CWE-89

The Stream WordPress plugin before 3.8.2 does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue.

The Check & Log Email WordPress plugin before 1.0.3 does not validate and escape the “order” and “orderby” GET parameters before using them in a SQL statement when viewing logs, leading to SQL injections issues

The view submission functionality in the Hotscot Contact Form WordPress plugin before 1.3 makes a get request with the sub_id parameter which not sanitised, escaped or validated before inserting to a SQL statement, leading to an SQL injection.

The test parameter of the xmlfeed in the Tradetracker-Store WordPress plugin before 4.6.60 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection.

The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the “orderby” GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue

The WP Simple Booking Calendar WordPress plugin before 2.0.6 did not escape, validate or sanitise the orderby parameter in its Search Calendars action, before using it in a SQL statement, leading to an authenticated SQL injection issue