product-crm_perks_formsCRM Perks Formscrm_perks_forms
CWE ID-CWE-862
Missing Authorization
CVE-2025-7384
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-1.59% / 72.66%
||
7 Day CHG~0.00%
Published-13 Aug, 2025 | 04:22
Updated-08 Apr, 2026 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Database for Contact Form 7, WPforms, Elementor forms <= 1.4.3 - Unauthenticated PHP Object Injection to Arbitrary File Deletion

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.

Action-Not Available
Vendor-crmperks
Product-Database for Contact Form 7, WPforms, Elementor forms
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-7696
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-1.03% / 59.62%
||
7 Day CHG~0.00%
Published-19 Jul, 2025 | 04:23
Updated-08 Apr, 2026 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.3 - Unauthenticated PHP Object Injection via verify_field_val Function

The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.

Action-Not Available
Vendor-crmperks
Product-Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60089
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.59%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-28 Apr, 2026 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Gravity Forms FreshDesk plugin plugin <= 1.3.5 - Deserialization of untrusted data vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Object Injection.This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5.

Action-Not Available
Vendor-crmperksCRM Perks
Product-wp_gravity_forms_freshdesk_pluginWP Gravity Forms FreshDesk Plugin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60178
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.59%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-28 Apr, 2026 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Gravity Forms HubSpot plugin <= 1.2.6 - Deserialization of untrusted data vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms HubSpot gf-hubspot allows Object Injection.This issue affects WP Gravity Forms HubSpot: from n/a through <= 1.2.6.

Action-Not Available
Vendor-crmperksCRM Perks
Product-wp_gravity_forms_hubspotWP Gravity Forms HubSpot
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-60174
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 30.59%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-28 Apr, 2026 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Gravity Forms Constant Contact plugin plugin <= 1.1.2 - Deserialization of untrusted data vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Constant Contact Plugin gf-constant-contact allows Object Injection.This issue affects WP Gravity Forms Constant Contact Plugin: from n/a through <= 1.1.2.

Action-Not Available
Vendor-crmperksCRM Perks
Product-wp_gravity_forms_constant_contact_pluginWP Gravity Forms Constant Contact Plugin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-58636
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 32.82%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 15:54
Updated-28 Apr, 2026 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Gravity Forms Keap/Infusionsoft Plugin <= 1.2.3 - Deserialization of untrusted data Vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Keap/Infusionsoft gf-infusionsoft allows Object Injection.This issue affects WP Gravity Forms Keap/Infusionsoft: from n/a through <= 1.2.3.

Action-Not Available
Vendor-CRM Perks
Product-WP Gravity Forms Keap/Infusionsoft
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-49330
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 39.65%
||
7 Day CHG~0.00%
Published-17 Jun, 2025 | 15:01
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Integration for Contact Form 7 and Zoho CRM, Bigin plugin <= 1.3.0 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin cf7-zoho allows Object Injection.This issue affects Integration for Contact Form 7 and Zoho CRM, Bigin: from n/a through <= 1.3.0.

Action-Not Available
Vendor-CRM Perks
Product-Integration for Contact Form 7 and Zoho CRM, Bigin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-68590
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-7.6||HIGH
EPSS-0.29% / 20.26%
||
7 Day CHG~0.00%
Published-24 Dec, 2025 | 13:10
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Integration for Contact Form 7 HubSpot plugin <= 1.4.2 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Blind SQL Injection.This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.2.

Action-Not Available
Vendor-CRM Perks
Product-Integration for Contact Form 7 HubSpot
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-2527
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.44% / 35.32%
||
7 Day CHG~0.00%
Published-19 Jun, 2023 | 10:52
Updated-12 Dec, 2024 | 01:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Integration for Contact Form 7 and Zoho CRM, Bigin < 1.2.4 - Admin+ SQLi

The Integration for Contact Form 7 and Zoho CRM, Bigin WordPress plugin before 1.2.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Action-Not Available
Vendor-crmperksUnknown
Product-integration_for_contact_form_7_and_zoho_crm\,_biginIntegration for Contact Form 7 and Zoho CRM, Bigin
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-30498
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-9.3||CRITICAL
EPSS-2.27% / 80.89%
||
7 Day CHG~0.00%
Published-29 Mar, 2024 | 14:00
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CRM Perks Forms plugin <= 1.1.4 - Unauthenticated SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks CRM Perks Forms.This issue affects CRM Perks Forms: from n/a through 1.1.4.

Action-Not Available
Vendor-crmperksCRM Perkscrmperks
Product-crm_perks_formsCRM Perks Formscrm_perks_forms
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-20447
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.99% / 78.18%
||
7 Day CHG~0.00%
Published-05 Feb, 2020 | 19:22
Updated-05 Aug, 2024 | 02:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jobberbase 2.0 has SQL injection via the PATH_INFO to the jobs-in endpoint.

Action-Not Available
Vendor-jobberbasen/a
Product-jobberbasen/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-11000
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.13% / 79.75%
||
7 Day CHG~0.00%
Published-20 Sep, 2019 | 14:32
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The wp-ultimate-exporter plugin through 1.1 for WordPress has SQL injection via the export_type_name parameter.

Action-Not Available
Vendor-smackcodersn/a
Product-ultimate_exportern/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-26171
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.26% / 65.88%
||
7 Day CHG~0.00%
Published-02 Mar, 2022 | 22:39
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Bank Management System v1.o was discovered to contain a SQL injection vulnerability via the email parameter.

Action-Not Available
Vendor-bank_management_system_projectn/a
Product-bank_management_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4314
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.48% / 37.83%
||
7 Day CHG~0.00%
Published-06 May, 2025 | 04:31
Updated-14 May, 2025 | 20:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Advanced Web Store index.php sql injection

A vulnerability has been found in SourceCodester Advanced Web Store 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/index.php. The manipulation of the argument txtLogin leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-donbermoySourceCodester
Product-advanced_web_storeAdvanced Web Store
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-20896
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.99% / 58.21%
||
7 Day CHG~0.00%
Published-07 Jul, 2020 | 18:11
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WebChess 1.0 allows SQL injection via the messageFrom, gameID, opponent, messageID, or to parameter.

Action-Not Available
Vendor-webchess_projectn/a
Product-webchessn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-45074
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.5||HIGH
EPSS-0.55% / 41.92%
||
7 Day CHG~0.00%
Published-06 Nov, 2023 | 08:35
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Advanced Page Visit Counter Plugin <= 7.1.1 is vulnerable to SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Page Visit Counter Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress allows SQL Injection.This issue affects Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress: from n/a through 7.1.1.

Action-Not Available
Vendor-pagevisitcounterPage Visit Counter
Product-advanced_page_visit_counterAdvanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-44755
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.46% / 36.38%
||
7 Day CHG~0.00%
Published-22 Apr, 2025 | 00:00
Updated-19 Jun, 2025 | 00:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sacco Management system v1.0 was discovered to contain a SQL injection vulnerability via the password parameter at /sacco/ajax.php.

Action-Not Available
Vendor-n/amayuri_k
Product-sacco_management_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4262
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 33.04%
||
7 Day CHG~0.00%
Published-05 May, 2025 | 03:31
Updated-07 May, 2025 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Online DJ Booking Management System user-search.php sql injection

A vulnerability was found in PHPGurukul Online DJ Booking Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/user-search.php. The manipulation of the argument searchdata leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-online_dj_booking_management_systemOnline DJ Booking Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4312
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.48% / 37.83%
||
7 Day CHG~0.00%
Published-06 May, 2025 | 04:00
Updated-14 May, 2025 | 20:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Advanced Web Store productdetail.php sql injection

A vulnerability, which was classified as critical, has been found in SourceCodester Advanced Web Store 1.0. This issue affects some unknown processing of the file /productdetail.php. The manipulation of the argument prodid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-donbermoySourceCodester
Product-advanced_web_storeAdvanced Web Store
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-45111
Matching Score-4
Assigner-Fluid Attacks
ShareView Details
Matching Score-4
Assigner-Fluid Attacks
CVSS Score-9.8||CRITICAL
EPSS-0.70% / 48.60%
||
7 Day CHG~0.00%
Published-02 Nov, 2023 | 01:42
Updated-05 Sep, 2024 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Online Examination System v1.0 - Multiple Unauthenticated SQL Injections (SQLi)

Online Examination System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'email' parameter of the feed.php resource does not validate the characters received and they are sent unfiltered to the database.

Action-Not Available
Vendor-razormistProjectworlds
Product-online_examination_systemOnline Examination System
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-43986
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.52% / 40.22%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 00:00
Updated-12 Sep, 2024 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DM Concept configurator before v4.9.4 was discovered to contain a SQL injection vulnerability via the component ConfiguratorAttachment::getAttachmentByToken.

Action-Not Available
Vendor-dmconceptn/a
Product-configuratorn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-4440
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.60% / 44.16%
||
7 Day CHG~0.00%
Published-20 Aug, 2023 | 23:00
Updated-02 Aug, 2024 | 07:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Free Hospital Management System for Small Practices appointment.php sql injection

A vulnerability was found in SourceCodester Free Hospital Management System for Small Practices 1.0. It has been classified as critical. This affects an unknown part of the file appointment.php. The manipulation of the argument sheduledate leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-237561 was assigned to this vulnerability.

Action-Not Available
Vendor-free_hospital_management_system_for_small_practices_projectSourceCodester
Product-free_hospital_management_system_for_small_practicesFree Hospital Management System for Small Practices
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-44694
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.69% / 48.15%
||
7 Day CHG~0.00%
Published-17 Oct, 2023 | 00:00
Updated-16 Sep, 2024 | 17:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link Online behavior audit gateway DAR-7000 V31R02B1413C is vulnerable to SQL Injection via /log/mailrecvview.php.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dar-7000_firmwaredar-7000n/adar-7000
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4266
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 33.04%
||
7 Day CHG~0.00%
Published-05 May, 2025 | 05:31
Updated-07 May, 2025 | 16:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Notice Board System bwdates-reports-details.php sql injection

A vulnerability, which was classified as critical, has been found in PHPGurukul Notice Board System 1.0. Affected by this issue is some unknown functionality of the file /bwdates-reports-details.php?vid=2. The manipulation of the argument fromdate/tomdate leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-anujk305PHPGurukul LLP
Product-notice_board_systemNotice Board System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4176
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.50% / 38.99%
||
7 Day CHG+0.02%
Published-01 May, 2025 | 21:31
Updated-09 May, 2025 | 13:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Blood Bank & Donor Management System request-received-bydonar.php sql injection

A vulnerability has been found in PHPGurukul Blood Bank & Donor Management System 2.4 and classified as critical. This vulnerability affects unknown code of the file /admin/request-received-bydonar.php. The manipulation of the argument searchdata leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-blood_bank_\&_donor_management_systemBlood Bank & Donor Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4331
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.48% / 37.83%
||
7 Day CHG~0.00%
Published-06 May, 2025 | 07:31
Updated-27 Sep, 2025 | 00:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Online Student Clearance System login.php sql injection

A vulnerability classified as critical was found in SourceCodester Online Student Clearance System 1.0. This vulnerability affects unknown code of the file /Admin/login.php. The manipulation of the argument id/username/password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Senior WalterSourceCodester
Product-online_student_clearance_systemOnline Student Clearance System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-25880
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-1.17% / 63.63%
||
7 Day CHG~0.00%
Published-29 Mar, 2022 | 16:37
Updated-16 Apr, 2025 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Delta Electronics DIAEnergie SQL Injection in DIAE_hierarchyHandler.ashx

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerTag_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.

Action-Not Available
Vendor-Delta Electronics, Inc.
Product-diaenergieDIAEnergie
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-10942
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.99% / 78.18%
||
7 Day CHG~0.00%
Published-13 Sep, 2019 | 11:53
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has SQL injection via the insert_id parameter exploitable via CSRF.

Action-Not Available
Vendor-podloven/a
Product-podlove_podcast_publishern/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-2676
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.61% / 44.96%
||
7 Day CHG~0.00%
Published-05 Aug, 2022 | 20:20
Updated-15 Apr, 2025 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Electronic Medical Records System POST Request sql injection

A vulnerability was found in SourceCodester Electronic Medical Records System and classified as critical. Affected by this issue is some unknown functionality of the component POST Request Handler. The manipulation of the argument user_email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-205664.

Action-Not Available
Vendor-electronic_medical_records_system_projectSourceCodester
Product-electronic_medical_records_systemElectronic Medical Records System
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-25132
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.55% / 72.12%
||
7 Day CHG~0.00%
Published-25 Sep, 2020 | 14:03
Updated-04 Aug, 2024 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. Sending the improper variable type Array allows a bypass of core SQL Injection sanitization. Users are able to inject malicious statements in multiple functions. This vulnerability leads to full authentication bypass: any unauthorized user with access to the application is able to exploit this vulnerability. This can occur via the Cookie header to the default URI, within includes/authenticate.inc.php.

Action-Not Available
Vendor-observiumn/a
Product-observiumn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2005-4891
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.76% / 75.20%
||
7 Day CHG~0.00%
Published-15 Jan, 2020 | 16:09
Updated-08 Aug, 2024 | 00:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Simple Machine Forum (SMF) versions 1.0.4 and earlier have an SQL injection vulnerability that allows remote attackers to inject arbitrary SQL statements.

Action-Not Available
Vendor-simplemachinesSimple Machine Forum
Product-simple_machine_forumSimple Machine Forum
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-41375
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-9.3||CRITICAL
EPSS-0.63% / 45.68%
||
7 Day CHG+0.04%
Published-01 Aug, 2025 | 12:29
Updated-30 Jan, 2026 | 21:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL Injection in Limesurvey

SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database via 'token' parameter in '/index.php' endpoint.

Action-Not Available
Vendor-limesurveyLimeSurvey
Product-limesurveyLimeSurvey
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-26349
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-1.17% / 63.63%
||
7 Day CHG~0.00%
Published-29 Mar, 2022 | 16:37
Updated-16 Apr, 2025 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Delta Electronics DIAEnergie SQL Injection in DIAE_eccoefficientHandler.ashx

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_eccoefficientHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.

Action-Not Available
Vendor-Delta Electronics, Inc.
Product-diaenergieDIAEnergie
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4213
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.28% / 19.48%
||
7 Day CHG+0.01%
Published-02 May, 2025 | 18:00
Updated-28 May, 2025 | 20:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Online Birth Certificate System search.php sql injection

A vulnerability has been found in PHPGurukul Online Birth Certificate System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/search.php. The manipulation of the argument searchdata leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-online_birth_certificate_systemOnline Birth Certificate System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-11024
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.36% / 68.45%
||
7 Day CHG~0.00%
Published-30 Mar, 2020 | 19:41
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

odata4j 0.7.0 allows ExecuteJPQLQueryCommand.java SQL injection. NOTE: this product is apparently discontinued.

Action-Not Available
Vendor-odata4j_projectn/a
Product-odata4jn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 128
  • 129
  • Next
Details not found