CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities Published In 2021 (SQL Injection)

Each entry below is one row of the source table followed by its description. Row fields: # | CVE ID | CWE ID | Vulnerability type | Publish date | Update date | CVSS v2 score | Gained access level | Access vector | Access complexity | Authentication (Single system = CVSS v2 Au:S, Not required = Au:N) | Conf. | Integ. | Avail. The "# of Exploits" column is empty for every entry on this page and is omitted.

401 | CVE-2021-24460 | CWE-89 | SQL injection | 2021-08-02 | 2021-08-10 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The get_fb_likeboxes() function in the Popup Like box – Page Plugin WordPress plugin before 3.5.3 did not whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard.

402 | CVE-2021-24459 | CWE-89 | SQL injection | 2021-08-02 | 2021-08-10 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The get_results() and get_items() functions in the Survey Maker WordPress plugin before 1.5.6 did not whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard.

403 | CVE-2021-24458 | CWE-89 | SQL injection | 2021-08-02 | 2021-08-10 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard.

404 | CVE-2021-24457 | CWE-89 | SQL injection | 2021-08-02 | 2021-08-10 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The get_portfolios() and get_portfolio_attributes() functions in the class-portfolio-responsive-gallery-list-table.php and class-portfolio-responsive-gallery-attributes-list-table.php files of the Portfolio Responsive Gallery WordPress plugin before 1.1.8 did not whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard.

405 | CVE-2021-24456 | CWE-89 | SQL injection | 2021-08-02 | 2021-08-09 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The Quiz Maker WordPress plugin before 6.2.0.9 did not properly sanitise and escape the order and orderby parameters before using them in SQL statements, leading to SQL injection issues in the admin dashboard.
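
The five entries above (CVE-2021-24456 through CVE-2021-24460) share one root cause: a sort column taken from the request and interpolated into ORDER BY. ORDER BY takes an identifier, which cannot be bound as a value with $wpdb->prepare(), so escaping does not help and the fix is an allow-list. The PHP below is an added example, not code from any of these plugins; the table name, column names, function names and the WP_List_Table call site are hypothetical.

```php
<?php
// Added example (not code from any plugin listed on this page).
// Sorting an admin list table on a user-supplied "orderby" value.
// Table name, column names and function names are hypothetical.

// VULNERABLE: the pattern behind CVE-2021-24456 .. CVE-2021-24460.
// ORDER BY takes an identifier, so it cannot be bound as a value;
// interpolating the request value lets ?orderby=(SELECT+SLEEP(5))
// reach the DBMS.
function vulnerable_get_items( $orderby, $order ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_items';
    return $wpdb->get_results( "SELECT * FROM {$table} ORDER BY {$orderby} {$order}" );
}

// HARDENED: only column names the table actually has, only ASC/DESC.
function safe_get_items( $orderby, $order, $per_page = 20 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_items';

    // Allow-list mapping client-visible sort keys to real column names.
    // Anything not in the map falls back to the primary key.
    $sortable = array(
        'title'   => 'title',
        'created' => 'created_at',
        'status'  => 'status',
    );
    $orderby = isset( $sortable[ $orderby ] ) ? $sortable[ $orderby ] : 'id';

    // Direction: two fixed tokens, nothing else is interpolated.
    $order = ( 'desc' === strtolower( (string) $order ) ) ? 'DESC' : 'ASC';

    // $orderby and $order are now our own literals, so interpolating them
    // is safe. Values (the LIMIT) still go through prepare().
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$table} ORDER BY {$orderby} {$order} LIMIT %d",
            absint( $per_page )
        )
    );
}

// Call site as it would appear in a WP_List_Table::prepare_items():
// sanitize_key() lowercases and strips to [a-z0-9_-] before the lookup.
function example_list_table_items() {
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : '';
    $order   = isset( $_GET['order'] ) ? sanitize_key( $_GET['order'] ) : '';
    return safe_get_items( $orderby, $order );
}
```

Core's sanitize_sql_orderby() only checks that the string looks like a comma-separated list of identifiers with optional ASC/DESC (or RAND()), so it blocks the SLEEP() payload but still lets a request name a column that does not exist; the allow-list above does both. WordPress 6.1 added the %i identifier placeholder to wpdb::prepare(), which backtick-quotes an identifier but likewise does not check it against the schema, so the allow-list remains the control that matters.
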

406 | CVE-2021-24451 | CWE-89 | SQL injection | 2021-07-06 | 2021-07-09 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The Export Users With Meta WordPress plugin before 0.6.5 did not escape the list of roles to export before using it in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL injection.

407 | CVE-2021-24442 | CWE-89 | SQL injection | 2021-07-12 | 2021-07-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a poll result, allowing unauthenticated users to perform SQL injection attacks.

408 | CVE-2021-24404 | CWE-89 | SQL injection | 2021-09-20 | 2021-09-28 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The options.php file of the WP-Board WordPress plugin through 1.1 beta accepts a postid parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. This is a time-based SQLi; the vulnerable parameter is used twice in the same function, so a payload that sleeps for 5 seconds takes about 10 seconds to return because the query runs twice.

409 | CVE-2021-24403 | CWE-89 | SQL injection | 2021-09-20 | 2021-09-29 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The Orders functionality in the WordPress Page Contact plugin through 1.0 has an order_id parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. The feature is available to low-privilege users such as contributors.

410 | CVE-2021-24402 | CWE-89 | SQL injection | 2021-09-20 | 2021-09-29 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The Orders functionality in the WP iCommerce WordPress plugin through 1.1.1 has an `order_id` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. The feature is available to low-privilege users such as contributors.

411 | CVE-2021-24401 | CWE-89 | SQL injection | 2021-09-20 | 2021-09-29 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The Edit domain functionality in the WP Domain Redirect WordPress plugin through 1.0 has an `editid` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

412 | CVE-2021-24400 | CWE-89 | SQL injection | 2021-09-20 | 2021-10-18 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The Edit Role functionality in the Display Users WordPress plugin through 2.0.0 has an `id` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

413 | CVE-2021-24399 | CWE-89 | SQL injection | 2021-09-20 | 2021-09-28 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The check_order function of The Sorter WordPress plugin through 1.0 uses an `area_id` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

414 | CVE-2021-24398 | CWE-89 | SQL injection | 2021-09-20 | 2021-09-29 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The Add new scene functionality in the Responsive 3D Slider WordPress plugin through 1.2 uses an id parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. This is a time-based SQLi; the vulnerable parameter is used twice in the same function, so a payload that sleeps for 5 seconds takes about 10 seconds to return because the query runs twice.

415 | CVE-2021-24397 | CWE-89 | SQL injection | 2021-09-20 | 2021-09-29 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The edit functionality in the MicroCopy WordPress plugin through 1.1.0 makes a GET request to fetch the related option. The id parameter used is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

416 | CVE-2021-24396 | CWE-89 | SQL injection | 2021-09-20 | 2021-09-28 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
A pageid GET parameter of the GSEOR – WordPress SEO Plugin WordPress plugin through 1.3 is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

417 | CVE-2021-24395 | CWE-89 | SQL injection | 2021-09-06 | 2021-09-09 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The editid GET parameter of the Embed Youtube Video WordPress plugin through 1.0 is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

418 | CVE-2021-24394 | CWE-89 | SQL injection | 2021-09-06 | 2021-09-09 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
An id GET parameter of the Easy Testimonial Manager WordPress plugin through 1.2.0 is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

419 | CVE-2021-24393 | CWE-89 | SQL injection | 2021-09-06 | 2021-09-09 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
A c GET parameter of the Comment Highlighter WordPress plugin through 0.13 is not properly sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

420 | CVE-2021-24392 | CWE-89 | SQL injection | 2021-09-06 | 2021-09-09 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
An id GET parameter of the WordPress Membership SwiftCloud.io WordPress plugin through 1.0 is not properly sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

421 | CVE-2021-24391 | CWE-89 | SQL injection | 2021-09-06 | 2021-09-09 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
An editid GET parameter of the Cashtomer WordPress plugin through 1.0.0 is not properly sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

422 | CVE-2021-24390 | CWE-89 | SQL injection | 2021-09-06 | 2021-09-09 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
A proid GET parameter of the WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件 (Alipay / Tenpay / PayPal integration) WordPress plugin through 3.7.2 is not sanitised, properly escaped or validated before being inserted into a SQL statement not delimited by quotes, leading to SQL injection.

423 | CVE-2021-24385 | CWE-89 | SQL injection | 2021-07-12 | 2021-07-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
The Filebird Plugin 4.7.3 introduced a SQL injection vulnerability, as it makes SQL queries without escaping user input from an HTTP POST request. The user input is passed directly to the get_col function. The REST API endpoint that invokes this function also has no required permissions or authentication and can be reached by an anonymous user.

424 | CVE-2021-24361 | CWE-89 | SQL injection | 2021-06-21 | 2021-06-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
In the Location Manager WordPress plugin before 2.1.0.10, the AJAX action gd_popular_location_list did not properly sanitise or validate some of its POST parameters, which are then used in a SQL statement, leading to unauthenticated SQL injection.

425 | CVE-2021-24360 | CWE-89 | SQL injection | 2021-06-14 | 2021-06-17 | 4.0 | None | Remote | Low | Single system | Partial | None | None
The Yes/No Chart WordPress plugin before 1.0.12 did not sanitise its sid shortcode parameter before using it in a SQL statement, allowing medium-privilege users (contributor+) to perform blind SQL injection attacks.

426 | CVE-2021-24348 | CWE-89 | SQL injection | 2021-06-14 | 2021-06-21 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The menu delete functionality of the Side Menu – add fixed side buttons WordPress plugin before 3.1.5, available to Administrator users, takes the did GET parameter and uses it in an SQL statement without proper sanitisation, validation or escaping, leading to a SQL injection issue.

427 | CVE-2021-24345 | CWE-89 | SQL injection | 2021-06-14 | 2021-06-21 | 6.0 | None | Remote | Medium | Single system | Partial | Partial | Partial
The page lists-management feature of the Sendit WP Newsletter WordPress plugin through 2.5.1, available to Administrator users, does not sanitise, validate or escape the id_lista POST parameter before using it in a SQL statement, leading to blind SQL injection.

428 | CVE-2021-24341 | CWE-89 | SQL injection | 2021-06-14 | 2021-06-23 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
When deleting a date in the Xllentech English Islamic Calendar WordPress plugin before 2.6.8, the year_number and month_number POST parameters are not sanitised, escaped or validated before being used in a SQL statement, leading to SQL injection.

429 | CVE-2021-24340 | CWE-89 | SQL injection | 2021-06-07 | 2021-06-14 | 5.0 | None | Remote | Low | Not required | Partial | None | None
The WP Statistics WordPress plugin before 13.0.8 relied on the WordPress esc_sql() function for a field not delimited by quotes and did not prepare the query first; esc_sql() only escapes quote characters, so it gives no protection in an unquoted (numeric) context. Additionally, the page, which should have been accessible to administrators only, was also available to any visitor, including unauthenticated ones.
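
CVE-2021-24404 and CVE-2021-24398 above describe an integer id interpolated into two queries (hence the doubled SLEEP delay), and CVE-2021-24340 describes esc_sql() applied to a value that is not wrapped in quotes. These fail the same way: esc_sql() only escapes quotes, backslashes and a few control characters, so in a numeric context a payload such as 1 AND SLEEP(5) or 1 OR 1=1 is passed through unchanged. The PHP below is an added example, not code from WP Statistics, WP-Board, Responsive 3D Slider or any other plugin on this page; the table, function and hook names are hypothetical.

```php
<?php
// Added example (not code from WP Statistics, WP-Board, Responsive 3D Slider
// or any other plugin on this page). Table, function and hook names are
// hypothetical.

// VULNERABLE: integer parameter interpolated without quotes. esc_sql()
// only escapes quotes, backslashes and a few control characters, so
// postid=1 AND SLEEP(5) passes through unchanged.
function vulnerable_get_post( $postid ) {
    global $wpdb;
    $table  = $wpdb->prefix . 'example_board';
    $postid = esc_sql( $postid ); // no effect on "1 AND SLEEP(5)"
    // The value is used in two statements, so a SLEEP(5) payload costs
    // about 10 seconds: the timing signature noted for CVE-2021-24404
    // and CVE-2021-24398.
    $row   = $wpdb->get_row( "SELECT * FROM {$table} WHERE id = {$postid}" );
    $count = $wpdb->get_var( "SELECT COUNT(*) FROM {$table} WHERE parent = {$postid}" );
    return array( $row, $count );
}

// HARDENED: type the value at the boundary, then still bind it.
function safe_get_post( $postid ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_board';

    // absint() = abs( intval() ): "1 AND SLEEP(5)" becomes 1,
    // "abc" becomes 0, which we treat as "no such post".
    $postid = absint( $postid );
    if ( 0 === $postid ) {
        return null;
    }

    // %d is cast to int by prepare(), so the statement stays correct even
    // if the absint() above is ever refactored away.
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $postid )
    );
    $count = $wpdb->get_var(
        $wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE parent = %d", $postid )
    );
    return array( $row, (int) $count );
}

// Authorization belongs on the entry point as well: the CVE-2021-24340 page
// was meant for administrators but reachable by anonymous visitors.
add_action( 'admin_post_example_board_view', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_board_view' );
    $postid = isset( $_GET['postid'] ) ? $_GET['postid'] : 0;
    wp_send_json( safe_get_post( $postid ) );
} );
```

The cast and the placeholder are deliberately both present: absint() rejects garbage early and gives a clean "not found" path, while %d guarantees the SQL is well-formed regardless of what reaches prepare(). Using admin_post_ (rather than a page that any visitor can load) plus a capability check and a nonce addresses the second half of the WP Statistics entry, the missing access control.
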

430 | CVE-2021-24337 | CWE-89 | SQL injection | 2021-06-07 | 2021-07-15 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The id GET parameter of one of the Video Embed WordPress plugin through 1.0's pages (available via forced browsing) is not sanitised, validated or escaped before being used in a SQL statement, allowing low-privilege users, such as subscribers, to perform SQL injection.

431 | CVE-2021-24336 | CWE-89 | SQL injection | 2021-06-07 | 2021-06-14 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The FlightLog WordPress plugin through 3.0.2 does not sanitise, validate or escape various POST parameters before using them in a SQL statement, leading to SQL injections exploitable by editor and administrator users.

432 | CVE-2021-24321 | CWE-89 | SQL injection | 2021-06-01 | 2021-08-12 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
The Bello - Directory & Listing WordPress theme before 1.6.0 did not sanitise the bt_bb_listing_field_price_range_to, bt_bb_listing_field_now_open, bt_bb_listing_field_my_lng, listing_list_view and bt_bb_listing_field_my_lat parameters before using them in a SQL statement, leading to SQL injection issues.

433 | CVE-2021-24314 | CWE-89 | SQL injection | 2021-05-17 | 2021-05-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
The Goto WordPress theme before 2.1 did not sanitise, validate or escape the keywords GET parameter from its listing page before using it in a SQL statement, leading to an unauthenticated SQL injection issue.

434 | CVE-2021-24303 | CWE-89 | SQL injection | 2021-09-06 | 2021-09-09 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues.

435 | CVE-2021-24295 | CWE-89 | SQL injection | 2021-05-17 | 2021-05-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None
The Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.153.4 was vulnerable to an unauthenticated time-based blind SQL injection. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via the User-Agent header by manipulating the cookies set by the plugin: sending an initial request to obtain a ct_sfw_pass_key cookie, then manually setting a separate ct_sfw_passed cookie and disallowing it from being reset.

436 | CVE-2021-24285 | CWE-89 | SQL injection | 2021-05-14 | 2021-05-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL injection issue.

437 | CVE-2021-24221 | CWE-89 | SQL injection | 2021-04-12 | 2021-04-20 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the result_id GET parameter on pages with the [qsm_result] shortcode without an id attribute, concatenating it into a SQL statement and leading to SQL injection. The lowest role allowed to use this shortcode in posts or pages is author, so such a user could gain unauthorised access to the DBMS. If the shortcode (without the id attribute) is embedded on a public page or post, unauthenticated users can exploit the injection.

438 | CVE-2021-24200 | CWE-89 | SQL injection | 2021-04-12 | 2021-04-13 | 4.0 | None | Remote | Low | Single system | Partial | None | None
The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low-privilege authenticated user to perform boolean-based blind SQL injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, via the 'length' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.

439 | CVE-2021-24199 | CWE-89 | SQL injection | 2021-04-12 | 2021-04-13 | 4.0 | None | Remote | Low | Single system | Partial | None | None
The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low-privilege authenticated user to perform boolean-based blind SQL injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, via the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.

440 | CVE-2021-24186 | CWE-89 | SQL injection | 2021-04-05 | 2021-04-09 | 4.0 | None | Remote | Low | Single system | Partial | None | None
The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION-based SQL injection that could be exploited by students.

441 | CVE-2021-24185 | CWE-89 | SQL injection | 2021-04-05 | 2021-04-09 | 4.0 | None | Remote | Low | Single system | Partial | None | None
The tutor_place_rating AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time-based SQL injections that could be exploited by students.

442 | CVE-2021-24183 | CWE-89 | SQL injection | 2021-04-05 | 2021-04-09 | 4.0 | None | Remote | Low | Single system | Partial | None | None
The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION-based SQL injection that could be exploited by students.

443 | CVE-2021-24182 | CWE-89 | SQL injection | 2021-04-05 | 2021-04-09 | 4.0 | None | Remote | Low | Single system | Partial | None | None
The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION-based SQL injection that could be exploited by students.

444 | CVE-2021-24181 | CWE-89 | SQL injection | 2021-04-05 | 2021-04-09 | 4.0 | None | Remote | Low | Single system | Partial | None | None
The tutor_mark_answer_as_correct AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time-based SQL injections that could be exploited by students.

445 | CVE-2021-24149 | CWE-89 | SQL injection | 2021-03-18 | 2021-03-23 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as author+, leading to an authenticated SQL injection issue.

446 | CVE-2021-24143 | CWE-89 | SQL injection | 2021-03-18 | 2021-03-22 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The AccessPress Social Icons plugin, versions before 1.8.1, did not sanitise its widget attribute, allowing accounts with post permission, such as author, to perform SQL injections.

447 | CVE-2021-24142 | CWE-89 | SQL injection | 2021-03-18 | 2021-03-22 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The 301 Redirects - Easy Redirect Manager WordPress plugin, versions before 2.51, did not sanitise its "Redirect From" column when importing a CSV file, allowing high-privilege users to perform SQL injections.

448 | CVE-2021-24141 | CWE-89 | SQL injection | 2021-03-18 | 2021-03-22 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
Unvalidated input in the Advanced Database Cleaner plugin, versions before 3.0.2, leads to SQL injection, allowing high-privilege users (admin+) to perform SQL attacks.

449 | CVE-2021-24140 | CWE-89 | SQL injection | 2021-03-18 | 2021-03-22 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
Unvalidated input in the Ajax Load More WordPress plugin, versions before 5.3.2, leads to SQL injection in POST /wp-admin/admin-ajax.php with the parameters repeater=' or sleep(5)#&type=test.
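
CVE-2021-24385 (Filebird) above is a REST endpoint with no permission or authentication requirement, and CVE-2021-24361, CVE-2021-24285 and CVE-2021-24140 are admin-ajax actions reachable without logging in; in each case a string parameter is then concatenated into a query, which is why a payload like repeater=' or sleep(5)# is enough. The PHP below is an added example, not code from any of these plugins: it exposes one prepared query through a REST route with a permission_callback and through a logged-in-only admin-ajax action. The namespace, action, table and capability names are hypothetical.

```php
<?php
// Added example; not the Filebird, Location Manager, Car Seller or Ajax Load
// More code. Route, action, table and capability names are hypothetical.

// Shared data access. The string is bound with %s, so a value such as
// "' or sleep(5)#" reaches MySQL as a quoted literal and matches nothing.
function example_find_folder_ids( $name ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_folders';
    // esc_like() escapes % and _ so the caller cannot widen the LIKE
    // pattern; %s then quotes and escapes the whole value.
    $like  = '%' . $wpdb->esc_like( $name ) . '%';
    return $wpdb->get_col(
        $wpdb->prepare( "SELECT id FROM {$table} WHERE name LIKE %s", $like )
    );
}

// REST: register_rest_route() expects a permission_callback. Leaving it
// out, or returning true from it, is how an endpoint becomes reachable by
// anonymous users, which is what the Filebird entry describes.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/folders', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            // 'name' has already passed the args sanitize_callback below.
            return rest_ensure_response( example_find_folder_ids( $request['name'] ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
        'args'                => array(
            'name' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// admin-ajax: register only the wp_ajax_ (logged-in) hook. Adding a
// wp_ajax_nopriv_ hook for the same action is what exposes the query to
// unauthenticated callers, as in the Location Manager and Car Seller
// entries. The nonce covers CSRF; the capability check covers authz.
add_action( 'wp_ajax_example_find_folders', function () {
    check_ajax_referer( 'example_find_folders' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $name = isset( $_POST['name'] )
        ? sanitize_text_field( wp_unslash( $_POST['name'] ) )
        : '';
    wp_send_json_success( example_find_folder_ids( $name ) );
} );
```

Two separate controls are at work and each CVE above lacked at least one: the entry point decides who may call it (permission_callback, or the wp_ajax_ versus wp_ajax_nopriv_ choice plus a capability check), and the data layer binds every value. Fixing only the query still leaves an anonymous enumeration endpoint; fixing only the access check still leaves an authenticated SQL injection for any user who holds the capability.
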

450 | CVE-2021-24139 | CWE-89 | SQL injection | 2021-03-18 | 2021-03-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter.

Total number of vulnerabilities: 627 (this is page 9 of 13).
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of the user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.