| CVE | Vendors | Products | Updated | CVSS v3.1 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection. This issue affects The Events Calendar: from 6.15.12 through 6.16.2. |
| A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL Injection allows for arbitrary file reading on the system, potentially exposing sensitive information such as Kubernetes service account tokens and other credentials, which could lead to a full compromise of the SaaS environment. |
| Unauthenticated SQL Injection in GeoDirectory <= 2.8.152 versions. |
| Unauthenticated SQL Injection in WPGraphQL < 2.11.1 versions. |
| The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to, and including, 12.6.8. This is due to the handler reading $_POST['curselrevs'] raw with no sanitization or type casting, then concatenating each array element directly into a `WHERE id IN ( ... )` clause without quoting and executing via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. |
| Unauthenticated SQL Injection in SpeakOut! Email Petitions <= 4.6.5 versions. |
| Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free <= 5.3 versions. |
| Unauthenticated SQL Injection in GeekyBot <= 1.2.0 versions. |
| Unauthenticated SQL Injection in Simply Schedule Appointments <= 1.6.9.27 versions. |
| Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions. |
| Unauthenticated SQL Injection in Contest Gallery <= 28.1.6 versions. |
| Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions. |
| Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions. |
| Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions. |
| An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. |
| Subscriber SQL Injection in WP Time Slots Booking Form <= 1.2.50 versions. |
| Subscriber SQL Injection in ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.6 versions. |
| Subscriber SQL Injection in Taskbuilder <= 5.0.7 versions. |
| Unauthenticated SQL Injection in Order Delivery Date for WooCommerce <= 4.5.1 versions. |
| Unauthenticated SQL Injection in GD Rating System <= 3.6.2 versions. |