Critical
CVE-2024-35305
Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header. This issue affects Pandora FMS: from 700 through <777.
Tag: Time-based SQL Injection
All CVEs associated with "Time-based SQL Injection". Page 2/2 • 173 CVEs.
Subscribe CVEs: RSS for “Time-based SQL Injection” · RSS (High+Critical only)
About “Time-based SQL Injection”
A curated feed of “Time-based SQL Injection”-related CVEs appears below. We currently track 173 CVEs for this tag (all time). In the last 365 days, 66 were published. Average CVSS is 7.5 (all time; 7.0 over 365d), and 71% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').
In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2024-06-10
2024-06-07
High
CVE-2024-4902
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘course_id’ parameter in all versions up to, and including, 2.7.1 due to in…
2024-05-30
High
CVE-2024-5207
The POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications plugin for WordPress is vulnerable to time-based SQL Injection via the selected parameter i…
2024-05-22
Critical
CVE-2024-4443
The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘listingfields’ parameter in all versions up to, and incl…
2024-05-16
High
CVE-2024-4318
The Tutor LMS plugin for WordPress is vulnerable to time-based SQL Injection via the ‘question_id’ parameter in versions up to, and including, 2.7.0 due to insufficient escaping on the user supplied…
2024-05-14
Critical
CVE-2024-4434
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the ‘term_id’ parameter in versions up to, and including, 4.2.6.5 due to insufficient escaping…
High
CVE-2024-3055
The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.5.…
2024-05-02
High
CVE-2024-1173
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter in all versions up…
2024-04-09
High
CVE-2024-1893
The Easy Property Listings plugin for WordPress is vulnerable to time-based SQL Injection via the ‘property_status’ shortcode attribute in all versions up to, and including, 3.5.2 due to insufficient…
High
CVE-2024-0952
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter in all versions up…
2024-03-29
Medium
CVE-2024-0956
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter via the erp/v1/acc…
High
CVE-2024-0913
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to time-based SQL Injection via the erp/v1/accounting/v1/transactio…
2024-03-13
High
CVE-2024-1751
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the question_id parameter in all versions up to, and including, 2.6.1 due to in…
2024-02-28
High
CVE-2024-0786
The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ee_syncProductCategory funct…
2024-01-16
Critical
CVE-2024-22406
Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. T…
2024-01-11
Critical
CVE-2023-6567
The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_by’ parameter in all versions up to, and including, 4.2.5.7 due to insufficient escaping on the user suppl…
2024-01-10
Medium
CVE-2020-26630
A Time-Based SQL Injection vulnerability was discovered in Hospital Management System V4.0 which can allow an attacker to dump database information via a special payload in the 'Doctor Specialization…
Medium
CVE-2020-26627
A Time-Based SQL Injection vulnerability was discovered in Hospital Management System V4.0 which can allow an attacker to dump database information via a crafted payload entered into the 'Admin Remar…
2023-12-26
High
CVE-2023-5203
The WP Sessions Time Monitoring Full Automatic WordPress plugin before 1.0.9 does not sanitize the request URL or query parameters before using them in an SQL query, allowing unauthenticated attacker…
2023-11-22
High
CVE-2023-2841
The Advanced Local Pickup for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter in versions up to, and including, 1.5.5 due to insufficient escaping on t…
2023-07-12
High
CVE-2023-3023
The WP EasyCart plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in versions up to, and including, 5.4.10 due to insufficient escaping on the user supplied p…
2023-06-23
High
CVE-2023-36284
An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameter date_from, date_to, and id_product allows a remote attacker to bypass a web application's authentication an…
2023-06-09
High
CVE-2023-2607
The Multiple Page Generator Plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to insufficient escaping o…
Low
CVE-2023-2599
The Active Directory Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and inclu…
High
CVE-2023-2484
The Active Directory Integration plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to insufficient escapi…
2023-05-17
Low
CVE-2023-2608
The Multiple Page Generator Plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including,…
2023-02-17
High
CVE-2023-0895
The WP Coder – add custom html, css and js code plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in versions up to, and including, 2.5.3 due to insufficient escap…
2022-09-29
High
CVE-2021-45788
Time-based SQL Injection vulnerabilities were found in Metersphere v1.15.4 via the "orders" parameter.
2022-09-26
Critical
CVE-2022-30004
Sourcecodester Online Market Place Site v1.0 suffers from an unauthenticated blind SQL Injection Vulnerability allowing remote attackers to dump the SQL database via time-based SQL injection..
2022-09-16
Critical
CVE-2022-26959
There are two full (read/write) Blind/Time-based SQL injection vulnerabilities in the Northstar Club Management version 6.3 application. The vulnerabilities exist in the userName parameter of the pro…
2022-08-02
Critical
CVE-2022-34956
Pligg CMS v2.0.2 was discovered to contain a time-based SQL injection vulnerability via the page_size parameter at load_data_for_groups.php.
Critical
CVE-2022-34955
Pligg CMS v2.0.2 was discovered to contain a time-based SQL injection vulnerability via the page_size parameter at load_data_for_topusers.php.
2022-03-10
Medium
CVE-2021-43969
The login.jsp page of Quicklert for Digium 10.0.0 (1043) is affected by both Blind SQL Injection with Out-of-Band Interaction (DNS) and Blind Time-Based SQL Injections. Exploitation can be used to di…
2022-02-18
Critical
CVE-2021-46110
Online Shopping Portal v3.1 was discovered to contain multiple time-based SQL injection vulnerabilities via the email and contactno parameters.
2022-01-28
Critical
CVE-2021-44249
Online Motorcycle (Bike) Rental System 1.0 is vulnerable to a Blind Time-Based SQL Injection attack within the login portal. This can lead attackers to remotely dump MySQL database credentials.
2021-11-08
High
CVE-2021-28022
Blind SQL injection in the login form in ServiceTonic Helpdesk software < 9.0.35937 allows attacker to exfiltrate information via specially crafted HQL-compatible time-based SQL queries.
2021-10-27
Medium
CVE-2021-37806
An SQL Injection vulnerability exists in https://phpgurukul.com Vehicle Parking Management System affected version 1.0. The system is vulnerable to time-based SQL injection on multiple endpoints. Bas…
2021-09-15
Critical
CVE-2020-21121
Pligg CMS 2.0.2 contains a time-based SQL injection vulnerability via the $recordIDValue parameter in the admin_update_module_widgets.php file.
2021-07-30
High
CVE-2021-36621
Sourcecodester Online Covid Vaccination Scheduler System 1.0 is vulnerable to SQL Injection. The username parameter is vulnerable to time-based SQL injection. Upon successful dumping the admin passwo…
2021-04-23
High
CVE-2021-25899
An issue was discovered in svc-login.php in Void Aural Rec Monitor 9.0.0.1. An unauthenticated attacker can send a crafted HTTP request to perform a blind time-based SQL Injection. The vulnerable par…
2021-04-05
Medium
CVE-2021-24185
The tutor_place_rating AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploite…
Medium
CVE-2021-24181
The tutor_mark_answer_as_correct AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could b…
2020-12-21
High
CVE-2020-35151
The Online Marriage Registration System 1.0 post parameter "searchdata" in the user/search.php request is vulnerable to Time Based Sql Injection.
2020-12-17
Critical
CVE-2020-35545
Time-based SQL injection exists in Spotweb 1.4.9 via the query string.
2020-10-16
Critical
CVE-2020-26944
An issue was discovered in Aptean Product Configurator 4.61.0000 on Windows. A Time based SQL injection affects the nameTxt parameter on the main login page (aka cse?cmd=LOGIN). This can be exploited…
2020-07-09
High
CVE-2020-13993
An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. A blind time-based SQL injection issue allows remote unauthenticated attackers to retrieve information from the database via a ticket.
2020-03-24
High
CVE-2019-20613
An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software. There is time-based SQL injection in Contacts. The Samsung ID is SVE-2018-13452 (March 2019).
2020-02-11
High
CVE-2020-8596
participants-database.php in the Participants Database plugin 1.9.5.5 and previous versions for WordPress has a time-based SQL injection vulnerability via the ascdesc, list_filter_count, or sortBy pa…
2019-08-17
High
CVE-2019-14937
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a…
2019-03-26
High
CVE-2019-9053
An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.
2019-02-07
Critical
CVE-2019-7585
An issue was discovered in Waimai Super Cms 20150505. web/Lib/Action/PublicAction.class.php allows time-based SQL Injection via the param array parameter to the /index.php?m=public&a=checkemail URI.
2018-03-28
High
CVE-2018-8820
An issue was discovered in Square 9 GlobalForms 6.2.x. A Time Based SQL injection vulnerability in the "match" parameter allows remote authenticated attackers to execute arbitrary SQL commands. It is…
2017-11-07
Critical
CVE-2017-16561
/view/friend_profile.php in Ingenious School Management System 2.3.0 is vulnerable to Boolean-based and Time-based SQL injection in the 'friend_index' parameter of a GET request.