Search Results (19570 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-4236 1 Itsourcecode 1 Online Student Enrollment System 2026-04-22 7.3 High
A security vulnerability has been detected in itsourcecode Online Enrollment System 1.0. Impacted is an unknown function of the file /enrollment/index.php?view=add. Such manipulation of the argument txtsearch/deptname/name leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
CVE-2026-4241 1 Itsourcecode 1 College Management System 2026-04-22 6.3 Medium
A vulnerability was identified in itsourcecode College Management System 1.0. The impacted element is an unknown function of the file /admin/time-table.php. Such manipulation of the argument course_code leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used.
CVE-2026-4508 1 Pbootcms 1 Pbootcms 2026-04-22 7.3 High
A vulnerability was identified in PbootCMS up to 3.2.12. The impacted element is the function checkUsername of the file apps/home/controller/MemberController.php of the component Member Login. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
CVE-2026-4507 1 Mindinventory 1 Mindsql 2026-04-22 6.3 Medium
A vulnerability was determined in Mindinventory MindSQL up to 0.2.1. The affected element is the function ask_db of the file mindsql/core/mindsql_core.py. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-2579 2 Wordpress, Wpxpo 2 Wordpress, Wowstore – Store Builder & Product Blocks For Woocommerce 2026-04-22 7.5 High
The WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 4.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2026-4504 1 Eosphoros-ai 1 Db-gpt 2026-04-22 7.3 High
A flaw has been found in eosphoros-ai db-gpt up to 0.7.5. This vulnerability affects unknown code of the file /api/v1/editor/ of the component Incomplete Fix. This manipulation causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-2468 2 Quentn, Wordpress 2 Quentn Wp, Wordpress 2026-04-22 7.5 High
The Quentn WP plugin for WordPress is vulnerable to SQL Injection via the 'qntn_wp_access' cookie in all versions up to, and including, 1.2.12. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the `get_user_access()` method. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2026-2279 2 Silvercover, Wordpress 2 Mylinksdump Plugin, Wordpress 2026-04-22 7.2 High
The myLinksDump plugin for WordPress is vulnerable to SQL Injection via the 'sort_by' and 'sort_order' parameters in all versions up to, and including, 1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2026-3956 1 Xierongwkhd 1 Weimai-wetapp 2026-04-22 4.7 Medium
A vulnerability was detected in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This affects the function getAdmins of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/admin/Admin_AdminUserController.java. Performing a manipulation of the argument keyword results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2026-31922 2 Ays-pro, Wordpress 2 Fox Lms, Wordpress 2026-04-22 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Fox LMS fox-lms allows Blind SQL Injection.This issue affects Fox LMS: from n/a through <= 1.0.6.3.
CVE-2026-32366 2 Robfelty, Wordpress 2 Collapsing Categories, Wordpress 2026-04-22 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Categories collapsing-categories allows Blind SQL Injection.This issue affects Collapsing Categories: from n/a through <= 3.0.9.
CVE-2026-32358 2 Wordpress, Wpdevelop 2 Wordpress, Booking Calendar 2026-04-22 7.6 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdevelop Booking Calendar booking allows Blind SQL Injection.This issue affects Booking Calendar: from n/a through <= 10.14.15.
CVE-2026-32365 2 Robfelty, Wordpress 2 Collapsing Archives, Wordpress 2026-04-22 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Archives collapsing-archives allows Blind SQL Injection.This issue affects Collapsing Archives: from n/a through <= 3.0.7.
CVE-2026-32418 2 Jordy Meow, Wordpress 2 Meow Gallery, Wordpress 2026-04-22 7.6 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jordy Meow Meow Gallery meow-gallery allows Blind SQL Injection.This issue affects Meow Gallery: from n/a through <= 5.4.4.
CVE-2026-32368 2 Delphiknight, Wordpress 2 Geo To Lat, Wordpress 2026-04-22 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in delphiknight Geo to Lat geo-to-lat allows Blind SQL Injection.This issue affects Geo to Lat: from n/a through <= 1.0.19.
CVE-2026-3657 2 Premio, Wordpress 2 My Sticky Bar – Floating Notification Bar & Sticky Header (formerly Mystickymenu), Wordpress 2026-04-22 7.5 High
The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `stickymenu_contact_lead_form` AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in `$wpdb->insert()`. While parameter values are sanitized with `esc_sql()` and `sanitize_text_field()`, the parameter keys are used as-is to build the column list in the INSERT statement. This makes it possible for unauthenticated attackers to inject SQL via crafted parameter names, enabling blind time-based data extraction from the database.
CVE-2026-31917 2 Wedevs, Wordpress 2 Wp Erp, Wordpress 2026-04-22 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP ERP erp allows SQL Injection.This issue affects WP ERP: from n/a through <= 1.16.10.
CVE-2026-32422 2 Levelfourdevelopment, Wordpress 2 Wp-easycart, Wordpress 2026-04-22 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Blind SQL Injection.This issue affects WP EasyCart: from n/a through <= 5.8.13.
CVE-2026-32433 2 Codepeople, Wordpress 2 Cp Contact Form With Paypal, Wordpress 2026-04-22 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in codepeople CP Contact Form with Paypal cp-contact-form-with-paypal allows Blind SQL Injection.This issue affects CP Contact Form with Paypal: from n/a through <= 1.3.61.
CVE-2026-3957 1 Xierongwkhd 1 Weimai-wetapp 2026-04-22 4.7 Medium
A flaw has been found in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This vulnerability affects the function getLikeMovieList of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/HomeController.java of the component Endpoint. Executing a manipulation of the argument cat can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.