Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-10628

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-26 Jan, 2025 | 05:24
Updated At-03 Apr, 2025 | 18:38
Rejected At-
Credits

Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Unauthenticated SQL Injection via id

The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: The three variations of this software (Business, Developer, and Agency) share the same plugin slug, so you may get an alert even if you are running the latest version of any of the pieces of software. In these cases it is safe to dismiss the notice once you've confirmed your site is on a patched version of the applicable software.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:26 Jan, 2025 | 05:24
Updated At:03 Apr, 2025 | 18:38
Rejected At:
▼CVE Numbering Authority (CNA)
Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Unauthenticated SQL Injection via id

The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: The three variations of this software (Business, Developer, and Agency) share the same plugin slug, so you may get an alert even if you are running the latest version of any of the pieces of software. In these cases it is safe to dismiss the notice once you've confirmed your site is on a patched version of the applicable software.

Affected Products
Vendor
AYS Pro ExtensionsAYS Pro Plugins
Product
Quiz Maker Business
Default Status
unaffected
Versions
Affected
  • From 7.0.0 through 8.8.0 (semver)
Vendor
AYS Pro ExtensionsAYS Pro Plugins
Product
Quiz Maker Developer
Default Status
unaffected
Versions
Affected
  • From 20.0.0 through 21.8.0 (semver)
Vendor
AYS Pro ExtensionsAYS Pro Plugins
Product
Quiz Maker Agency
Default Status
unaffected
Versions
Affected
  • From 30.0.0 through 31.8.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-89CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Type: CWE
CWE ID: CWE-89
Description: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
abrahack
Timeline
EventDate
Vendor Notified2024-10-31 00:00:00
Disclosed2025-01-25 00:00:00
Event: Vendor Notified
Date: 2024-10-31 00:00:00
Event: Disclosed
Date: 2025-01-25 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/9bd873e5-fd65-48c3-a71d-aaf6d8372606?source=cve
N/A
https://ays-pro.com/wordpress/quiz-maker
N/A
https://ays-pro.com/changelog-for-quiz-maker-pro
N/A
https://abrahack.com/posts/quiz-maker-sqli/
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/9bd873e5-fd65-48c3-a71d-aaf6d8372606?source=cve
Resource: N/A
Hyperlink: https://ays-pro.com/wordpress/quiz-maker
Resource: N/A
Hyperlink: https://ays-pro.com/changelog-for-quiz-maker-pro
Resource: N/A
Hyperlink: https://abrahack.com/posts/quiz-maker-sqli/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://abrahack.com/posts/quiz-maker-sqli/
exploit
Hyperlink: https://abrahack.com/posts/quiz-maker-sqli/
Resource:
exploit
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:26 Jan, 2025 | 06:15
Updated At:05 Jun, 2025 | 14:23

The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: The three variations of this software (Business, Developer, and Agency) share the same plugin slug, so you may get an alert even if you are running the latest version of any of the pieces of software. In these cases it is safe to dismiss the notice once you've confirmed your site is on a patched version of the applicable software.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CPE Matches
AYS Pro Extensions
ays-pro
>>quiz_maker>>Versions from 7.0.0(inclusive) to 8.8.0.100(exclusive)
cpe:2.3:a:ays-pro:quiz_maker:*:*:*:*:*:wordpress:*:*
AYS Pro Extensions
ays-pro
>>quiz_maker>>Versions from 20.0.0(inclusive) to 21.8.0.100(exclusive)
cpe:2.3:a:ays-pro:quiz_maker:*:*:*:*:*:wordpress:*:*
AYS Pro Extensions
ays-pro
>>quiz_maker>>Versions from 30.0.0(inclusive) to 31.8.0.100(exclusive)
cpe:2.3:a:ays-pro:quiz_maker:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-89Secondarysecurity@wordfence.com
CWE-89Primarynvd@nist.gov
CWE ID: CWE-89
Type: Secondary
Source: security@wordfence.com
CWE ID: CWE-89
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://abrahack.com/posts/quiz-maker-sqli/security@wordfence.com
Exploit
Third Party Advisory
https://ays-pro.com/changelog-for-quiz-maker-prosecurity@wordfence.com
Product
https://ays-pro.com/wordpress/quiz-makersecurity@wordfence.com
Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/9bd873e5-fd65-48c3-a71d-aaf6d8372606?source=cvesecurity@wordfence.com
Third Party Advisory
https://abrahack.com/posts/quiz-maker-sqli/134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Third Party Advisory
Hyperlink: https://abrahack.com/posts/quiz-maker-sqli/
Source: security@wordfence.com
Resource:
Exploit
Third Party Advisory
Hyperlink: https://ays-pro.com/changelog-for-quiz-maker-pro
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://ays-pro.com/wordpress/quiz-maker
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/9bd873e5-fd65-48c3-a71d-aaf6d8372606?source=cve
Source: security@wordfence.com
Resource:
Third Party Advisory
Hyperlink: https://abrahack.com/posts/quiz-maker-sqli/
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

638Records found
CVE-2021-24651
Matching Score-10
Assigner-WPScan
ShareView Details
Matching Score-10
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-1.77% / 81.89%
||
7 Day CHG+0.01%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Poll Maker < 3.4.2 - Unauthenticated Time Based SQL Injection

The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hash.

Action-Not Available
Vendor-UnknownAYS Pro Extensions
Product-poll_makerPoll Maker
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE ID-CWE-203
Observable Discrepancy
CVE-2023-34013
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-4.4||MEDIUM
EPSS-0.15% / 36.23%
||
7 Day CHG~0.00%
Published-13 Nov, 2023 | 02:28
Updated-08 Jan, 2025 | 21:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Poll Maker Plugin <= 4.6.2 is vulnerable to Server Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) vulnerability in Poll Maker Team Poll Maker – Best WordPress Poll Plugin.This issue affects Poll Maker – Best WordPress Poll Plugin: from n/a through 4.6.2.

Action-Not Available
Vendor-AYS Pro Extensions
Product-poll_makerPoll Maker – Best WordPress Poll Plugin
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-7713
Matching Score-8
Assigner-WPScan
ShareView Details
Matching Score-8
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-0.30% / 52.87%
||
7 Day CHG+0.07%
Published-27 Sep, 2024 | 06:00
Updated-27 Aug, 2025 | 12:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI Chatbot with ChatGPT by AYS <= 2.0.9 - Unauthenticated OpenAI Key Disclosure

The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 discloses the Open AI API Key, allowing unauthenticated users to obtain it

Action-Not Available
Vendor-UnknownAYS Pro Extensions
Product-chatgpt_assistantAI ChatBot with ChatGPT and Content Generator by AYSai_chatbot_with_chatgpt
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2021-24461
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.53% / 66.35%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FAQ Builder < 1.3.6 - Authenticated Blind SQL Injections

The get_faqs() function in the FAQ Builder AYS WordPress plugin before 1.3.6 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

Action-Not Available
Vendor-AYS Pro Extensions
Product-faq_builderFAQ Builder AYS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24462
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.53% / 66.35%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Photo Gallery by Ays - Responsive Image Gallery < 4.4.4 - Authenticated Blind SQL Injections

The get_gallery_categories() and get_galleries() functions in the Photo Gallery by Ays – Responsive Image Gallery WordPress plugin before 4.4.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

Action-Not Available
Vendor-AYS Pro Extensions
Product-photo_galleryPhoto Gallery by Ays – Responsive Image Gallery
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24456
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-7.2||HIGH
EPSS-0.63% / 69.32%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Quiz Maker < 6.2.0.9 - Multiple Authenticated Blind SQL Injections

The Quiz Maker WordPress plugin before 6.2.0.9 did not properly sanitise and escape the order and orderby parameters before using them in SQL statements, leading to SQL injection issues in the admin dashboard

Action-Not Available
Vendor-AYS Pro Extensions
Product-quiz_makerQuiz Maker
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24483
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-7.2||HIGH
EPSS-0.57% / 67.55%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Poll Maker < 3.2.1 - Authenticated Blind SQL Injections

The get_poll_categories(), get_polls() and get_reports() functions in the Poll Maker WordPress plugin before 3.2.1 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

Action-Not Available
Vendor-AYS Pro Extensions
Product-poll_makerPoll Maker
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24458
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.53% / 66.35%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Popup box < 2.3.4 - Authenticated Blind SQL Injections

The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

Action-Not Available
Vendor-AYS Pro Extensions
Product-popup_boxPopup box
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24931
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-71.97% / 98.68%
||
7 Day CHG~0.00%
Published-06 Dec, 2021 | 15:55
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Secure Copy Content Protection and Content Locking < 2.8.2 - Unauthenticated SQL Injection

The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection.

Action-Not Available
Vendor-UnknownAYS Pro Extensions
Product-secure_copy_content_protection_and_content_lockingSecure Copy Content Protection and Content Locking
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24459
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.53% / 66.35%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Survey Maker < 1.5.6 - Authenticated Blind SQL Injections

The get_results() and get_items() functions in the Survey Maker WordPress plugin before 1.5.6 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

Action-Not Available
Vendor-AYS Pro Extensions
Product-survey_makerSurvey Maker
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-23490
Matching Score-6
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-6
Assigner-Tenable Network Security, Inc.
CVSS Score-8.8||HIGH
EPSS-0.75% / 72.15%
||
7 Day CHG~0.00%
Published-20 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Survey Maker WordPress Plugin, version < 3.1.2, is affected by an authenticated SQL injection vulnerability in the 'surveys_ids' parameter of its 'ays_surveys_export_json' action.

Action-Not Available
Vendor-n/aAYS Pro Extensions
Product-survey_makerSurvey Maker WordPress Plugin
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-10921
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.55% / 66.81%
||
7 Day CHG~0.00%
Published-22 Aug, 2019 | 12:33
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The gallery-photo-gallery plugin before 1.0.1 for WordPress has SQL injection.

Action-Not Available
Vendor-n/aAYS Pro Extensions
Product-photo_galleryn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-26971
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-7.6||HIGH
EPSS-0.06% / 17.25%
||
7 Day CHG~0.00%
Published-25 Feb, 2025 | 14:17
Updated-21 May, 2025 | 17:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Poll Maker <= 5.6.5 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ays-pro Poll Maker allows Blind SQL Injection. This issue affects Poll Maker: from n/a through 5.6.5.

Action-Not Available
Vendor-AYS Pro Extensions
Product-poll_makerPoll Maker
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-9475
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-4.9||MEDIUM
EPSS-0.24% / 47.46%
||
7 Day CHG+0.04%
Published-26 Oct, 2024 | 01:58
Updated-28 May, 2025 | 18:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 5.4.6 - Authenticated (Administrator+) SQL Injection via Order_by Parameter

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the order_by parameter in all versions up to, and including, 5.4.6 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Action-Not Available
Vendor-AYS Pro Extensions
Product-poll_makerPoll Maker – Versus Polls, Anonymous Polls, Image Polls
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-1013
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-56.15% / 98.01%
||
7 Day CHG~0.00%
Published-09 May, 2022 | 16:50
Updated-02 Aug, 2024 | 23:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Personal Dictionary < 1.3.4 - Unauthenticated SQLi

The Personal Dictionary WordPress plugin before 1.3.4 fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to a blind SQL injection vulnerability.

Action-Not Available
Vendor-UnknownAYS Pro Extensions
Product-personal_dictionaryPersonal Dictionary
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-9874
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-4.9||MEDIUM
EPSS-0.39% / 59.50%
||
7 Day CHG+0.10%
Published-09 Nov, 2024 | 06:41
Updated-15 May, 2025 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Poll Maker Plugin <= 5.4.6 - Authenticated (Administrator+) Time-Based SQL Injection

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 5.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Action-Not Available
Vendor-AYS Pro Extensions
Product-poll_makerPoll Maker – Versus Polls, Anonymous Polls, Image Polls
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24460
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.53% / 66.35%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Popup Like box - Page Plugin < 3.5.3 - Authenticated Blind SQL Injections

The get_fb_likeboxes() function in the Popup Like box – Page Plugin WordPress plugin before 3.5.3 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

Action-Not Available
Vendor-AYS Pro Extensions
Product-popup_boxPopup Like box – Page Plugin
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24457
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.53% / 66.35%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Portfolio Responsive Gallery < 1.1.8 - Authenticated Blind SQL Injections

The get_portfolios() and get_portfolio_attributes() functions in the class-portfolio-responsive-gallery-list-table.php and class-portfolio-responsive-gallery-attributes-list-table.php files of the Portfolio Responsive Gallery WordPress plugin before 1.1.8 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

Action-Not Available
Vendor-AYS Pro Extensions
Product-portfolio_responsive_galleryPortfolio Responsive Gallery
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24463
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.53% / 66.35%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Slider by Ays - Responsive Slider and Carousel < 2.5.0 - Authenticated Blind SQL Injection

The get_sliders() function in the Image Slider by Ays- Responsive Slider and Carousel WordPress plugin before 2.5.0 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

Action-Not Available
Vendor-AYS Pro Extensions
Product-image_sliderImage Slider by Ays- Responsive Slider and Carousel
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24484
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-7.2||HIGH
EPSS-0.57% / 67.55%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Secure Copy Content Protection and Content Locking < 2.6.7 - Authenticated Blind SQL Injections

The get_reports() function in the Secure Copy Content Protection and Content Locking WordPress plugin before 2.6.7 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

Action-Not Available
Vendor-AYS Pro Extensions
Product-secure_copy_content_protection_and_content_lockingSecure Copy Content Protection and Content Locking
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-46385
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.44% / 62.27%
||
7 Day CHG~0.00%
Published-26 Jan, 2022 | 18:35
Updated-04 Aug, 2024 | 05:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The component is: net.mingsoft.mdiy.action.FormDataAction#queryData. The attack vector is: 0 or sleep(3). ¶¶ MCMS has a sql injection vulnerability through which attacker can get sensitive information from the database.

Action-Not Available
Vendor-mingsoftn/a
Product-mcmsn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-44866
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.30% / 52.45%
||
7 Day CHG~0.00%
Published-03 Feb, 2022 | 13:19
Updated-04 Aug, 2024 | 04:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Online-Movie-Ticket-Booking-System 1.0. The file about.php does not perform input validation on the 'id' paramter. An attacker can append SQL queries to the input to extract sensitive information from the database.

Action-Not Available
Vendor-n/aProjectworlds
Product-online_movie_ticket_booking_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-44600
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.29% / 52.37%
||
7 Day CHG~0.00%
Published-23 Dec, 2021 | 13:21
Updated-11 Feb, 2025 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The password parameter on Simple Online Mens Salon Management System (MSMS) 1.0 appears to be vulnerable to SQL injection attacks through the password parameter. The predictive tests of this application interacted with that domain, indicating that the injected SQL query was executed. The attacker can retrieve all authentication and information about the users of this system.

Action-Not Available
Vendor-n/aoretnom23
Product-simple_online_men\'s_salon_management_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-44599
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.26% / 49.68%
||
7 Day CHG~0.00%
Published-23 Dec, 2021 | 12:31
Updated-04 Aug, 2024 | 04:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The id parameter from Online Enrollment Management System 1.0 system appears to be vulnerable to SQL injection attacks. A crafted payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can retrieve sensitive information for all users of this system.

Action-Not Available
Vendor-online_enrollment_management_system_projectn/a
Product-online_enrollment_management_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-43010
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.25% / 48.27%
||
7 Day CHG~0.00%
Published-10 May, 2022 | 18:29
Updated-04 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Safedog Apache v4.0.30255, attackers can bypass this product for SQL injection. Attackers can bypass access to sensitive data.

Action-Not Available
Vendor-safedogn/a
Product-safedog_apachen/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2017-20136
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.20% / 42.58%
||
7 Day CHG~0.00%
Published-16 Jul, 2022 | 06:15
Updated-15 Apr, 2025 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Itech Classifieds Script subpage.php sql injection

A vulnerability classified as critical has been found in Itech Classifieds Script 7.27. Affected is an unknown function of the file /subpage.php. The manipulation of the argument scat with the input =51' AND 4941=4941 AND 'hoCP'='hoCP leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-itechscriptsItech
Product-classifieds_scriptClassifieds Script
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-43109
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.31% / 53.47%
||
7 Day CHG~0.00%
Published-29 Mar, 2022 | 17:33
Updated-04 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An SQL Injection vulnerability exits in PuneethReddyHC online-shopping-system as of 11/01/2021 via the p parameter in product.php.

Action-Not Available
Vendor-puneethreddyhc_online-shopping-system_projectn/a
Product-puneethreddyhc_online-shopping-systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-18263
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.25% / 47.73%
||
7 Day CHG~0.00%
Published-03 Nov, 2021 | 17:57
Updated-04 Aug, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHP-CMS v1.0 was discovered to contain a SQL injection vulnerability in the component search.php via the search parameter. This vulnerability allows attackers to access sensitive database information.

Action-Not Available
Vendor-php-cms_projectn/a
Product-php-cmsn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-43091
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.15% / 35.56%
||
7 Day CHG~0.00%
Published-25 Mar, 2022 | 16:14
Updated-04 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An SQL Injection vlnerability exits in Yeswiki doryphore 20211012 via the email parameter in the registration form.

Action-Not Available
Vendor-yeswikin/a
Product-yeswikin/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-41460
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-28.34% / 96.33%
||
7 Day CHG~0.00%
Published-28 Jun, 2022 | 12:28
Updated-04 Aug, 2024 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ECShop 4.1.0 has SQL injection vulnerability, which can be exploited by attackers to obtain sensitive information.

Action-Not Available
Vendor-shopexn/a
Product-ecshopn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-45794
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.23% / 46.05%
||
7 Day CHG~0.00%
Published-17 Mar, 2022 | 11:16
Updated-04 Aug, 2024 | 04:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Slims9 Bulian 9.4.2 is affected by SQL injection in /admin/modules/system/backup.php. User data can be obtained.

Action-Not Available
Vendor-slimsn/a
Product-senayan_library_management_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-40956
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.25% / 48.27%
||
7 Day CHG~0.00%
Published-23 Jun, 2022 | 09:31
Updated-04 Aug, 2024 | 02:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

LaiKetui v3.5.0 has SQL injection in the background through the menu management function, and sensitive data can be obtained.

Action-Not Available
Vendor-laiketuin/a
Product-laiketuin/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-41746
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.26% / 49.68%
||
7 Day CHG~0.00%
Published-29 Oct, 2021 | 17:22
Updated-04 Aug, 2024 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL Injection vulnerability exists in all versions of Yonyou TurboCRM.via the orgcode parameter in changepswd.php. Attackers can use the vulnerabilities to obtain sensitive database information.

Action-Not Available
Vendor-yonyoun/a
Product-turbocrmn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-40635
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.38% / 58.86%
||
7 Day CHG+0.02%
Published-03 Mar, 2022 | 13:25
Updated-04 Aug, 2024 | 02:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS4ED openSIS 8.0 is affected by SQL injection in ChooseCpSearch.php, ChooseRequestSearch.php. An attacker can inject a SQL query to extract information from the database.

Action-Not Available
Vendor-os4edn/a
Product-opensisn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-41648
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-63.23% / 98.33%
||
7 Day CHG~0.00%
Published-01 Oct, 2021 | 13:53
Updated-04 Aug, 2024 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /action.php prId parameter. Using a post request does not sanitize the user input.

Action-Not Available
Vendor-online-shopping-system-advanced_projectn/a
Product-online-shopping-system-advancedn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-41920
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.59% / 85.00%
||
7 Day CHG~0.00%
Published-08 Oct, 2021 | 15:37
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

webTareas version 2.4 and earlier allows an unauthenticated user to perform Time and Boolean-based blind SQL Injection on the endpoint /includes/library.php, via the sor_cible, sor_champs, and sor_ordre HTTP POST parameters. This allows an attacker to access all the data in the database and obtain access to the webTareas application.

Action-Not Available
Vendor-webtareas_projectn/a
Product-webtareasn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-4443
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-93.59% / 99.83%
||
7 Day CHG~0.00%
Published-22 May, 2024 | 05:32
Updated-07 Jul, 2025 | 13:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Business Directory Plugin – Easy Listing Directories for WordPress <= 6.4.2 - Unauthenticated SQL Injection via listingfields Parameter

The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘listingfields’ parameter in all versions up to, and including, 6.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Action-Not Available
Vendor-Strategy11
Product-business_directoryBusiness Directory Plugin – Easy Listing Directories for WordPress
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-39978
Matching Score-4
Assigner-Huawei Technologies
ShareView Details
Matching Score-4
Assigner-Huawei Technologies
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.28%
||
7 Day CHG~0.00%
Published-03 Jan, 2022 | 21:07
Updated-04 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Telephony application has a SQL Injection vulnerability.Successful exploitation of this vulnerability may cause privacy and security issues.

Action-Not Available
Vendor-Huawei Technologies Co., Ltd.
Product-harmonyosHarmonyOS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-42760
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.13% / 32.82%
||
7 Day CHG~0.00%
Published-11 Sep, 2024 | 00:00
Updated-10 Jul, 2025 | 13:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL Injection vulnerability in Ellevo v.6.2.0.38160 allows a remote attacker to obtain sensitive information via the /api/mob/instrucao/conta/destinatarios component.

Action-Not Available
Vendor-ellevon/aellevo
Product-ellevon/aellevo
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-38324
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.2||HIGH
EPSS-0.51% / 65.59%
||
7 Day CHG~0.00%
Published-09 Sep, 2021 | 18:09
Updated-05 May, 2025 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SP Rental Manager <= 1.5.3 Unauthenticated SQL Injection

The SP Rental Manager WordPress plugin is vulnerable to SQL Injection via the orderby parameter found in the ~/user/shortcodes.php file which allows attackers to retrieve information contained in a site's database, in versions up to and including 1.5.3.

Action-Not Available
Vendor-smartypantspluginsSP Rental Manager
Product-sp_rental_managerSP Rental Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-51165
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.16% / 37.23%
||
7 Day CHG+0.02%
Published-10 Dec, 2024 | 00:00
Updated-24 Jun, 2025 | 00:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in JEPAAS7.2.8, via /je/rbac/rbac/loadLoginCount in the dateVal parameter, which could allow a remote user to submit a specially crafted query, allowing an attacker to retrieve all the information stored in the DB.

Action-Not Available
Vendor-ketrn/a
Product-jepaasn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-38239
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.24% / 46.84%
||
7 Day CHG~0.00%
Published-15 Feb, 2023 | 00:00
Updated-20 Mar, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL Injection vulnerability in dataease before 1.2.0, allows attackers to gain sensitive information via the orders parameter to /api/sys_msg/list/1/10.

Action-Not Available
Vendor-n/aDataEase (FIT2CLOUD Inc.)
Product-dataeasen/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-42361
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.55% / 66.96%
||
7 Day CHG~0.00%
Published-20 Aug, 2024 | 20:56
Updated-03 Sep, 2024 | 14:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GHSL-2023-256: HertzBeat Authenticated (guest role) SQL injection in /api/monitor/{monitorId}/metric/{metricFull}

Hertzbeat is an open source, real-time monitoring system. Hertzbeat 1.6.0 and earlier declares a /api/monitor/{monitorId}/metric/{metricFull} endpoint to download job metrics. In the process, it executes a SQL query with user-controlled data, allowing for SQL injection.

Action-Not Available
Vendor-The Apache Software Foundation
Product-hertzbeatHertzBeathertzbeat
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-37316
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.06% / 19.68%
||
7 Day CHG~0.00%
Published-03 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in Cloud Disk in ASUS RT-AC68U router firmware version before 3.0.0.4.386.41634 allows remote attackers to view sensitive information via /etc/shadow.

Action-Not Available
Vendor-n/aASUS (ASUSTeK Computer Inc.)
Product-rt-ac68urt-ac68u_firmwaren/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-4069
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.04% / 10.97%
||
7 Day CHG~0.00%
Published-23 Apr, 2024 | 21:31
Updated-05 Mar, 2025 | 18:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kashipara Online Furniture Shopping Ecommerce Website search.php sql injection

A vulnerability, which was classified as critical, was found in Kashipara Online Furniture Shopping Ecommerce Website 1.0. This affects an unknown part of the file search.php. The manipulation of the argument txtSearch leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-261795.

Action-Not Available
Vendor-aditya88Kashipara Group
Product-online_furniture_shopping_ecommerce_websiteOnline Furniture Shopping Ecommerce Websitee-commerce_management_software
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-36520
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.12% / 31.89%
||
7 Day CHG~0.00%
Published-16 Apr, 2023 | 00:00
Updated-06 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection vulnerability in I-Tech Trainsmart r1044 exists via a evaluation/assign-evaluation?id= URI.

Action-Not Available
Vendor-washingtonn/a
Product-i-tech_trainsmartn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-39027
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.10% / 28.77%
||
7 Day CHG~0.00%
Published-05 Jul, 2024 | 00:00
Updated-20 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SeaCMS v12.9 has an unauthorized SQL injection vulnerability. The vulnerability is caused by the SQL injection through the cid parameter at /js/player/dmplayer/dmku/index.php?ac=edit, which can cause sensitive database information to be leaked.

Action-Not Available
Vendor-seacmsn/aseacms
Product-seacmsn/aseacms
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-36432
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.06% / 18.31%
||
7 Day CHG~0.00%
Published-03 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in jocms 0.8 allows remote attackers to run arbitrary SQL commands and view sentivie information via jo_set_mask() function in jocms/apps/mask/mask.php.

Action-Not Available
Vendor-jocms_projectn/a
Product-jocmsn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-37843
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-87.25% / 99.41%
||
7 Day CHG~0.00%
Published-25 Jun, 2024 | 00:00
Updated-02 Aug, 2024 | 03:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.

Action-Not Available
Vendor-craftcmsn/acraftcms
Product-craft_cmsn/acraft_cms
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-34117
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.79% / 72.97%
||
7 Day CHG~0.00%
Published-15 Feb, 2023 | 00:00
Updated-20 Mar, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL Injection vulnerability in SEO Panel 4.9.0 in api/user.api.php in function getUserName in the username parameter, allows attackers to gain sensitive information.

Action-Not Available
Vendor-seopaneln/a
Product-seo_paneln/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 12
  • 13
  • Next
Details not found