Vulnerabilities and security researches forelisqlreports elisqlreports

Jun 07, 2024

CVE, Research URL: 01aaecbc-6aae-4a33-ac00-1b14b34f4c71
Home page URL: Security reports for EZ SQL Reports Shortcode Widget and DB Backup
Application: EZ SQL Reports Shortcode Widget and DB Backup
Date: -
Research Description: EZ SQL Reports Shortcode Widget and DB Backup [elisqlreports] < 4.11.37 EZ SQL Reports <= 4.11.33 - Authenticated Arbitrary Code Execution There are several calls to "passtthru" in the code, one of them is receiving the username, password, database name and host from the $_POST arguments, so you can inject in every of this parameter the ";" character or others like "&&" or "||" to execute other distinct commands to "/usr/bin/mysql".
Affected versions: Min -, max -.
Status: vulnerable

Feb 25, 2025

CVE, Research URL: CVE-2025-26887
Home page URL: Security reports for EZ SQL Reports Shortcode Widget and DB Backup
Application: EZ SQL Reports Shortcode Widget and DB Backup
Date: Feb 25, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup allows Stored XSS. This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through 5.21.35.
Affected versions: Min -, max -.
Status: vulnerable

Mar 26, 2025

CVE, Research URL: CVE-2025-2319
Home page URL: Security reports for EZ SQL Reports Shortcode Widget and DB Backup
Application: EZ SQL Reports Shortcode Widget and DB Backup
Date: Mar 25, 2025
Research Description: The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.11.13 to 5.25.08. This is due to missing or incorrect nonce validation on the 'ELISQLREPORTS_menu' function. This makes it possible for unauthenticated attackers to execute code on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Version 5.25.10 adds a nonce check, which makes this vulnerability exploitable by admins only.
Affected versions: Min -, max -.
Status: vulnerable

Apr 02, 2025

CVE, Research URL: CVE-2025-30788
Home page URL: Security reports for EZ SQL Reports Shortcode Widget and DB Backup
Application: EZ SQL Reports Shortcode Widget and DB Backup
Date: Mar 27, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup allows SQL Injection. This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through 5.25.08.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2025-30787
Home page URL: Security reports for EZ SQL Reports Shortcode Widget and DB Backup
Application: EZ SQL Reports Shortcode Widget and DB Backup
Date: Mar 27, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup allows Stored XSS. This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through 5.25.08.
Affected versions: Min -, max -.
Status: vulnerable

Jul 01, 2025

CVE, Research URL: CVE-2025-6462
Home page URL: Security reports for EZ SQL Reports Shortcode Widget and DB Backup
Application: EZ SQL Reports Shortcode Widget and DB Backup
Date: Jun 29, 2025
Research Description: The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's SQLREPORT shortcode in all versions up to, and including, 5.25.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable