MITRE ATT&CK CVE list for this attack path. Use risk scores and timeline to decide what to patch first and what to track next.
| CVE | 説明 | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|
| CVE-2026-52715 | Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions. | 9.3 | 0.40% | 2026-06-16 | 2026-06-16 |
| CVE-2026-52712 | Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions. | 7.6 | 0.31% | 2026-06-16 | 2026-06-16 |
| CVE-2026-49772 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection. This issue affects The Events Calendar: from 6.15.12 through 6.16.2. | 9.3 | 0.40% | 2026-06-16 | 2026-06-16 |
| CVE-2026-39581 | Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions. | 8.5 | 0.36% | 2026-06-16 | 2026-06-16 |
| CVE-2026-39574 | Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions. | 9.3 | 0.40% | 2026-06-16 | 2026-06-16 |
| CVE-2026-8444 | The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to, and including, 12.6.8. This is due to the handler reading $_POST['curselrevs'] raw with no sanitization or type casting, then concatenating each array element directly into a `WHERE id IN ( ... )` clause without quoting and executing via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attacker | 8.8 | 0.25% | 2026-06-16 | 2026-06-16 |
| CVE-2026-8443 | The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action in versions up to, and including, 12.6.8. This is due to the use of stripslashes() on user-supplied JSON strings prior to json_decode(), which removes the escaping applied by WordPress's wp_magic_quotes; the resulting decoded array values are then concatenated directly into SQL WHERE clauses without parameterization, and the con | 8.8 | 0.25% | 2026-06-16 | 2026-06-16 |
| CVE-2026-52700 | Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions. | 8.5 | 0.35% | 2026-06-15 | 2026-06-15 |
| CVE-2026-52697 | Subscriber SQL Injection in Taskbuilder <= 5.0.7 versions. | 8.5 | 0.35% | 2026-06-15 | 2026-06-15 |
| CVE-2026-52693 | Unauthenticated SQL Injection in eCommerce Product Catalog <= 3.5.5 versions. | 9.3 | 0.30% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49776 | Unauthenticated SQL Injection in GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6 versions. | 9.3 | 0.29% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49067 | Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions. | 9.3 | 0.30% | 2026-06-15 | 2026-06-15 |
| CVE-2026-48964 | Subscriber SQL Injection in ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.6 versions. | 8.5 | 0.33% | 2026-06-15 | 2026-06-15 |
| CVE-2026-48886 | Unauthenticated SQL Injection in JS Help Desk <= 3.0.9 versions. | 9.3 | 0.28% | 2026-06-15 | 2026-06-15 |
| CVE-2026-48882 | Subscriber SQL Injection in WP Time Slots Booking Form <= 1.2.50 versions. | 8.5 | 0.33% | 2026-06-15 | 2026-06-15 |
| CVE-2026-48874 | Subscriber SQL Injection in GamiPress <= 7.8.7 versions. | 8.5 | 0.33% | 2026-06-15 | 2026-06-15 |
| CVE-2026-45439 | Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions. | 9.3 | 0.29% | 2026-06-15 | 2026-06-15 |
| CVE-2026-42665 | Unauthenticated SQL Injection in WP Data Access <= 5.5.70 versions. | 9.3 | 0.28% | 2026-06-15 | 2026-06-15 |
| CVE-2026-42639 | Unauthenticated SQL Injection in GD Rating System <= 3.6.2 versions. | 9.3 | 0.28% | 2026-06-15 | 2026-06-15 |
| CVE-2026-42386 | Unauthenticated SQL Injection in Order Delivery Date for WooCommerce <= 4.5.1 versions. | 9.3 | 0.28% | 2026-06-15 | 2026-06-15 |