CWE-89

High likelihood

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,396 vulnerabilities with CWE-89
CVE-2026-8443 HIGH
WP Review Slider Pro <= 12.6.8 - Authenticated (Subscriber+) SQL Injection via 'stypes' Parameter
CVSS 8.8
CVE-2026-52700 HIGH
WordPress WCMultiShipping plugin <= 3.0.2 - SQL Injection vulnerability
CVSS 8.5
CVE-2026-52697 HIGH
WordPress Taskbuilder plugin <= 5.0.7 - SQL Injection vulnerability
CVSS 8.5
CVE-2026-52693 CRITICAL
WordPress eCommerce Product Catalog plugin <= 3.5.5 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-49776 CRITICAL
WordPress GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin <= 2.32.6 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-49067 CRITICAL
WordPress Advanced 301 and 302 Redirect plugin <= 1.6.9 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-48964 HIGH
WordPress ELEX WordPress HelpDesk & Customer Ticketing System plugin <= 3.3.6 - SQL Injection vulnerability
CVSS 8.5
CVE-2026-48886 CRITICAL
WordPress JS Help Desk plugin <= 3.0.9 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-48882 HIGH
WordPress WP Time Slots Booking Form plugin <= 1.2.50 - SQL Injection vulnerability
CVSS 8.5
CVE-2026-48874 HIGH
WordPress GamiPress plugin <= 7.8.7 - SQL Injection vulnerability
CVSS 8.5
CVE-2026-45439 CRITICAL
WordPress Realtyna Organic IDX plugin plugin <= 5.1.0 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-42665 CRITICAL
WordPress WP Data Access plugin <= 5.5.70 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-42639 CRITICAL
WordPress GD Rating System plugin <= 3.6.2 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-42386 CRITICAL
WordPress Order Delivery Date for WooCommerce plugin <= 4.5.1 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-42381 CRITICAL
WordPress Funnel Builder by FunnelKit plugin <= 3.15.0.1 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-40798 CRITICAL
WordPress wpForo Forum plugin <= 3.0.4 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-40771 CRITICAL
WordPress Contest Gallery plugin <= 28.1.6 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-40766 HIGH
WordPress MasterStudy LMS plugin <= 3.7.25 - SQL Injection vulnerability
CVSS 8.5
CVE-2026-40762 HIGH
WordPress WPGraphQL plugin < 2.11.1 - SQL Injection vulnerability
CVSS 7.5
CVE-2026-39530 CRITICAL
WordPress SpeakOut! Email Petitions plugin <= 4.6.5 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-39519 CRITICAL
WordPress GeekyBot plugin <= 1.2.0 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-39512 CRITICAL
WordPress GeoDirectory plugin <= 2.8.152 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-39511 CRITICAL
WordPress WP Photo Album Plus plugin <= 9.1.08.001 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-39502 CRITICAL
WordPress Form Maker by 10Web plugin <= 1.15.38 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-39493 CRITICAL
WordPress Simply Schedule Appointments plugin <= 1.6.9.27 - SQL Injection vulnerability
CVSS 9.3
Details
Vulnerabilities: 19,396
Exploit Likelihood: High