CWE-89

Restaurant POS System v1.0 was discovered to contain a SQL injection vulnerability via update_customer.php.

The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection

WoWonder Social Network Platform 4.1.4 was discovered to contain a SQL injection vulnerability via the offset parameter at requests.php?f=search&s=recipients.

Food Ordering Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /foms/all-orders.php?status=Cancelled%20by%20Customer.

Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the ‘id’ parameter in the ‘appCore/index.php?r=adm/mediagallery/delete’ function in order to dump the entire database or delete all contents from the ‘core_user_file’ table.

Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the ‘dyn_filter’ parameter in the ‘appLms/ajax.adm_server.php?r=widget/userselector/getusertabledata’ function in order to dump the entire database.