CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,861 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 130 of 378
- CVE-2021-24860HIGHCVSS 7.2EG 7.22021-11-29
The BSK PDF Manager WordPress plugin before 3.1.2 does not validate and escape the orderby and order parameters before using them in a SQL statement, leading to a SQL injection issue
- CVE-2021-24861HIGHCVSS 7.2EG 7.22021-12-13
The Quotes Collection WordPress plugin through 2.5.2 does not validate and escape the bulkcheck parameter before using it in a SQL statement, leading to a SQL injection
- CVE-2021-24862HIGHCVSS 7.2EG 7.22022-01-10
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue
- CVE-2021-24863CRITICALCVSS 9.8EG 9.82021-12-13
The WP Block and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection Plugin StopBadBots WordPress plugin before 6.67 does not sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL inject…
- CVE-2021-24864HIGHCVSS 8.8EG 8.82022-02-28
The WP Cloudy, weather plugin WordPress plugin before 4.4.9 does not escape the post_id parameter before using it in a SQL statement in the admin dashboard, leading to a SQL Injection issue
- CVE-2021-24865HIGHCVSS 7.2EG 7.22022-01-24
The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue
- CVE-2021-24866CRITICALCVSS 9.8EG 9.82021-12-06
The WP Data Access WordPress plugin before 5.0.0 does not properly sanitise and escape the backup_date parameter before using it a SQL statement, leading to a SQL injection issue and could allow arbitrary table deletion
- CVE-2021-24869HIGHCVSS 8.8EG 8.82024-01-16
The WP Fastest Cache WordPress plugin before 0.9.5 does not escape user input in the set_urls_with_terms method before using it in a SQL statement, leading to an SQL injection exploitable by low privilege users such as subscriber
- CVE-2021-24877HIGHCVSS 7.2EG 7.22021-11-23
The MainWP Child WordPress plugin before 4.1.8 does not validate the orderby and order parameter before using them in a SQL statement, leading to an SQL injection exploitable by high privilege users such as admin when the Backup and Stagin…
- CVE-2021-24889HIGHCVSS 7.2EG 7.22021-11-29
The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injections attacks
- CVE-2021-24915CRITICALCVSS 9.8EG 9.82021-11-29
The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which c…
- CVE-2021-24919HIGHCVSS 8.8EG 8.82022-02-01
The Wicked Folders WordPress plugin before 2.8.10 does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, available to any authenticated user. leading to an…
- CVE-2021-24928MEDIUMCVSS 6.5EG 6.52022-02-07
The Rearrange Woocommerce Products WordPress plugin before 3.0.8 does not have proper access controls in the save_all_order AJAX action, nor validation and escaping when inserting user data in SQL statement, leading to an SQL injection, an…
- CVE-2021-24931CRITICALCVSS 9.8EG 9.82021-12-06
The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before u…
- CVE-2021-24943CRITICALCVSS 9.8EG 9.82021-12-06
The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a…
- CVE-2021-24946CRITICALCVSS 9.8EG 9.82021-12-13
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an una…
- CVE-2021-24949CRITICALCVSS 9.8EG 9.82022-01-10
The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection
- CVE-2021-24951CRITICALCVSS 9.8EG 9.82021-12-13
The LearnPress WordPress plugin before 4.1.4 does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating course/lesson/quiz/question, leading to SQL Injections issues
- CVE-2021-24952HIGHCVSS 8.8EG 8.82022-03-07
The Conversios.io WordPress plugin before 4.6.2 does not sanitise, validate and escape the sync_progressive_data parameter for the tvcajax_product_sync_bantch_wise AJAX action before using it in a SQL statement, allowing any authenticated …
- CVE-2021-24957HIGHCVSS 8.8EG 8.82022-04-25
The Advanced Page Visit Counter WordPress plugin before 6.1.6 does not escape the artID parameter before using it in a SQL statement in the apvc_reset_count_art AJAX action, available to any authenticated user, leading to a SQL injection
- CVE-2021-24959HIGHCVSS 8.8EG 8.82022-03-14
The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks.
- CVE-2021-25007CRITICALCVSS 9.8EG 9.82022-03-14
The MOLIE WordPress plugin through 0.5 does not validate and escape a post parameter before using in a SQL statement, leading to an SQL Injection
- CVE-2021-25023HIGHCVSS 7.2EG 7.22022-01-03
The Speed Booster Pack ⚡ PageSpeed Optimization Suite WordPress plugin before 4.3.3.1 does not escape the sbp_convert_table_name parameter before using it in a SQL statement to convert the related table, leading to an SQL injection
- CVE-2021-25030HIGHCVSS 8.8EG 8.82022-01-03
The Events Made Easy WordPress plugin before 2.2.36 does not sanitise and escape the search_text parameter before using it in a SQL statement via the eme_searchmail AJAX action, available to any authenticated users. As a result, users with…
- CVE-2021-25037MEDIUMCVSS 6.5EG 6.52022-01-17
The All in One SEO WordPress plugin before 4.1.5.3 is affected by an authenticated SQL injection issue, which was discovered during an internal audit by the Jetpack Scan team, and could grant attackers access to privileged information from…
- CVE-2021-25045HIGHCVSS 7.2EG 7.22022-01-24
The Asgaros Forum WordPress plugin before 1.15.15 does not validate or escape the forum_id parameter before using it in a SQL statement when editing a forum, leading to an SQL injection issue
- CVE-2021-25054HIGHCVSS 8.8EG 8.82022-01-10
The WPcalc WordPress plugin through 2.1 does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection vulnerability.
- CVE-2021-25064HIGHCVSS 7.2EG 7.22022-03-28
The Wow Countdowns WordPress plugin through 3.1.2 does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection.
- CVE-2021-25068HIGHCVSS 7.2EG 7.22022-03-28
The Sync WooCommerce Product feed to Google Shopping WordPress plugin through 1.2.4 uses the 'feed_id' POST parameter which is not properly sanitized for use in a SQL statement, leading to a SQL injection vulnerability in the admin dashboa…
- CVE-2021-25069HIGHCVSS 8.8EG 8.82022-02-21
The Download Manager WordPress plugin before 3.2.34 does not sanitise and escape the package_ids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scriptin…
- CVE-2021-25070CRITICALCVSS 9.8EG 9.82022-03-28
The Block Bad Bots WordPress plugin before 6.88 does not properly sanitise and escape the User Agent before using it in a SQL statement to record logs, leading to an SQL Injection issue
- CVE-2021-25076HIGHCVSS 8.8EG 8.82022-01-24
The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escapin…
- CVE-2021-25109LOWCVSS 2.7EG 2.72022-02-14
The Futurio Extra WordPress plugin before 1.6.3 is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting (XSS) against logged …
- CVE-2021-25114CRITICALCVSS 9.8EG 9.82022-02-07
The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code in one of its REST route (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection
- CVE-2021-25153HIGHCVSS 8.1EG 8.12021-04-28
A remote SQL injection vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.
- CVE-2021-25201HIGHCVSS 7.5EG 7.52021-07-23
SQL injection vulnerability in Learning Management System v 1.0 allows remote attackers to execute arbitrary SQL statements through the id parameter to obtain sensitive database information.
- CVE-2021-25202CRITICALCVSS 9.8EG 9.82021-07-22
SQL injection vulnerability in SourceCodester Sales and Inventory System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to \ahira\admin\inventory.php.
- CVE-2021-25205CRITICALCVSS 9.8EG 9.82021-07-22
SQL injection vulnerability in SourceCodester E-Commerce Website V 1.0 allows remote attackers to execute arbitrary SQL statements, via the update parameter to empViewUpdate.php .
- CVE-2021-25209CRITICALCVSS 9.8EG 9.82021-07-22
SQL injection vulnerability in SourceCodester Theme Park Ticketing System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to view_user.php .
- CVE-2021-25212CRITICALCVSS 9.8EG 9.82021-07-22
SQL injection vulnerability in SourceCodester Alumni Management System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to manage_event.php.
- CVE-2021-25213CRITICALCVSS 9.8EG 9.82021-07-22
SQL injection vulnerability in SourceCodester Travel Management System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the catid parameter to subcat.php.
- CVE-2021-25427MEDIUMCVSS 6.5EG 6.52021-07-08
SQL injection vulnerability in Bluetooth prior to SMR July-2021 Release 1 allows unauthorized access to paired device information
- CVE-2021-25482MEDIUMCVSS 5.9EG 5.92021-10-06
SQL injection vulnerabilities in CMFA framework prior to SMR Oct-2021 Release 1 allow untrusted application to overwrite some CMFA framework information.
- CVE-2021-25779CRITICALCVSS 9.8EG 9.82021-02-17
Baby Care System v1.0 is vulnerable to SQL injection via the 'id' parameter on the contentsectionpage.php page.
- CVE-2021-25783HIGHCVSS 7.2EG 7.22021-12-02
Taocms v2.5Beta5 was discovered to contain a blind SQL injection vulnerability via the function Article Search.
- CVE-2021-25784HIGHCVSS 7.2EG 7.22021-12-02
Taocms v2.5Beta5 was discovered to contain a blind SQL injection vulnerability via the function Edit Article.
- CVE-2021-25874HIGHCVSS 7.5EG 7.52021-11-01
AVideo/YouPHPTube AVideo/YouPHPTube 10.0 and prior is affected by a SQL Injection SQL injection in the catName parameter which allows a remote unauthenticated attacker to retrieve databases information such as application passwords hashes.
- CVE-2021-25899HIGHCVSS 7.5EG 7.52021-04-23
An issue was discovered in svc-login.php in Void Aural Rec Monitor 9.0.0.1. An unauthenticated attacker can send a crafted HTTP request to perform a blind time-based SQL Injection. The vulnerable parameter is param1.
- CVE-2021-26114CRITICALCVSS 9.8EG 9.82022-04-06
Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiWAN before 4.5.9 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
- CVE-2021-26200CRITICALCVSS 9.8EG 9.82021-02-15
The user area for Library System 1.0 is vulnerable to SQL injection where a user can bypass the authentication and login as the admin user.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →