Total: 18012 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-0842 | 1 Mcafee | 1 Epolicy Orchestrator | 2024-11-21 | 4.0 MEDIUM | 5.4 MEDIUM | A blind SQL injection vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote authenticated attacker to potentially obtain information from the ePO database. The data obtained depends on the privileges the attacker has; to obtain sensitive data the attacker would require administrator privileges. |
| CVE-2022-0836 | 1 Semadatacoop | 1 Sema Api | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The SEMA API WordPress plugin before 4.02 does not properly sanitise and escape some parameters before using them in SQL statements via an AJAX action, leading to SQL Injections exploitable by unauthenticated users. |
| CVE-2022-0827 | 1 Presspage | 1 Bestbooks | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Bestbooks WordPress plugin through 2.6.3 does not sanitise and escape some parameters before using them in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users. |
| CVE-2022-0826 | 1 Wp-video-gallery-free Project | 1 Wp-video-gallery-free | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The WP Video Gallery WordPress plugin through 1.7.1 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users. |
| CVE-2022-0817 | 1 Badgeos | 1 Badgeos | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users. |
| CVE-2022-0814 | 1 Ubigeo De Peru Para Woocommerce Project | 1 Ubigeo De Peru Para Woocommerce | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Ubigeo de Perú para Woocommerce WordPress plugin before 3.6.4 does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections. |
| CVE-2022-0787 | 1 Limit Login Attempts Project | 1 Limit Login Attempts | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated users), leading to SQL Injections. |
| CVE-2022-0786 | 1 Iqonic | 1 Kivicare | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The KiviCare WordPress plugin before 2.3.9 does not sanitise and escape some parameters before using them in SQL statements via the ajax_post AJAX action with the get_doctor_details route, leading to SQL Injections exploitable by unauthenticated users. |
| CVE-2022-0785 | 1 Daily Prayer Time Project | 1 Daily Prayer Time | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Daily Prayer Time WordPress plugin before 2022.03.01 does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection. |
| CVE-2022-0784 | 1 Title Experiments Free Project | 1 Title Experiments Free | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Title Experiments Free WordPress plugin before 9.0.1 does not sanitise and escape the id parameter before using it in a SQL statement via the wpex_titles AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection. |
| CVE-2022-0783 | 1 Themehigh | 1 Multiple Shipping Addresses For Woocommerce | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Multiple Shipping Address Woocommerce WordPress plugin before 2.0 does not properly sanitise and escape numerous parameters before using them in SQL statements via some AJAX actions available to unauthenticated users, leading to unauthenticated SQL injections. |
| CVE-2022-0782 | 1 Donations Project | 1 Donations | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Donations WordPress plugin through 1.8 does not sanitise and escape the nd_donations_id parameter before using it in a SQL statement via the nd_donations_single_cause_form_validate_fields_php_function AJAX action (available to unauthenticated users), leading to an unauthenticated SQL Injection. |
| CVE-2022-0781 | 1 Nirweb | 1 Nirweb Support | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Nirweb support WordPress plugin before 2.8.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection. |
| CVE-2022-0773 | 1 Documentor Project | 1 Documentor | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Documentor WordPress plugin through 1.5.3 fails to sanitize and escape user input before it is interpolated into an SQL statement and executed, leading to an SQL Injection exploitable by unauthenticated users. |
| CVE-2022-0771 | 1 Marketingheroes | 1 Sitesupercharger | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The SiteSuperCharger WordPress plugin before 5.2.0 does not validate, sanitise and escape various user inputs before using them in SQL statements via AJAX actions (available to both unauthenticated and authenticated users), leading to unauthenticated SQL Injections. |
| CVE-2022-0769 | 1 Usersultra | 1 Users Ultra | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Users Ultra WordPress plugin through 3.1.0 fails to properly sanitize and escape the data_target parameter before it is interpolated into an SQL statement and executed via the rating_vote AJAX action (available to both unauthenticated and authenticated users), leading to an SQL Injection. |
| CVE-2022-0760 | 1 Quantumcloud | 1 Simple Link Directory | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id parameter before using it in a SQL statement via the qcopd_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection. |
| CVE-2022-0757 | 1 Rapid7 | 1 Nexpose | 2024-11-21 | 6.5 MEDIUM | 5.5 MEDIUM | Rapid7 Nexpose versions 6.6.93 and earlier are susceptible to an SQL Injection vulnerability, whereby valid search operators are not defined. This lack of validation can allow a logged-in, authenticated attacker to manipulate the "ANY" and "OR" operators in the SearchCriteria and inject SQL code. This issue was fixed in Rapid7 Nexpose version 6.6.129. |
| CVE-2022-0754 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12.5. |
| CVE-2022-0747 | 1 Quantumcloud | 1 Infographic Maker | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Infographic Maker WordPress plugin before 4.3.8 does not validate and escape the post_id parameter before using it in a SQL statement via the qcld_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection. |
| CVE-2022-0739 | 1 Reputeinfosystems | 1 Bookingpress | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user-supplied POST data before it is used in a dynamically constructed SQL query via the bookingpress_front_get_category_services AJAX action (available to unauthenticated users), leading to an unauthenticated SQL Injection. |
| CVE-2022-0694 | 1 Elbtide | 1 Advanced Booking Calendar | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abc_booking_getSingleCalendar AJAX action (available to both unauthenticated and authenticated users), leading to an unauthenticated SQL injection. |
| CVE-2022-0693 | 1 Devbunch | 1 Master Elements | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Master Elements WordPress plugin through 8.0 does not validate and escape the meta_ids parameter of its remove_post_meta_condition AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL Injection. |
| CVE-2022-0658 | 1 Wielebenwir | 1 Commonsbooking | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection. |
| CVE-2022-0657 | 1 5 Stars Rating Funnel Project | 1 5 Stars Rating Funnel | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The 5 Stars Rating Funnel WordPress Plugin \| RRatingg WordPress plugin before 1.2.54 does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtngg_delete_leads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input using sanitize_text_field(); however, that function is not intended to prevent SQL injections. |
| CVE-2022-0651 | 1 Veronalabs | 1 Wp Statistics | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL | The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file, which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. |
| CVE-2022-0592 | 1 Mapsvg | 1 Mapsvg | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The MapSVG WordPress plugin before 6.2.20 does not validate and escape a parameter via a REST endpoint before using it in a SQL statement, leading to a SQL Injection exploitable by unauthenticated users. |
| CVE-2022-0513 | 1 Veronalabs | 1 Wp Statistics | 2024-11-21 | 4.3 MEDIUM | 9.8 CRITICAL | The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file, which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the "Record Exclusions" option to be enabled on the vulnerable site. |
| CVE-2022-0507 | 1 Pandorafms | 1 Pandora Fms | 2024-11-21 | 6.5 MEDIUM | 5.8 MEDIUM | Found a potential security vulnerability inside the Pandora API. Affected Pandora FMS version range: all versions of NG version, up to OUM 759. This vulnerability could allow an attacker with an authenticated IP to inject SQL. |
| CVE-2022-0495 | 1 Parantezteknoloji | 1 Koha Library Automation | 2024-11-21 | N/A | 9.4 CRITICAL | The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in version 19.05.03.01. |
| CVE-2022-0479 | 1 Sygnoos | 1 Popup Builder | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform a Reflected Cross-Site Scripting attack against a logged-in admin opening a malicious link. |
| CVE-2022-0478 | 1 Mage-people | 1 Event Manager And Tickets Selling For Woocommerce | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | The Event Manager and Tickets Selling for WooCommerce WordPress plugin before 3.5.8 does not validate and escape the post_author_gutenberg parameter before using it in a SQL statement when creating/editing events, which could allow users with a role as low as contributor to perform SQL Injection attacks. |
| CVE-2022-0439 | 1 Icegram | 1 Email Subscribers & Newsletters | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to trick any logged-in user into performing the action by clicking a link. |
| CVE-2022-0434 | 1 A3rev | 1 Page View Count | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Page View Count WordPress plugin before 2.4.15 does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint, available to both unauthenticated and authenticated users. As a result, unauthenticated attackers could perform SQL injection attacks. |
| CVE-2022-0420 | 1 Metagauss | 1 Registrationmagic | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | The RegistrationMagic WordPress plugin before 5.0.2.2 does not sanitise and escape the rm_form_id parameter before using it in a SQL statement in the Automation admin dashboard, allowing high privilege users to perform SQL injection attacks. |
| CVE-2022-0412 | 1 Templateinvaders | 1 Ti Woocommerce Wishlist | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The TI WooCommerce Wishlist WordPress plugin before 1.40.1 and the TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks. |
| CVE-2022-0411 | 1 Asgaros | 1 Asgaros Forum | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | The Asgaros Forum WordPress plugin before 2.0.0 does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection. |
| CVE-2022-0410 | 1 Wp Visitor Statistics Project | 1 Wp Visitor Statistics | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.6 does not sanitise and escape the id parameter before using it in a SQL statement via the refUrlDetails AJAX action, available to any authenticated user, leading to a SQL injection. |
| CVE-2022-0386 | 1 Sophos | 1 Unified Threat Management | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | A post-auth SQL injection vulnerability in the Mail Manager potentially allows an authenticated attacker to execute code in Sophos UTM before version 9.710. |
| CVE-2022-0383 | 1 Ljapps | 1 Wp Review Slider | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | The WP Review Slider WordPress plugin before 11.0 does not sanitise and escape the pid parameter when copying a Twitter source, which could allow high privilege users to perform SQL Injection attacks. |