Vulnerabilities (CVE)

Filtered by CWE-89
Total 15510 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-23779 2025-01-16 N/A 7.6 HIGH
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in web-mv.de ResAds allows SQL Injection.This issue affects ResAds: from n/a through 2.0.5.
CVE-2024-3466 1 Oretnom23 1 Laundry Shop Management System 2025-01-16 5.2 MEDIUM 5.5 MEDIUM
A vulnerability was found in SourceCodester Laundry Management System 1.0. It has been declared as critical. Affected by this vulnerability is the function laporan_filter of the file /application/controller/Pengeluaran.php. The manipulation of the argument dari/sampai leads to sql injection. The associated identifier of this vulnerability is VDB-259747.
CVE-2024-1981 1 Wpvivid 1 Migration\, Backup\, Staging 2025-01-16 N/A 9.8 CRITICAL
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to SQL Injection via the 'table_prefix' parameter in version 0.9.68 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-1982 1 Wpvivid 1 Migration\, Backup\, Staging 2025-01-16 N/A 6.5 MEDIUM
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the get_restore_progress() and restore() functions in all versions up to, and including, 0.9.68. This makes it possible for unauthenticated attackers to exploit a SQL injection vulnerability or trigger a DoS.
CVE-2024-25833 1 F-logic 1 Datacube3 2025-01-16 N/A 9.8 CRITICAL
F-logic DataCube3 v1.0 is vulnerable to unauthenticated SQL injection, which could allow an unauthenticated malicious actor to execute arbitrary SQL queries in database.
CVE-2023-33280 1 Storecommander 1 Quickaccounting 2025-01-16 N/A 9.8 CRITICAL
In the Store Commander scquickaccounting module for PrestaShop through 3.7.3, multiple sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection.
CVE-2023-33279 1 Scfixmyprestashop Project 1 Scfixmyprestashop 2025-01-16 N/A 9.8 CRITICAL
In the Store Commander scfixmyprestashop module through 2023-05-09 for PrestaShop, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection.
CVE-2023-33278 1 Storecommander 1 Customers Export 2025-01-16 N/A 9.8 CRITICAL
In the Store Commander scexportcustomers module for PrestaShop through 3.6.1, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection.
CVE-2024-1776 1 Zestard 1 Admin Side Data Storage For Contact Form 7 2025-01-16 N/A 7.2 HIGH
The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to SQL Injection via the 'form-id' parameter in all versions up to, and including, 1.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-0455 2025-01-16 N/A 9.8 CRITICAL
The airPASS from NetVision Information has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVE-2025-0486 2025-01-15 7.5 HIGH 7.3 HIGH
A vulnerability was found in Fanli2012 native-php-cms 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /fladmin/login.php. The manipulation of the argument username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-4434 1 Thimpress 1 Learnpress 2025-01-15 N/A 9.8 CRITICAL
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the ‘term_id’ parameter in versions up to, and including, 4.2.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-3148 1 Dedecms 1 Dedecms 2025-01-15 6.5 MEDIUM 6.3 MEDIUM
A vulnerability, which was classified as critical, has been found in DedeCMS 5.7.112. This issue affects some unknown processing of the file dede/makehtml_archives_action.php. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-258923. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2015-9452 1 Basixonline 1 Nex-forms 2025-01-15 7.5 HIGH 9.8 CRITICAL
The nex-forms-express-wp-form-builder plugin before 4.6.1 for WordPress has SQL injection via the wp-admin/admin.php?page=nex-forms-main nex_forms_Id parameter.
CVE-2024-1751 1 Themeum 1 Tutor Lms 2025-01-15 N/A 8.8 HIGH
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the question_id parameter in all versions up to, and including, 2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber/student access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2021-44092 1 Code-projects 1 Pharmacy Management 2025-01-15 7.5 HIGH 9.8 CRITICAL
An SQL Injection vulnerability exists in code-projects Pharmacy Management 1.0 via the username parameter in the administer login form.
CVE-2023-33677 1 Oretnom23 1 Lost And Found Information System 2025-01-15 N/A 7.5 HIGH
Sourcecodester Lost and Found Information System's Version 1.0 is vulnerable to unauthenticated SQL Injection at "?page=items/view&id=*".
CVE-2025-22799 2025-01-15 N/A 8.5 HIGH
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Vertim Coders Neon Product Designer allows SQL Injection.This issue affects Neon Product Designer: from n/a through 2.1.1.
CVE-2025-22785 2025-01-15 N/A 9.3 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ComMotion Course Booking System allows SQL Injection.This issue affects Course Booking System: from n/a through 6.0.5.
CVE-2024-29230 1 Synology 2 Diskstation Manager, Surveillance Station 2025-01-14 N/A 5.4 MEDIUM
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in SnapShot.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors.