CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In 2021(SQL Injection)

Columns: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access Complexity | Authentication | Conf. | Integ. | Avail. | Description

Each entry below spans four lines: (1) row number, CVE ID, CWE ID, exploit count, vulnerability type(s), publish and update dates; (2) the CVSS v2 base score; (3) gained access level, access complexity, authentication, and confidentiality / integrity / availability impact; (4) the description. A "???" in the authentication field corresponds to CVSS v2 "Single system" (Au:S): the 6.5 entries on this page all decode to AV:N/AC:L/Au:S/C:P/I:P/A:P, meaning an account is required, while the 7.5 entries (authentication "Not required", Au:N) are reachable without one.
351 CVE-2021-24791 89 Sql 2021-11-08 2021-11-10
6.5
None Remote Low ??? Partial Partial Partial
The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections
352 CVE-2021-24774 89 Sql 2021-10-25 2021-10-27
6.5
None Remote Low ??? Partial Partial Partial
The Check & Log Email WordPress plugin before 1.0.3 does not validate and escape the "order" and "orderby" GET parameters before using them in a SQL statement when viewing logs, leading to SQL injection issues
353 CVE-2021-24772 89 Sql 2021-11-17 2021-11-19
6.5
None Remote Low ??? Partial Partial Partial
The Stream WordPress plugin before 3.8.2 does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue.
354 CVE-2021-24769 89 Sql 2021-10-25 2021-10-27
6.5
None Remote Low ??? Partial Partial Partial
The Permalink Manager Lite WordPress plugin before 2.2.13.1 does not validate and escape the orderby parameter before using it in a SQL statement in the Permalink Manager page, leading to a SQL Injection
355 CVE-2021-24758 89 Sql 2021-11-17 2021-11-19
6.5
None Remote Low ??? Partial Partial Partial
The Email Log WordPress plugin before 2.4.7 does not properly validate, sanitise and escape the "orderby" and "order" GET parameters before using them in a SQL statement in the admin dashboard, leading to SQL injections
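The entries above share one root cause: "orderby" and "order" are a column name and a sort direction, i.e. SQL identifiers and keywords, which cannot be bound as values, so `$wpdb->prepare()` on its own does not fix them and `esc_sql()` (which escapes string literals) does not either. The following is an added example written for this page, not code from any plugin listed; it assumes the WordPress runtime (`$wpdb`) and a hypothetical `{$wpdb->prefix}snippets` table with `id`, `name` and `created_at` columns. It shows the vulnerable pattern beside the allowlist-based fix.

```php
<?php
// Added example (not from any plugin listed above). Assumes the WordPress
// runtime ($wpdb) and a hypothetical table {$wpdb->prefix}snippets.

/* Vulnerable: the request parameters land in the query unchanged.
 * ORDER BY takes identifiers, so prepare() cannot bind them, and
 * esc_sql() only escapes string literals, not column names. */
function snippets_list_vulnerable() {
    global $wpdb;
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'id';
    $order   = isset( $_GET['order'] ) ? $_GET['order'] : 'ASC';
    $table   = $wpdb->prefix . 'snippets';
    // e.g. ?orderby=(SELECT SLEEP(5)) is executed verbatim (time-based blind)
    return $wpdb->get_results( "SELECT * FROM {$table} ORDER BY {$orderby} {$order}" );
}

/* Hardened: map untrusted input onto a fixed allowlist and interpolate only
 * the allowlisted constants we wrote ourselves. Real values (the LIMIT here)
 * still go through prepare(). */
function snippets_list_hardened() {
    global $wpdb;

    $allowed_columns = array( 'id', 'name', 'created_at' );
    // sanitize_key() lowercases and strips everything outside [a-z0-9_-]
    $orderby = sanitize_key( isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'id' );
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id';
    }

    $order = strtoupper( (string) ( isset( $_GET['order'] ) ? $_GET['order'] : 'ASC' ) );
    $order = ( 'DESC' === $order ) ? 'DESC' : 'ASC';

    $per_page = isset( $_GET['per_page'] ) ? absint( $_GET['per_page'] ) : 20;
    $per_page = min( max( $per_page, 1 ), 100 );

    $table = $wpdb->prefix . 'snippets';
    // $orderby and $order are now one of a handful of literals from this file;
    // the only user-derived value, $per_page, is bound with %d.
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$table} ORDER BY {$orderby} {$order} LIMIT %d", $per_page )
    );
}
```

The check to apply when reviewing a plugin is simple: every identifier in a query must trace back to a literal in the plugin's own source, never to a request parameter, even one that was passed through `esc_sql()` or `sanitize_text_field()`. WordPress 6.2 and later also accept a `%i` identifier placeholder in `prepare()`, which quotes the name but does not restrict it to known columns, so an allowlist is still the right control.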
356 CVE-2021-24755 89 Sql 2021-11-29 2021-11-29
6.5
None Remote Low ??? Partial Partial Partial
The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user
357 CVE-2021-24754 89 Sql 2021-10-18 2021-10-21
6.5
None Remote Low ??? Partial Partial Partial
The MainWP Child Reports WordPress plugin before 2.0.8 does not validate or sanitise the order parameter before using it in a SQL statement in the admin dashboard, leading to an SQL injection issue
358 CVE-2021-24753 89 Sql 2021-12-27 2022-01-06
6.5
None Remote Low ??? Partial Partial Partial
The Rich Reviews by Starfish WordPress plugin before 1.9.6 does not properly validate the orderby GET parameter of the pending reviews page before using it in a SQL statement, leading to an authenticated SQL injection issue
359 CVE-2021-24750 89 Sql 2021-12-21 2022-01-05
6.5
None Remote Low ??? Partial Partial Partial
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks
360 CVE-2021-24748 89 Sql 2021-11-29 2021-11-29
6.5
None Remote Low ??? Partial Partial Partial
The Email Before Download WordPress plugin before 6.8 does not properly validate and escape the order and orderby GET parameters before using them in SQL statements, leading to authenticated SQL injection issues
361 CVE-2021-24747 89 Sql 2021-12-13 2022-01-04
6.5
None Remote Low ??? Partial Partial Partial
The SEO Booster WordPress plugin before 3.8 allows for authenticated SQL injection via the "fn_my_ajaxified_dataloader_ajax" AJAX request as the $_REQUEST['order'][0]['dir'] parameter is not properly escaped leading to blind and error-based SQL injections.
362 CVE-2021-24741 89 Sql 2021-09-20 2021-10-01
7.5
None Remote Low Not required Partial Partial Partial
The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.
363 CVE-2021-24731 89 Sql 2021-11-08 2021-11-10
7.5
None Remote Low Not required Partial Partial Partial
The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection.
364 CVE-2021-24728 79 Sql XSS 2021-09-13 2021-09-23
6.5
None Remote Low ??? Partial Partial Partial
The Membership & Content Restriction – Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statements, leading to Authenticated SQL Injections in the Members and Payments pages.
365 CVE-2021-24727 89 Sql 2021-09-13 2021-09-23
6.5
None Remote Low ??? Partial Partial Partial
The StopBadBots WordPress plugin before 6.60 did not validate or escape the order and orderby GET parameters in some of its admin dashboard pages, leading to Authenticated SQL Injections
366 CVE-2021-24726 89 Sql 2021-09-13 2021-09-23
6.5
None Remote Low ??? Partial Partial Partial
The WP Simple Booking Calendar WordPress plugin before 2.0.6 did not escape, validate or sanitise the orderby parameter in its Search Calendars action, before using it in a SQL statement, leading to an authenticated SQL injection issue
367 CVE-2021-24669 89 Sql 2021-11-08 2021-11-10
6.5
None Remote Low ??? Partial Partial Partial
The MAZ Loader – Preloader Builder for WordPress plugin before 1.3.3 does not validate or escape the loader_id parameter of the mzldr shortcode, which allows users with a role as low as Contributor to perform SQL injection.
368 CVE-2021-24666 89 Sql 2021-09-27 2021-10-05
6.8
None Remote Medium Not required Partial Partial Partial
The Podlove Podcast Publisher WordPress plugin before 3.5.6 contains a 'Social & Donations' module (not activated by default) which adds the REST route '/services/contributor/(?P<id>[\d]+)' and takes 'id' and 'category' parameters as arguments. Both parameters can be used for SQL injection.
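Both REST-route entries above (the wp-json login endpoint in CVE-2021-24731 and the contributor route here) pass request arguments straight into SQL. The WordPress REST API can reject bad input before the callback runs if the route declares an argument schema, and a `permission_callback` decides who may call it at all. The following is an added example written for this page, not code from Podlove or any other plugin listed; it assumes the WordPress runtime and a hypothetical `podcast/v1` namespace and `{$wpdb->prefix}contributors` table. The route path is the one quoted in the entry; the category values are invented for the allowlist.

```php
<?php
// Added example (not from any plugin listed above). Assumes the WordPress
// runtime, a hypothetical namespace podcast/v1 and a hypothetical table
// {$wpdb->prefix}contributors with id, name and category columns.

/* Vulnerable: id comes from the URL, category from the query string, and
 * both reach the query unvalidated. The route regex constrains id to digits
 * only at the URL-matching stage; category has no constraint at all. */
function contributor_route_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $id       = $request['id'];
    $category = $request['category'];
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}contributors WHERE id = {$id} AND category = '{$category}'"
    );
}

/* Hardened: the schema below has already validated and sanitized both
 * arguments by the time this runs; the values are still bound with prepare()
 * so the query is safe even if the schema is loosened later. */
function contributor_route_hardened( WP_REST_Request $request ) {
    global $wpdb;
    $id       = (int) $request['id'];
    $category = (string) $request['category'];

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name FROM {$wpdb->prefix}contributors WHERE id = %d AND category = %s",
            $id,
            $category
        )
    );
    return rest_ensure_response( $rows );
}

function register_contributor_route() {
    register_rest_route( 'podcast/v1', '/services/contributor/(?P<id>[\d]+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'contributor_route_hardened',
        // WordPress 5.5+ emits a _doing_it_wrong notice when this is missing,
        // and the route stays callable by anyone. Decide explicitly.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args'                => array(
            'id'       => array(
                'required'          => true,
                'type'              => 'integer',
                'minimum'           => 1,
                'validate_callback' => 'rest_validate_request_arg',
                'sanitize_callback' => 'absint',
            ),
            'category' => array(
                'required'          => false,
                'type'              => 'string',
                'default'           => 'default',
                // hypothetical allowlist; a value outside it is a 400 before the callback
                'enum'              => array( 'default', 'sponsor', 'guest' ),
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'register_contributor_route' );
```

Two things to verify during a review of any plugin route: that every `register_rest_route()` call has a `permission_callback` that is not simply `__return_true` unless the data is genuinely public, and that every argument read from the request either has a schema entry with a type and (where applicable) `enum`, `minimum` or `pattern`, or is bound through `prepare()` in the callback. The `(?P<id>[\d]+)` capture is not a substitute for the schema: it constrains the path segment, not the value once it is interpolated into SQL alongside other, unconstrained arguments.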
369 CVE-2021-24662 89 Sql 2021-10-25 2021-10-27
6.5
None Remote Low ??? Partial Partial Partial
The Game Server Status WordPress plugin through 1.0 does not validate or escape the server_id parameter before using it in a SQL statement, leading to an Authenticated SQL Injection in an admin page
370 CVE-2021-24651 89 Sql 2021-10-11 2021-10-19
5.0
None Remote Low Not required Partial None None
The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hash.
371 CVE-2021-24631 89 Sql 2021-11-08 2021-11-10
6.5
None Remote Low ??? Partial Partial Partial
The Unlimited PopUps WordPress plugin through 4.5.3 does not sanitise or escape the did GET parameter before using it in a SQL statement, available to users as low as editor, leading to an authenticated SQL Injection
372 CVE-2021-24630 89 Sql 2021-11-08 2021-11-10
6.5
None Remote Low ??? Partial Partial Partial
The Schreikasten WordPress plugin through 0.14.18 does not sanitise or escape the id GET parameter before using it in SQL statements in the comments dashboard from various actions, leading to authenticated SQL Injections which can be exploited by users as low as author
373 CVE-2021-24629 89 Sql 2021-11-08 2021-11-10
6.5
None Remote Low ??? Partial Partial Partial
The Post Content XMLRPC WordPress plugin through 1.0 does not sanitise or escape multiple GET/POST parameters before using them in SQL statements in the admin dashboard, leading to authenticated SQL injections
374 CVE-2021-24628 89 Sql 2021-11-08 2021-11-10
6.5
None Remote Low ??? Partial Partial Partial
The Wow Forms WordPress plugin through 3.1.3 does not sanitise or escape a 'did' GET parameter before using it in a SQL statement, when deleting a form in the admin dashboard, leading to an authenticated SQL injection
375 CVE-2021-24627 89 Sql 2021-11-08 2021-11-10
6.5
None Remote Low ??? Partial Partial Partial
The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection
376 CVE-2021-24626 89 Sql CSRF 2021-11-08 2021-11-10
6.5
None Remote Low ??? Partial Partial Partial
The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as a subscriber, to call them and perform unauthorised actions. One of these AJAX calls, remove_css, also does not sanitise or escape the css_id POST parameter before using it in a SQL statement, leading to a SQL Injection
377 CVE-2021-24625 89 Sql 2021-11-08 2021-11-10
6.5
None Remote Low ??? Partial Partial Partial
The SpiderCatalog WordPress plugin through 1.7.3 does not sanitise or escape the 'parent' and 'ordering' parameters from the admin dashboard before using them in a SQL statement, leading to a SQL injection when adding a category
378 CVE-2021-24606 89 Sql 2021-09-20 2021-10-01
6.5
None Remote Low ??? Partial Partial Partial
The Availability Calendar WordPress plugin before 1.2.1 does not escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection issue, which can be exploited by any user able to add shortcode to posts/pages, such as contributor+
379 CVE-2021-24580 89 Sql 2021-08-30 2021-09-02
6.5
None Remote Low ??? Partial Partial Partial
The Side Menu Lite WordPress plugin before 2.2.6 does not sanitise user input from the List page in the admin dashboard before using it in a SQL statement, leading to a SQL Injection issue
380 CVE-2021-24575 89 Sql 2021-11-08 2021-11-10
6.5
None Remote Low ??? Partial Partial Partial
The School Management System – WPSchoolPress WordPress plugin before 2.1.10 does not properly sanitize or use prepared statements before using POST variables in SQL queries, leading to SQL injection in multiple actions available to various authenticated users, from simple subscribers/students to teachers and above.
381 CVE-2021-24557 89 Sql 2021-08-23 2021-08-30
6.5
None Remote Low ??? Partial Partial Partial
The update functionality in the rslider_page uses an rs_id POST parameter which is not validated, sanitised or escaped before being inserted into a SQL query, therefore leading to SQL injection for users having the Administrator role.
382 CVE-2021-24555 89 Sql CSRF 2021-08-23 2021-08-26
6.5
None Remote Low ??? Partial Partial Partial
The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and capability check, making it available to any authenticated user.
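This entry and CVE-2021-24626 above describe the same combination: an `admin-ajax.php` action with no nonce, no capability check, and an `id` interpolated into SQL, so any subscriber can both trigger the action and inject into it. The entries at 7.5 (CVE-2021-24741, CVE-2021-24507, CVE-2021-24651) go one step further by registering the `wp_ajax_nopriv_` variant, which makes the handler reachable with no login at all. The following is an added example written for this page, not code from any plugin listed; it assumes the WordPress runtime, a hypothetical `delete_booking` action, a hypothetical `{$wpdb->prefix}bookings` table, and a hypothetical `booking-admin` script handle for the page that issues the request.

```php
<?php
// Added example (not from any plugin listed above). Assumes the WordPress
// runtime, a hypothetical action name delete_booking and a hypothetical
// table {$wpdb->prefix}bookings.

/* Vulnerable: no nonce, no capability check, and the POST id lands in the
 * SQL unchanged. A plugin that also registers the wp_ajax_nopriv_ hook for
 * this same callback exposes it to unauthenticated requests:
 *
 *   add_action( 'wp_ajax_delete_booking',        'delete_booking_vulnerable' );
 *   add_action( 'wp_ajax_nopriv_delete_booking', 'delete_booking_vulnerable' );
 */
function delete_booking_vulnerable() {
    global $wpdb;
    $wpdb->query( "DELETE FROM {$wpdb->prefix}bookings WHERE id = {$_POST['id']}" );
    wp_die();
}

/* Hardened: three independent checks, in this order. Each one alone would
 * not be enough: a nonce does not prove authorization, a capability check
 * does not stop injection, and prepare() does not stop an unauthorized user. */
function delete_booking_hardened() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'delete_booking', 'nonce' );

    // 2. Authorization: being logged in is not enough; require a specific capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input: reduce id to a positive integer and bind it.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid id' ), 400 );
    }

    $deleted = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$wpdb->prefix}bookings WHERE id = %d", $id )
    );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
// Authenticated hook only: a destructive action gets no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_delete_booking', 'delete_booking_hardened' );

// The admin page that issues the request receives the matching nonce.
// 'booking-admin' is a hypothetical script handle registered elsewhere.
function delete_booking_localize() {
    wp_localize_script( 'booking-admin', 'bookingAdmin', array(
        'nonce'   => wp_create_nonce( 'delete_booking' ),
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'delete_booking_localize' );
```

A quick triage check for any plugin in this list is to grep for `wp_ajax_nopriv_` and for `add_action( 'wp_ajax_` callbacks that contain neither `check_ajax_referer` / `wp_verify_nonce` nor `current_user_can`: those handlers are the ones that turn an injection only an administrator could reach into one any account, or no account, can reach.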
383 CVE-2021-24554 89 Sql 2021-08-23 2021-08-26
6.5
None Remote Low ??? Partial Partial Partial
The Paytm – Donation Plugin WordPress plugin through 1.3.2 does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenticated SQL injection issue
384 CVE-2021-24553 89 Sql 2021-08-23 2021-08-26
6.5
None Remote Low ??? Partial Partial Partial
The Timeline Calendar WordPress plugin through 1.2 does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL injection issue. Other SQL Injections are also present in the plugin
385 CVE-2021-24552 89 Sql 2021-08-23 2021-08-26
6.5
None Remote Low ??? Partial Partial Partial
The Simple Events Calendar WordPress plugin through 1.4.0 does not sanitise, validate or escape the event_id POST parameter before using it in a SQL statement when deleting events, leading to an authenticated SQL injection issue
386 CVE-2021-24551 89 Sql 2021-08-23 2021-08-26
7.5
None Remote Low Not required Partial Partial Partial
The Edit Comments WordPress plugin through 0.3 does not sanitise, validate or escape the jal_edit_comments GET parameter before using it in a SQL statement, leading to a SQL injection issue
387 CVE-2021-24550 89 Sql 2021-08-23 2021-08-26
6.5
None Remote Low ??? Partial Partial Partial
The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise, validate or escape the url GET parameter before using it in a SQL statement when retrieving a URL to edit, leading to an authenticated SQL injection issue
388 CVE-2021-24521 89 Sql 2021-08-09 2021-08-17
6.5
None Remote Low ??? Partial Partial Partial
The Side Menu Lite – add sticky fixed buttons WordPress plugin before 2.2.1 does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack.
389 CVE-2021-24520 89 Sql 2021-08-09 2021-08-16
6.5
None Remote Low ??? Partial Partial Partial
The Stock in & out WordPress plugin through 1.0.4 lacks proper sanitization before passing variables to an SQL request, making it vulnerable to SQL Injection attacks. Users with a role of contributor or higher can exploit this vulnerability.
390 CVE-2021-24511 89 Sql 2021-09-20 2021-09-29
6.5
None Remote Low ??? Partial Partial Partial
The fetch_product_ajax functionality in the Product Feed on WooCommerce WordPress plugin before 3.3.1.0 uses a `product_id` POST parameter which is not properly sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.
391 CVE-2021-24507 89 Sql 2021-08-09 2021-08-17
7.5
None Remote Low Not required Partial Partial Partial
The Astra Pro Addon WordPress plugin before 3.5.2 did not properly sanitise or escape some of the POST parameters from the astra_pagination_infinite and astra_shop_pagination_infinite AJAX actions (available to both unauthenticated and authenticated users) before using them in SQL statements, leading to SQL injection issues
392 CVE-2021-24506 89 Sql 2021-08-23 2021-08-26
6.5
None Remote Low ??? Partial Partial Partial
The Slider Hero with Animation, Video Background & Intro Maker WordPress plugin before 8.2.7 does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statement, allowing users with a role as low as Contributor to perform SQL injection.
393 CVE-2021-24497 89 Exec Code Sql 2021-08-23 2021-08-30
6.5
None Remote Low ??? Partial Partial Partial
The Giveaway WordPress plugin through 1.2.2 is vulnerable to an SQL Injection issue which allows an administrative user to execute arbitrary SQL commands via the $post_id on the options.php page.
394 CVE-2021-24492 89 Sql 2021-08-02 2021-08-10
6.5
None Remote Low ??? Partial Partial Partial
The hndtst_action_instance_callback AJAX call of the Handsome Testimonials & Reviews WordPress plugin before 2.1.1, available to any authenticated users, does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue.
395 CVE-2021-24484 89 Sql 2021-08-02 2021-08-10
6.5
None Remote Low ??? Partial Partial Partial
The get_reports() function in the Secure Copy Content Protection and Content Locking WordPress plugin before 2.6.7 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
396 CVE-2021-24483 89 Sql 2021-08-02 2021-08-10
6.5
None Remote Low ??? Partial Partial Partial
The get_poll_categories(), get_polls() and get_reports() functions in the Poll Maker WordPress plugin before 3.2.1 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
397 CVE-2021-24465 89 Sql 2021-10-04 2021-10-08
5.5
None Remote Low ??? Partial Partial None
The Meow Gallery WordPress plugin before 4.1.9 does not sanitise, validate or escape the ids attribute of its gallery shortcode (available for users as low as Contributor) before using it in an SQL statement, leading to an authenticated SQL Injection issue. The injection also allows the returned values to be manipulated in a way that could lead to data disclosure and arbitrary objects to be deserialized.
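Four entries on this page (CVE-2021-24669, CVE-2021-24606, CVE-2021-24506 and this one) are shortcode attributes rather than request parameters. The input path matters for triage: a shortcode attribute is written by whoever authors the post, and the Contributor role can submit posts for review, so `[shortcode id="..."]` is attacker-controlled input even though it never passes through `$_GET` or `$_POST`. The following is an added example written for this page, not code from Meow Gallery or any other plugin listed; it assumes the WordPress runtime, a hypothetical `gallery_items` shortcode with an `ids` attribute, and a hypothetical `{$wpdb->prefix}gallery_items` table with `id` and `title` columns. It handles the comma-separated list case, which is the one a single `%d` placeholder does not cover.

```php
<?php
// Added example (not from any plugin listed above). Assumes the WordPress
// runtime, a hypothetical [gallery_items ids="1,2,3"] shortcode and a
// hypothetical table {$wpdb->prefix}gallery_items with id and title columns.

/* Vulnerable: the attribute is interpolated as-is into an IN (...) list.
 * A Contributor writing ids="0) OR 1=1 -- " in a draft changes the query. */
function gallery_items_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts  = shortcode_atts( array( 'ids' => '' ), $atts, 'gallery_items' );
    $table = $wpdb->prefix . 'gallery_items';
    return render_gallery_items(
        $wpdb->get_results( "SELECT * FROM {$table} WHERE id IN ({$atts['ids']})" )
    );
}

/* Hardened: reduce the attribute to a list of positive integers, build one
 * %d placeholder per value, bind them all, and refuse to query when nothing
 * valid remains. */
function gallery_items_shortcode_hardened( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'ids' => '' ), $atts, 'gallery_items' );

    // absint() maps anything that is not a positive integer to 0; array_filter drops the 0s.
    $ids = array_values( array_filter( array_map( 'absint', explode( ',', (string) $atts['ids'] ) ) ) );
    if ( empty( $ids ) ) {
        return '';
    }

    $table        = $wpdb->prefix . 'gallery_items';
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    // prepare() accepts the values as a single array in place of variadic arguments.
    $sql = $wpdb->prepare( "SELECT id, title FROM {$table} WHERE id IN ({$placeholders})", $ids );

    return render_gallery_items( $wpdb->get_results( $sql ) );
}

/* Output side: escape on the way out as well, so a stored title cannot
 * become a second (XSS) bug. */
function render_gallery_items( $rows ) {
    $out = '';
    foreach ( (array) $rows as $row ) {
        $out .= '<div class="gallery-item">' . esc_html( $row->title ) . '</div>';
    }
    return $out;
}

add_shortcode( 'gallery_items', 'gallery_items_shortcode_hardened' );
```

The same reduction applies to the single-value cases in the other three entries (`loader_id`, `category`, `id`): cast to the expected scalar type first, then bind. When the attribute is a string that legitimately names something (a category slug, for instance), bind it with `%s`; the value is then data, and the remaining risk is only whether the lookup itself is authorized for the post's author.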
398 CVE-2021-24463 89 Sql 2021-08-02 2021-08-10
6.5
None Remote Low ??? Partial Partial Partial
The get_sliders() function in the Image Slider by Ays- Responsive Slider and Carousel WordPress plugin before 2.5.0 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
399 CVE-2021-24462 89 Sql 2021-08-02 2021-08-10
6.5
None Remote Low ??? Partial Partial Partial
The get_gallery_categories() and get_galleries() functions in the Photo Gallery by Ays – Responsive Image Gallery WordPress plugin before 4.4.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
400 CVE-2021-24461 89 Sql 2021-08-02 2021-08-10
6.5
None Remote Low ??? Partial Partial Partial
The get_faqs() function in the FAQ Builder AYS WordPress plugin before 1.3.6 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
Total number of vulnerabilities: 627. This is page 8 of 13.
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of the user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.