PHP

8846 CVEs

CVE-2026-31845 CRITICAL Act Now

Reflected cross-site scripting (XSS) in Rukovoditel CRM 3.6.4's Zadarma telephony API endpoint allows remote attackers to execute arbitrary JavaScript in victim browsers without authentication. The vulnerability stems from direct reflection of the 'zd_echo' GET parameter without sanitization. With CVSS 9.3 (Critical), changed scope (S:C), and no authentication required (PR:N), this enables session hijacking and account takeover via malicious links. No public exploit identified at time of analysis, though proof-of-concept is trivial given the code-level disclosure. EPSS data not available.

XSS PHP
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-23900 This Week

Various stored XSS vulnerabilities have been discovered in the map and icon rendering logic of the Phoca Maps component, versions 5.0.0 through 6.0.2.

PHP XSS WordPress Phoca Cz Phoca Maps For Joomla
NVD VulDB
EPSS
0.0%
CVE-2026-5809 HIGH This Week

Arbitrary file deletion in wpForo Forum plugin for WordPress (≤3.0.2) allows authenticated attackers with subscriber-level access to delete critical server files including wp-config.php. A two-step logic flaw permits injection of attacker-controlled file paths via poisoned postmeta arrays (data[body][fileurl]), which are later passed unvalidated to wp_delete_file(). The vulnerability requires low-privilege authentication (PR:L) and enables denial-of-service against WordPress installations through deletion of configuration or core files. No public exploit identified at time of analysis.

WordPress PHP Information Disclosure Wpforo Forum
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-4979 MEDIUM This Month

Blind Server-Side Request Forgery in UsersWP WordPress plugin versions up to 1.2.58 allows authenticated subscribers and above to force the WordPress server to make arbitrary HTTP requests via the uwp_crop parameter in avatar/banner image crop operations. The vulnerability stems from insufficient URL origin validation in the process_image_crop() method, which accepts user-controlled URLs and passes them to PHP image processing functions that support URL wrappers, enabling internal network reconnaissance and potential access to sensitive services. No public exploit code or active exploitation has been confirmed, though the vulnerability requires only authenticated access and low attack complexity.

PHP SSRF WordPress
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-5217 HIGH This Week

Unauthenticated stored XSS in Optimole WordPress plugin (≤4.2.2) allows attackers to inject malicious scripts via the srcset descriptor parameter in the /wp-json/optimole/v1/optimizations REST endpoint. Despite HMAC signature validation, authentication tokens are exposed in frontend HTML, enabling exploitation. Injected payloads persist in WordPress options table via transients and execute when victim browsers render affected pages. No public exploit identified at time of analysis.

XSS PHP WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-40194 LOW PATCH GHSA Monitor

phpseclib's SSH2 packet authentication uses PHP's non-constant-time != operator to compare HMACs, enabling timing-based information disclosure attacks on SSH sessions. The vulnerability affects phpseclib versions prior to 1.0.28, 2.0.53, and 3.0.51. An unauthenticated remote attacker can exploit variable-time comparison behavior to infer valid HMAC values through precise timing measurements, potentially compromising the confidentiality of SSH communications. No public exploit code or active exploitation has been confirmed, but this is a cryptographic timing vulnerability with proven scalability via benchmarking.

PHP Information Disclosure Phpseclib
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-33704 HIGH This Week

Remote code execution in Chamilo LMS versions prior to 1.11.38 allows authenticated users (including low-privilege students) to upload and execute arbitrary PHP code through the BigUpload endpoint. Attackers exploit insufficient file extension filtering by uploading .pht files containing malicious code, which Apache servers with default .pht handlers execute as PHP. The vulnerability enables authenticated attackers to achieve full server compromise through unrestricted arbitrary file write capabilities. No public exploit identified at time of analysis.

Apache PHP File Upload RCE
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-32931 HIGH This Week

Remote code execution in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows authenticated teachers to upload PHP webshells through the exercise sound upload function by spoofing Content-Type headers to audio/mpeg. Uploaded malicious files retain their .php extensions and execute in web-accessible directories with web server privileges (www-data). Attack requires low-privilege teacher account but no user interaction. No public exploit identified at time of analysis.

RCE PHP File Upload
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-32892 CRITICAL Act Now

OS command injection in Chamilo LMS 1.x (prior to 1.11.38) and 2.0.0-RC.x (prior to RC.3) allows authenticated teacher-role users to execute arbitrary system commands via unsanitized file path parameters. The move() function in fileManage.lib.php concatenates user-controlled move_to POST values directly into exec() shell commands without proper escaping. Any authenticated user can exploit this by creating a course (enabled by default), uploading a directory with shell metacharacters via Course Backup Import, then moving a document to trigger command execution as www-data. No public exploit identified at time of analysis.

PHP Command Injection
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-33702 HIGH This Week

Insecure Direct Object Reference in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows authenticated users enrolled in a course to manipulate arbitrary Learning Path progress data for other users. The lp_ajax_save_item.php endpoint accepts a uid parameter without ownership validation, enabling attackers to overwrite scores, completion status, and time tracking for any enrolled user by modifying the request parameter. No public exploit identified at time of analysis. CVSS 7.1 (High) reflects authenticated network-based exploitation with high integrity impact.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-33698 CRITICAL Act Now

Arbitrary file write vulnerability in Chamilo LMS versions before 1.11.38 allows unauthenticated remote attackers to modify existing files or create new files with system-level permissions through a chained attack exploiting the main/install/ directory. Attackers can bypass PHP execution restrictions when the installation directory remains accessible post-deployment, enabling complete system compromise where filesystem permissions permit. This vulnerability affects portals that have not removed the main/install/ directory after initial setup. No public exploit identified at time of analysis.

PHP Information Disclosure Path Traversal Chamilo Lms
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-33618 HIGH This Week

Remote code execution in Chamilo LMS versions prior to 2.0.0-RC.3 allows authenticated attackers with administrative privileges to inject and execute arbitrary PHP code via platform configuration settings. The PlatformConfigurationController::decodeSettingArray() method unsafely uses eval() to parse database-stored settings, executing injected code when any user, including unauthenticated visitors, accesses the /platform-config/list endpoint. Exploitation requires low-privilege authentication (PR:L) but delivers full system compromise with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.

RCE PHP Code Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31940 HIGH This Week

Session fixation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 enables unauthenticated remote attackers to hijack user sessions via main/lp/aicc_hacp.php. User-controlled request parameters directly manipulate PHP session IDs before application bootstrap, allowing attackers to force victims into attacker-controlled sessions. Successful exploitation grants high-severity access to confidential data and platform integrity. No public exploit identified at time of analysis.

PHP Information Disclosure Session Fixation Chamilo Lms
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31939 HIGH This Week

Path traversal in Chamilo LMS main/exercise/savescores.php enables authenticated attackers to delete arbitrary files on the server. Vulnerable versions prior to 1.11.38 fail to sanitize the 'test' parameter from $_REQUEST, allowing directory traversal sequences to escape intended paths and target critical system or application files. Attackers with low-level authenticated access can exploit this remotely without user interaction, resulting in high integrity and availability impact through targeted file deletion.

PHP Path Traversal Chamilo Lms
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2025-58913 HIGH This Week

Local file inclusion in CactusThemes VideoPro WordPress theme through version 2.3.8.1 allows unauthenticated remote attackers to read arbitrary files on the server via improper filename control in PHP include/require statements. Exploitation requires high attack complexity but no user interaction. EPSS score indicates low observed exploitation activity; no public exploit identified at time of analysis.

PHP Information Disclosure Lfi
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-5804 HIGH This Week

Local file inclusion in Case Themes Case Theme User WordPress plugin (versions prior to 1.0.4) enables unauthenticated remote attackers to include arbitrary local files via PHP require/include statements. Successful exploitation requires high attack complexity and user interaction, but grants full compromise of confidentiality, integrity, and availability. Attackers may read sensitive configuration files, execute malicious code if file upload exists, or escalate to remote code execution through log poisoning techniques. No public exploit identified at time of analysis.

PHP Information Disclosure Lfi
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-6038 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 via the BRANCH_ID parameter in /util/RegisterCustomerFunction.php allows unauthenticated remote attackers to manipulate database queries with low complexity, affecting data confidentiality and integrity. Publicly available exploit code exists, increasing real-world exploitation risk despite the moderate CVSS 6.9 score.

SQLi PHP Vehicle Showroom Management System
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-6035 MEDIUM POC This Month

Reflected cross-site scripting (XSS) in code-projects Vehicle Showroom Management System 1.0 allows remote attackers to inject malicious scripts via the BRANCH_ID parameter in /BranchManagement/ServiceAndSalesReport.php. The vulnerability requires user interaction (UI:P) but no authentication, and publicly available exploit code has been disclosed. CVSS 5.3 reflects moderate severity, with the impact limited to the confidentiality of user sessions rather than data modification.

XSS PHP Vehicle Showroom Management System
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-6034 MEDIUM POC This Month

Reflected cross-site scripting (XSS) in code-projects Vehicle Showroom Management System 1.0 allows remote unauthenticated attackers to inject malicious scripts via the BRANCH_ID parameter in /BranchManagement/ProfitAndLossReport.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability. While the CVSS score of 5.3 is moderate, the low integrity impact combined with the user interaction requirement limits practical risk, though XSS vulnerabilities remain routinely exploitable in real-world scenarios.

XSS PHP Vehicle Showroom Management System
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-6033 MEDIUM POC This Month

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fname parameter in /updatedetailsfromstudent.php to execute arbitrary SQL queries, achieving limited confidentiality and integrity impact. The vulnerability has publicly available exploit code and a CVSS score of 5.3, representing a moderate risk requiring authentication to exploit.

SQLi PHP Online Classroom
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-6032 MEDIUM POC This Month

Reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject arbitrary JavaScript via the serviceId parameter in /checkcheckout.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability, and the low CVSS score of 4.3 reflects the need for user click-through and limited scope (integrity impact only), though the attack vector is network-accessible and requires no special privileges or authentication.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-6031 MEDIUM POC This Month

SQL injection in code-projects Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the Category parameter in /add-category-function.php. Attackers can read, modify, or delete database contents without authentication. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack vector with low complexity and no user interaction required. Impacts confidentiality, integrity, and availability at low levels.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-6030 MEDIUM POC This Month

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the toolname parameter in /del1.php, potentially compromising data confidentiality, integrity, and availability. Publicly available exploit code exists, and the vulnerability has been assigned CVSS 6.3 with confirmed exploitability indicators (E:P rating).

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-2305 MEDIUM This Month

Stored cross-site scripting (XSS) in AddFunc Head & Footer Code plugin for WordPress versions up to 2.3 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via custom post meta fields that execute when administrators preview or view posts. The vulnerability exists because the plugin outputs user-supplied code from `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` meta values without sanitization or escaping, and fails to restrict meta key access via WordPress `register_meta()` authentication callbacks despite restricting its own admin interface. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress PHP XSS Addfunc Head Footer Code
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6004 MEDIUM POC This Month

SQL injection in Simple IT Discussion Forum 1.0 by code-projects allows unauthenticated remote attackers to execute arbitrary SQL commands via the cat_id parameter in /delete-category.php, enabling unauthorized data access, modification, or deletion. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack surface with low complexity and no authentication requirement, permitting compromise of confidentiality, integrity, and availability.

SQLi PHP RCE Simple It Discussion Forum
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-4305 MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in Royal WordPress Backup & Restore Plugin up to version 1.0.16 allows unauthenticated attackers to inject arbitrary JavaScript via the 'wpr_pending_template' parameter. An attacker can craft a malicious link and trick a WordPress administrator into clicking it, causing the injected script to execute in the admin's browser with their privileges. This affects all installations running the vulnerable plugin versions, and no active exploitation has been confirmed, though the low attack complexity and lack of authentication requirements make this a practical threat.

WordPress PHP XSS Royal Wordpress Backup Restore Migration Plugin Backup Wordpress Sites Safely
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-4977 MEDIUM This Month

Improper access control in UsersWP plugin for WordPress versions up to 1.2.58 allows authenticated subscribers and above to manipulate restricted user metadata fields via the upload_file_remove() AJAX handler, bypassing field-level permissions intended to restrict modifications to administrator-only fields. The vulnerability stems from insufficient validation of the $htmlvar parameter against allowed fields or admin-use restrictions, enabling attackers to clear or reset sensitive usermeta columns on their own user records.

WordPress PHP Privilege Escalation Userswp Front End Login Form User Registration User Profile Members Directory Plugin For Wp
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1924 MEDIUM This Month

Cross-site request forgery in Aruba HiSpeed Cache WordPress plugin up to version 3.0.4 allows unauthenticated attackers to reset all plugin settings to defaults by tricking site administrators into clicking a malicious link, due to missing nonce verification on the ahsc_ajax_reset_options() function. The CVSS score of 4.3 reflects the low-impact integrity violation requiring user interaction, with no known public exploit code or confirmed active exploitation.

WordPress PHP CSRF Aruba Hispeed Cache
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4351 HIGH This Week

Authenticated arbitrary file overwrite in Perfmatters WordPress plugin ≤2.5.9 allows low-privileged attackers (Subscriber-level and above) to corrupt critical server files via path traversal. The PMCS::action_handler() method processes bulk activate/deactivate actions without authorization checks or nonce verification, passing unsanitized $_GET['snippets'][] values through Snippet::activate()/deactivate() to file_put_contents(). Attackers can overwrite files like .htaccess or index.php with fixed PHP docblock content, causing denial of service. Exploitation requires authenticated access with minimal privileges. No public exploit identified at time of analysis.

WordPress PHP Path Traversal File Upload Denial Of Service +1
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-1263 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in the Webling WordPress plugin versions up to 3.9.0 allows authenticated attackers with Subscriber-level access to inject malicious scripts into forms and memberlists that execute when administrators view the admin interface. The vulnerability stems from insufficient input sanitization and output escaping in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions, combined with missing capability checks. No public exploit code or active exploitation has been reported at time of analysis.

WordPress PHP XSS Webling
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4057 MEDIUM This Month

Authenticated attackers with Contributor-level or higher access to WordPress sites using the Download Manager plugin (versions up to 3.3.51) can strip protection metadata from any media file, including those they do not own, by exploiting a missing capability check in the makeMediaPublic() and makeMediaPrivate() functions. This allows unauthorized modification of access restrictions, passwords, and private flags on media files, exposing admin-protected content via direct URLs. The vulnerability is non-critical (CVSS 4.3) but represents a privilege escalation and data integrity issue requiring authenticated access.

WordPress PHP Privilege Escalation Information Disclosure Download Manager
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3360 HIGH This Week

Unauthenticated attackers can overwrite billing profile data (name, email, phone, address) for any WordPress user with an incomplete manual order in Tutor LMS plugin versions ≤3.9.7. The pay_incomplete_order() function accepts attacker-controlled order_id parameters without identity verification, writing billing fields directly to the order owner's profile. Exploitation is simplified by predictable Tutor nonce exposure on public pages, enabling targeted profile manipulation via crafted POST requests with enumerated order IDs. No public exploit or active exploitation confirmed at time of analysis.

WordPress PHP Authentication Bypass Tutor Lms Elearning And Online Course Solution
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2712 MEDIUM This Month

WP-Optimize plugin for WordPress allows authenticated subscribers and higher to execute admin-only operations including log file access, backup image deletion, and bulk image processing due to missing capability checks in the Heartbeat handler function. The vulnerability affects all versions up to 4.5.0 and requires user authentication but no elevated privileges, enabling privilege escalation from subscriber-level accounts to perform administrative image optimization tasks that should be restricted to site administrators.

WordPress PHP Privilege Escalation Wp Optimize Cache Compress Images Minify Clean Database To Boost Page Speed Performance
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4664 MEDIUM This Month

Unauthenticated attackers can bypass authentication in Customer Reviews for WooCommerce plugin versions up to 5.103.0 by submitting an empty string as the review permission key, allowing them to create, modify, and inject malicious product reviews via the REST API without any legitimate order association. The vulnerability exploits improper key validation using strict equality comparison without checking for empty values, combined with auto-approval of reviews by default, enabling widespread review injection across all products on affected WooCommerce installations.

WordPress PHP Authentication Bypass Customer Reviews For Woocommerce
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-36233 Awaiting Data

A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The issue arises because the "subjcode" parameter is used directly in SQL queries without appropriate sanitization or validation, allowing attackers to inject malicious code.

PHP SQLi N/A
NVD GitHub
EPSS
0.0%
CVE-2026-36235 Awaiting Data

A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'subjcode' parameter is directly embedded into the SQL query via string interpolation without any sanitization or validation.

SQLi PHP N/A
NVD GitHub
EPSS
0.0%
CVE-2026-36232 Awaiting Data

A SQL injection vulnerability was found in the instructorClasses.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'classId' parameter from $_GET['classId'] is directly concatenated into the SQL query without any sanitization or validation.

PHP SQLi N/A
NVD GitHub
EPSS
0.0%
CVE-2026-29861 Awaiting Data

PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.

SQLi PHP N/A
NVD GitHub
EPSS
0.0%
CVE-2026-36236 Awaiting Data

SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter.

PHP SQLi N/A
NVD GitHub
EPSS
0.0%
CVE-2026-36234 Awaiting Data

itsourcecode Online Student Enrollment System v1.0 is vulnerable to SQL Injection in newCourse.php via the 'coursename' parameter.

SQLi PHP N/A
NVD GitHub
EPSS
0.0%
CVE-2026-34424 CRITICAL Act Now

Supply chain compromise in Smart Slider 3 Pro 3.5.1.35 for WordPress and Joomla delivers multi-stage remote access toolkit via compromised update mechanism. Unauthenticated attackers achieve pre-authentication remote code execution through malicious HTTP headers, deploy authenticated backdoors accepting arbitrary PHP/OS commands, create hidden administrator accounts, exfiltrate credentials and API keys, and establish persistence via must-use plugins and core file modifications. Vendor confirmed malicious build distributed through official update channel. No public exploit identified at time of analysis.

RCE WordPress PHP
NVD
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-39848 MEDIUM This Month

CSRF vulnerability in Dockyard prior to 1.1.0 allows unauthenticated remote attackers to start or stop Docker containers by tricking a logged-in administrator into clicking a malicious link, since container control endpoints accept GET requests without CSRF token validation. An attacker can disrupt service availability or trigger unintended container state changes without authentication credentials. No active exploitation or public exploit code has been confirmed.

Docker CSRF Authentication Bypass PHP
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5985 MEDIUM POC This Month

SQL injection in code-projects Simple IT Discussion Forum 1.0 via /crud.php allows unauthenticated remote attackers to extract, modify, or delete database content through the user_Id parameter. The vulnerability permits unauthorized data access and integrity compromise. Publicly available exploit code exists, although there is no CISA KEV listing.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-39962 HIGH This Week

LDAP injection in MISP (Malware Information Sharing Platform) versions prior to 2.5.36 enables unauthenticated attackers to bypass authentication and execute unauthorized LDAP queries. The vulnerability exists in ApacheAuthenticate.php when administrators configure apacheEnv to use user-controlled server variables instead of REMOTE_USER in proxy deployments. Attackers manipulate unsanitized username values to inject special characters into LDAP search filters, potentially gaining unauthorized access to the threat intelligence platform. No public exploit identified at time of analysis.

Authentication Bypass Ldap Code Injection PHP Misp
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-5961 MEDIUM POC This Month

SQL injection in code-projects Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the post_id parameter in /topic-details.php. Successful exploitation enables unauthorized database access, data manipulation, and potential information disclosure. Publicly available exploit code exists. The CVSS vector indicates network-based attack with low complexity, no authentication required, enabling compromise of confidentiality, integrity, and availability at low impact levels across all vectors.

PHP SQLi Simple It Discussion Forum
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-39941 MEDIUM This Month

Cross-site scripting (XSS) in ChurchCRM prior to 7.1.0 allows unauthenticated remote attackers to inject arbitrary JavaScript through the EName and EDesc parameters in EditEventAttendees.php, which is rendered without proper output encoding. Successful exploitation requires user interaction (UI:P) and results in session hijacking, credential theft, or malware distribution to victims' browsers. No public exploit code or active exploitation has been identified at time of analysis.

XSS PHP
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-2519 MEDIUM PATCH This Month

Price manipulation in Bookly WordPress plugin (versions up to 27.0) allows unauthenticated attackers to reduce appointment booking costs to zero by submitting negative values to the 'tips' parameter, exploiting insufficient server-side validation of user-supplied pricing input. No public exploit code or active exploitation has been confirmed, but the vulnerability carries moderate risk due to its ease of exploitation and direct financial impact on e-commerce transactions.

WordPress PHP Authentication Bypass Online Scheduling And Appointment Booking System Bookly
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3005 MEDIUM This Month

Stored cross-site scripting in List Category Posts plugin for WordPress (all versions up to 0.94.0) allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, enabling persistent payload execution whenever affected pages are accessed. CVSS 6.4 reflects moderate confidentiality and integrity impact with network-level access; exploitation requires contributor-level WordPress account.

WordPress PHP XSS List Category Posts
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-34184 HIGH This Week

Unauthorized access to directories in Hydrosystem Control System versions prior to 9.8.5 allows unauthenticated remote attackers to read arbitrary files and execute PHP scripts directly against the connected database. Missing authorization enforcement on specific directories enables direct file access and code execution without authentication, creating critical exposure for database manipulation and data exfiltration. No public exploit identified at time of analysis.

PHP Privilege Escalation Information Disclosure Control System
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-5840 MEDIUM POC This Month

SQL injection in PHPGurukul News Portal Project 4.1 allows authenticated remote attackers to manipulate the Username parameter in /admin/check_availability.php, enabling data exfiltration and potential database modification. The vulnerability requires high-privilege administrative access; publicly available exploit code exists and may be actively used in attacks.

PHP SQLi News Portal Project
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-5839 MEDIUM POC This Month

SQL injection in PHPGurukul News Portal Project 4.1 allows authenticated remote attackers with high privileges to manipulate the sucatdescription parameter in /admin/add-subcategory.php, enabling unauthorized database query execution with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists and the CVSS vector indicates proof-of-concept availability (E:P), though this is a low-severity vulnerability (CVSS 4.7) constrained by high administrative privilege requirements.

PHP SQLi News Portal Project
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-5838 MEDIUM POC This Month

SQL injection in PHPGurukul News Portal Project 4.1 allows remote authenticated administrators to execute arbitrary SQL queries via the sadminusername parameter in /admin/add-subadmins.php. The vulnerability is publicly disclosed with exploit code available, though exploitation requires high-privilege admin access (PR:H) and carries low to moderate real-world risk despite a CVSS score of 4.7.

PHP SQLi Information Disclosure News Portal Project
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-5742 MEDIUM This Month

Stored Cross-Site Scripting in UsersWP WordPress plugin up to version 1.2.60 allows authenticated subscribers and above to inject arbitrary JavaScript into user profile badge widgets via insufficiently sanitized URL fields, executing malicious scripts for all site visitors viewing affected pages. The vulnerability affects the badge widget rendering component due to improper output escaping in the wp-ayecode-ui library integration. No public exploit code or active exploitation has been identified, though the low attack complexity and subscriber-level access requirement make this a realistic threat in multi-user WordPress environments.

WordPress PHP XSS Userswp Front End Login Form User Registration User Profile Members Directory Plugin For Wp
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-4336 MEDIUM This Month

Stored cross-site scripting in Ultimate FAQ Accordion plugin for WordPress (all versions up to 2.4.7) allows authenticated Author-level users to inject arbitrary web scripts into FAQ pages. The vulnerability exploits a double-encoding bypass: the plugin calls html_entity_decode() on FAQ content during rendering, converting entity-encoded payloads (e.g., <img src=x onerror=alert()>) back into executable HTML, which then bypasses WordPress output escaping in the faq-answer.php template. The ufaq custom post type is REST API-enabled with default post capabilities, allowing Authors to create and publish malicious FAQs via REST API. No public exploit code has been identified at time of analysis, but the vulnerability has a moderate CVSS 6.4 score reflecting its authenticated requirement and cross-site impact.

WordPress PHP XSS Ultimate Faq Accordion Plugin
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1830 CRITICAL Act Now

Remote code execution in Quick Playground plugin for WordPress (all versions through 1.3.1) allows unauthenticated attackers to execute arbitrary PHP code on the server. Vulnerability stems from insufficient authorization on REST API endpoints that expose a sync code and permit unrestricted file uploads. Attackers can retrieve the sync code via unsecured endpoints, upload malicious PHP files using path traversal techniques, and achieve full server compromise without authentication. CVSS 9.8 critical severity. No public exploit identified at time of analysis.

WordPress PHP RCE File Upload Quick Playground
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-5837 MEDIUM POC This Month

SQL injection in PHPGurukul News Portal Project 4.1 allows unauthenticated remote attackers to extract, modify, or delete database contents through the Comment parameter in /news-details.php. CVSS 7.3 severity with network-accessible attack vector requiring no authentication or user interaction. Publicly available exploit code exists. Attackers can compromise confidentiality, integrity, and availability of application data through crafted SQL payloads in comment submission functionality.

SQLi PHP News Portal Project
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-5835 MEDIUM POC This Month

Stored cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated attackers with high privileges to inject malicious scripts via the product_name parameter in /admin/admin_football.php, requiring user interaction to execute. The vulnerability has publicly available exploit code and a CVSS score of 2.4, reflecting the requirement for high-privilege authentication and user interaction, though the low EPSS probability and lack of CISA KEV listing suggest limited real-world exploitation despite POC availability.

PHP XSS Online Shoe Store
NVD VulDB GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-5834 MEDIUM POC This Month

Cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated remote attackers with administrative privileges to inject malicious scripts via the product_name parameter in /admin/admin_running.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability, though it carries a low CVSS score of 2.4 due to restricted attack vector (high privileges required, user interaction needed) and limited impact (integrity only).

PHP XSS Online Shoe Store
NVD VulDB GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-3568 MEDIUM This Month

Authenticated subscribers and above in WordPress sites using MStore API plugin up to version 4.18.3 can modify arbitrary user meta fields on their own accounts, including legacy privilege escalation keys like wp_user_level and plugin-specific authorization flags, potentially leading to privilege escalation or stored XSS. The vulnerability stems from the update_user_profile() function accepting unsanitized, user-supplied meta_data JSON without allowlist or validation before passing it directly to update_user_meta(). No public exploit code or active exploitation has been identified at this time.

WordPress PHP Privilege Escalation Mstore Api Create Native Android Ios Apps On The Cloud
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3574 MEDIUM This Month

Stored Cross-Site Scripting in Experto Dashboard for WooCommerce plugin versions up to 1.0.4 allows authenticated administrators to inject arbitrary JavaScript into plugin settings fields (Navigation Font Size, Font Weight, Heading Font Size, Font Weight, Text Font Size, and Font Weight) due to missing input sanitization and output escaping. The injected scripts execute when any user accesses the settings page, affecting only multi-site WordPress installations or single-site installations with unfiltered_html disabled. No public exploit code identified at time of analysis.

WordPress PHP XSS Experto Dashboard For Woocommerce
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-4429 MEDIUM This Month

Stored Cross-Site Scripting in OSM - OpenStreetMap WordPress plugin versions up to 6.1.15 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript through insufficiently sanitized 'marker_name' and 'file_color_list' shortcode attributes in [osm_map_v3], executing malicious scripts whenever users access affected pages. CVSS 6.4 reflects moderate severity with cross-site impact; exploitation requires valid WordPress user credentials but no user interaction beyond page access.

WordPress PHP XSS Osm Openstreetmap
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-5357 MEDIUM This Month

Stored cross-site scripting in Download Manager for WordPress up to version 3.3.52 allows authenticated contributors and above to inject arbitrary JavaScript through the 'sid' parameter of the 'wpdm_members' shortcode, which is stored in post metadata and executed when users access the affected page. The vulnerability stems from missing input sanitization in the members() function and absent output escaping (esc_attr()) when the 'sid' value is rendered directly into HTML id attributes. EPSS score indicates moderate-to-high exploitation probability; no active exploitation in CISA KEV has been confirmed at time of analysis.

WordPress PHP XSS Download Manager
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4124 MEDIUM This Month

Ziggeo plugin for WordPress up to version 3.1.1 allows authenticated attackers with Subscriber-level access or above to perform unauthorized administrative operations including modifying translations, creating or deleting event templates, changing SDK settings, and managing notifications through missing capability checks in AJAX handlers. While nonce validation is present, the absence of current_user_can() checks combined with nonce exposure to all logged-in users enables privilege escalation from basic subscribers to near-administrative functionality. CVSS 5.4 reflects moderate impact with low complexity exploitability.

WordPress PHP Authentication Bypass Ziggeo
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-4326 HIGH This Week

Missing authorization bypass in Vertex Addons for Elementor (WordPress plugin, all versions ≤1.6.4) allows authenticated attackers with Subscriber-level privileges to install and activate arbitrary WordPress plugins. The activate_required_plugins() function checks current_user_can('install_plugins') capability but fails to halt execution on denial, permitting installation/activation to proceed before error response is sent. CVSS 8.8 (High) reflects authenticated (PR:L) network attack enabling high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.

WordPress PHP Privilege Escalation Vertex Addons For Elementor
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-5829 MEDIUM POC This Month

SQL injection in code-projects Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via the post_id parameter in /pages/content.php. Publicly available exploit code exists. The vulnerability enables unauthorized database access with low complexity, requiring no user interaction. Attack achieves limited confidentiality, integrity, and availability impact across the vulnerable application.

SQLi PHP Simple It Discussion Forum
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-5828 MEDIUM POC This Month

SQL injection in Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via crafted postid parameter in /functions/addcomment.php. Publicly available exploit code exists. CVSS 7.3 indicates network-accessible attack requiring no user interaction, achieving partial confidentiality, integrity, and availability impact. Vulnerability disclosed with proof-of-concept on GitHub.

SQLi PHP Simple It Discussion Forum
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-5827 MEDIUM POC This Month

SQL injection in Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'content' parameter in /question-function.php, enabling unauthorized database access, data exfiltration, and potential manipulation of stored records. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack vector with no authentication required, compromising confidentiality, integrity, and availability at low impact levels.

PHP SQLi Information Disclosure Simple It Discussion Forum
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-5826 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in code-projects Simple IT Discussion Forum 1.0 allows remote attackers to inject malicious scripts via the Category parameter in /edit-category.php. The vulnerability requires user interaction (reflected XSS) but has a low CVSS base score of 4.3; however, publicly available exploit code exists, increasing practical risk for unpatched installations.

XSS PHP Simple It Discussion Forum
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-5824 MEDIUM This Month

SQL injection in code-projects Simple Laundry System 1.0 allows remote unauthenticated attackers to manipulate the userid parameter in /userchecklogin.php, enabling arbitrary SQL query execution with potential impact on data confidentiality, integrity, and availability. CVSS 6.9 reflects low-impact confidentiality, integrity, and availability effects without lateral propagation; exploit code is publicly available, increasing practical risk despite moderate CVSS scoring.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-5823 MEDIUM This Month

SQL injection in itsourcecode Construction Management System 1.0 via the Home parameter in /borrowed_tool_report.php allows authenticated remote attackers to execute arbitrary SQL queries with limited impact on confidentiality, integrity, and availability. The vulnerability has a public exploit and CVSS score of 5.3, making it a moderate-severity issue requiring authentication but presenting real exploitation risk given POC availability.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-5825 MEDIUM POC This Month

Stored or reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject malicious scripts via the userid parameter in /delmemberinfo.php, compromising user session integrity and enabling credential theft or malware distribution. The vulnerability requires user interaction (CVSS UI:R) but carries a CVSS score of 4.3 (low severity). Publicly available exploit code exists and the attack vector is network-accessible with no authentication required (AV:N, PR:N).

PHP XSS Simple Laundry System
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-63238 MEDIUM This Month

Reflected cross-site scripting in LimeSurvey prior to version 6.15.11+250909 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL containing an unsanitized gid parameter passed to the getInstance() function in QuestionCreate.php. The vulnerability requires user interaction (clicking a crafted link) but affects logged-in users and can lead to session hijacking, credential theft, or malicious actions performed on behalf of the victim. No public exploitation has been confirmed at time of analysis, though proof-of-concept code is publicly available.

XSS PHP N A
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-70364 Awaiting Data

An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server.

PHP RCE N A
NVD GitHub
EPSS
0.0%
CVE-2026-5813 MEDIUM This Month

SQL injection in PHPGurukul Online Course Registration 3.1 allows unauthenticated remote attackers to manipulate the cid parameter in /check_availability.php to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification. Publicly available exploit code exists, elevating real-world risk despite moderate CVSS scoring.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-5812 MEDIUM POC This Month

Unauthenticated remote attackers can manipulate the txtqty POST parameter in SourceCodester Pharmacy Product Management System 1.0's add-sales.php to trigger business logic errors and cause data integrity violations. The vulnerability affects an unknown component of the POST parameter handler and allows modification of sales quantity values, resulting in integrity and availability impacts. Publicly available exploit code exists, and the flaw requires user authentication but is trivially exploitable with low attack complexity.

Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-5811 MEDIUM POC This Month

SourceCodester Online Food Ordering System 1.0 allows authenticated remote attackers to manipulate product pricing through the save_product function in Actions.php, leading to business logic errors including potential negative or arbitrary price values. The vulnerability affects the POST parameter handler and carries a CVSS score of 5.3 with publicly available exploit code; while not in CISA's KEV catalog, the public exploit availability and disclosure via vuldb indicate real-world exposure.

Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-5814 MEDIUM POC This Month

SQL injection in PHPGurukul Online Course Registration 3.1 allows remote unauthenticated attackers to manipulate the regno parameter in /admin/check_availability.php, enabling arbitrary database queries with potential for data exfiltration and modification. The vulnerability has a publicly available exploit and CVSS 6.9 score indicating moderate severity with confirmed data confidentiality and integrity impact.

SQLi PHP Online Course Registration
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-5810 MEDIUM POC This Month

Stored cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to inject malicious scripts via the ID parameter in /delete.php, which are executed in the context of other users' browsers when they interact with the affected page. The vulnerability requires user interaction (clicking a malicious link) but has a published proof-of-concept and CVSS 5.1 score reflecting moderate impact on data integrity; exploitation is confirmed possible but not currently in CISA KEV.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-5806 MEDIUM POC This Month

Stored cross-site scripting (XSS) in code-projects Easy Blog Site 1.0 allows authenticated remote attackers to inject malicious scripts via the postTitle parameter in /posts/update.php, potentially compromising user sessions and data integrity. The vulnerability requires user interaction (UI:P) and authentication (PR:L), but carries published exploit code and a moderate CVSS score of 5.1, indicating practical exploitation risk in multi-user blog environments.

XSS PHP Easy Blog Site
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-5805 MEDIUM POC This Month

Remote code execution via SQL injection in code-projects Easy Blog Site up to version 1.0 allows unauthenticated attackers to manipulate the Name parameter in /users/contact_us.php, leading to arbitrary SQL command execution. The vulnerability has a CVSS score of 6.9 with network-based attack vector and low complexity, and publicly available exploit code exists, making this an immediate concern for affected deployments.

SQLi PHP Easy Blog Site
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-5436 HIGH This Week

Arbitrary file manipulation in MW WP Form plugin (WordPress) versions ≤5.1.1 allows unauthenticated attackers to move sensitive server files into web-accessible directories, enabling remote code execution. The vulnerability stems from insufficient validation of upload field keys in generate_user_file_dirpath(), exploiting WordPress's path_join() behavior with absolute paths. Attackers inject malicious keys via mwf_upload_files[] POST parameter to relocate critical files like wp-config.php. Exploitation requires forms with enabled file upload fields and 'Saving inquiry data in database' option. No public exploit identified at time of analysis.

PHP Path Traversal WordPress File Upload RCE +1
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-35023 MEDIUM PATCH This Month

Wimi Teamwork On-Premises versions before 8.2.0 allow authenticated attackers to enumerate sequential item_id values in the preview.php endpoint to bypass authorization checks and access image previews from other users' private or group conversations, resulting in unauthorized information disclosure. The vulnerability requires valid user credentials (CVSS PR:L) but enables horizontal privilege escalation to retrieve sensitive conversation data. No public exploit code has been identified, though the IDOR vulnerability pattern is straightforward to exploit.

Authentication Bypass PHP
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-3243 HIGH This Week

Arbitrary file deletion in DanbiLabs Advanced Members for ACF plugin for WordPress (versions ≤1.2.5) allows authenticated attackers with Subscriber-level privileges to delete critical server files via path traversal, enabling remote code execution by removing wp-config.php or similar critical files. The vulnerability stems from insufficient path validation in the create_crop function and was only partially patched in version 1.2.5, leaving residual risk. CVSS 8.8 (High) reflects network accessibility with low attack complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though the attack path is straightforward for authenticated users.

WordPress PHP RCE Path Traversal
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-39715 This Week

Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager anytrack-affiliate-link-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AnyTrack Affiliate Link Manager: from n/a through <= 1.5.5.

WordPress PHP Authentication Bypass Anytrack Affiliate Link Manager
NVD VulDB
EPSS
0.0%
CVE-2026-39713 This Week

Missing Authorization vulnerability in mailercloud Mailercloud – Integrate webforms and synchronize website contacts mailercloud-integrate-webforms-synchronize-contacts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mailercloud – Integrate webforms and synchronize website contacts: from n/a through <= 1.0.7.

WordPress PHP Authentication Bypass Mailercloud Integrate Webforms And Synchronize Website Contacts
NVD VulDB
EPSS
0.0%
CVE-2026-39711 Monitor

Insertion of Sensitive Information Into Sent Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Retrieve Embedded Sensitive Data. This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.

WordPress PHP Information Disclosure Rt Theme 18 Extensions
NVD VulDB
EPSS
0.0%
CVE-2026-39709 Monitor

Insertion of Sensitive Information Into Sent Data vulnerability in thetechtribe The Tribal the-tech-tribe allows Retrieve Embedded Sensitive Data. This issue affects The Tribal: from n/a through <= 1.3.4.

WordPress PHP Information Disclosure The Tribal
NVD VulDB
EPSS
0.0%
CVE-2026-39707 This Week

Missing Authorization vulnerability in ZealousWeb Accept PayPal Payments using Contact Form 7 contact-form-7-paypal-extension allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accept PayPal Payments using Contact Form 7: from n/a through <= 4.0.4.

WordPress PHP Authentication Bypass Accept Paypal Payments Using Contact Form 7
NVD VulDB
EPSS
0.0%
CVE-2026-39705 This Week

Missing Authorization vulnerability in Mulika Team MIPL WC Multisite Sync mipl-wc-multisite-sync allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MIPL WC Multisite Sync: from n/a through <= 1.4.4.

Authentication Bypass WordPress Woocommerce PHP Mipl Wc Multisite Sync
NVD VulDB
EPSS
0.0%
CVE-2026-39703 This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS. This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.8.1.

WordPress PHP XSS Wpbits Addons For Elementor Page Builder
NVD
EPSS
0.0%
CVE-2026-5217
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated stored XSS in Optimole WordPress plugin (≤4.2.2) allows attackers to inject malicious scripts via the srcset descriptor parameter in the /wp-json/optimole/v1/optimizations REST endpoint. Despite HMAC signature validation, authentication tokens are exposed in frontend HTML, enabling exploitation. Injected payloads persist in WordPress options table via transients and execute when victim browsers render affected pages. No public exploit identified at time of analysis.

XSS PHP WordPress
NVD VulDB
CVE-2026-40194
EPSS 0% CVSS 3.7
LOW PATCH Monitor

phpseclib's SSH2 packet authentication uses PHP's non-constant-time != operator to compare HMACs, enabling timing-based information disclosure attacks on SSH sessions. The vulnerability affects phpseclib versions prior to 1.0.28, 2.0.53, and 3.0.51. An unauthenticated remote attacker can exploit variable-time comparison behavior to infer valid HMAC values through precise timing measurements, potentially compromising the confidentiality of SSH communications. No public exploit code or active exploitation has been confirmed, but this is a cryptographic timing vulnerability with proven scalability via benchmarking.

PHP Information Disclosure Phpseclib
NVD GitHub VulDB
CVE-2026-33704
EPSS 0% CVSS 7.1
HIGH This Week

Remote code execution in Chamilo LMS versions prior to 1.11.38 allows authenticated users (including low-privilege students) to upload and execute arbitrary PHP code through the BigUpload endpoint. Attackers exploit insufficient file extension filtering by uploading .pht files containing malicious code, which Apache servers with default .pht handlers execute as PHP. The vulnerability enables authenticated attackers to achieve full server compromise through unrestricted arbitrary file write capabilities. No public exploit identified at time of analysis.

Apache PHP File Upload +1
NVD GitHub
CVE-2026-32931
EPSS 0% CVSS 7.5
HIGH This Week

Remote code execution in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows authenticated teachers to upload PHP webshells through the exercise sound upload function by spoofing Content-Type headers to audio/mpeg. Uploaded malicious files retain their .php extensions and execute in web-accessible directories with web server privileges (www-data). Attack requires low-privilege teacher account but no user interaction. No public exploit identified at time of analysis.

RCE PHP File Upload
NVD GitHub
CVE-2026-32892
EPSS 0% CVSS 9.1
CRITICAL Act Now

OS command injection in Chamilo LMS 1.x (prior to 1.11.38) and 2.0.0-RC.x (prior to RC.3) allows authenticated teacher-role users to execute arbitrary system commands via unsanitized file path parameters. The move() function in fileManage.lib.php concatenates user-controlled move_to POST values directly into exec() shell commands without proper escaping. Any authenticated user can exploit this by creating a course (enabled by default), uploading a directory with shell metacharacters via Course Backup Import, then moving a document to trigger command execution as www-data. No public exploit identified at time of analysis.

PHP Command Injection
NVD GitHub
CVE-2026-33702
EPSS 0% CVSS 7.1
HIGH This Week

Insecure Direct Object Reference in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows authenticated users enrolled in a course to manipulate arbitrary Learning Path progress data for other users. The lp_ajax_save_item.php endpoint accepts a uid parameter without ownership validation, enabling attackers to overwrite scores, completion status, and time tracking for any enrolled user by modifying the request parameter. No public exploit identified at time of analysis. CVSS 7.1 (High) reflects authenticated network-based exploitation with high integrity impact.

PHP Authentication Bypass
NVD GitHub
CVE-2026-33698
EPSS 0% CVSS 9.3
CRITICAL Act Now

Arbitrary file write vulnerability in Chamilo LMS versions before 1.11.38 allows unauthenticated remote attackers to modify existing files or create new files with system-level permissions through a chained attack exploiting the main/install/ directory. Attackers can bypass PHP execution restrictions when the installation directory remains accessible post-deployment, enabling complete system compromise where filesystem permissions permit. This vulnerability affects portals that have not removed the main/install/ directory after initial setup. No public exploit identified at time of analysis.

PHP Information Disclosure Path Traversal +1
NVD GitHub
CVE-2026-33618
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in Chamilo LMS versions prior to 2.0.0-RC.3 allows authenticated attackers with administrative privileges to inject and execute arbitrary PHP code via platform configuration settings. The PlatformConfigurationController::decodeSettingArray() method unsafely uses eval() to parse database-stored settings, executing injected code when any user, including unauthenticated visitors, accesses the /platform-config/list endpoint. Exploitation requires low-privilege authentication (PR:L) but delivers full system compromise with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.

RCE PHP Code Injection
NVD GitHub
CVE-2026-31940
EPSS 0% CVSS 7.5
HIGH This Week

Session fixation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 enables unauthenticated remote attackers to hijack user sessions via main/lp/aicc_hacp.php. User-controlled request parameters directly manipulate PHP session IDs before application bootstrap, allowing attackers to force victims into attacker-controlled sessions. Successful exploitation grants high-severity access to confidential data and platform integrity. No public exploit identified at time of analysis.

PHP Information Disclosure Session Fixation +1
NVD GitHub
CVE-2026-31939
EPSS 0% CVSS 8.3
HIGH This Week

Path traversal in Chamilo LMS main/exercise/savescores.php enables authenticated attackers to delete arbitrary files on the server. Vulnerable versions prior to 1.11.38 fail to sanitize the 'test' parameter from $_REQUEST, allowing directory traversal sequences to escape intended paths and target critical system or application files. Attackers with low-level authenticated access can exploit this remotely without user interaction, resulting in high integrity and availability impact through targeted file deletion.

PHP Path Traversal Chamilo Lms
NVD GitHub
CVE-2025-58913
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in CactusThemes VideoPro WordPress theme through version 2.3.8.1 allows unauthenticated remote attackers to read arbitrary files on the server via improper filename control in PHP include/require statements. Exploitation requires high attack complexity but no user interaction. EPSS score indicates low observed exploitation activity; no public exploit identified at time of analysis.

PHP Information Disclosure Lfi
NVD
CVE-2025-5804
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in Case Themes Case Theme User WordPress plugin (versions prior to 1.0.4) enables unauthenticated remote attackers to include arbitrary local files via PHP require/include statements. Successful exploitation requires high attack complexity and user interaction, but grants full compromise of confidentiality, integrity, and availability. Attackers may read sensitive configuration files, execute malicious code if file upload exists, or escalate to remote code execution through log poisoning techniques. No public exploit identified at time of analysis.

PHP Information Disclosure Lfi
NVD GitHub
CVE-2026-6038
EPSS 0% CVSS 6.9
MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 via the BRANCH_ID parameter in /util/RegisterCustomerFunction.php allows unauthenticated remote attackers to manipulate database queries with low complexity, affecting data confidentiality and integrity. Publicly available exploit code exists, increasing real-world exploitation risk despite the moderate CVSS 6.9 score.

SQLi PHP Vehicle Showroom Management System
NVD VulDB GitHub
CVE-2026-6035
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Reflected cross-site scripting (XSS) in code-projects Vehicle Showroom Management System 1.0 allows remote attackers to inject malicious scripts via the BRANCH_ID parameter in /BranchManagement/ServiceAndSalesReport.php. The vulnerability requires user interaction (UI:P) but no authentication, with publicly available exploit code disclosed. CVSS 5.3 reflects moderate severity with integrity impact limited to confidentiality of user sessions rather than data modification.

XSS PHP Vehicle Showroom Management System
NVD VulDB GitHub
CVE-2026-6034
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Reflected cross-site scripting (XSS) in code-projects Vehicle Showroom Management System 1.0 allows remote unauthenticated attackers to inject malicious scripts via the BRANCH_ID parameter in /BranchManagement/ProfitAndLossReport.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability, and while the CVSS score of 5.3 is moderate, the low integrity impact combined with user interaction requirement limits practical risk, though XSS vulnerabilities remain routinely exploitable in real-world scenarios.

XSS PHP Vehicle Showroom Management System
NVD VulDB GitHub
CVE-2026-6033
EPSS 0% CVSS 5.3
MEDIUM POC This Month

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fname parameter in /updatedetailsfromstudent.php to execute arbitrary SQL queries, achieving limited confidentiality and integrity impact. The vulnerability has publicly available exploit code and a CVSS score of 5.3, representing a moderate risk requiring authentication to exploit.

SQLi PHP Online Classroom
NVD VulDB GitHub
CVE-2026-6032
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject arbitrary JavaScript via the serviceId parameter in /checkcheckout.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability, and the low CVSS score of 4.3 reflects the need for user click-through and limited scope (integrity impact only), though the attack vector is network-accessible and requires no special privileges or authentication.

XSS PHP
NVD VulDB GitHub
CVE-2026-6031
EPSS 0% CVSS 6.9
MEDIUM POC This Month

SQL injection in code-projects Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the Category parameter in /add-category-function.php. Attackers can read, modify, or delete database contents without authentication. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack vector with low complexity and no user interaction required. Impacts confidentiality, integrity, and availability at low levels.

SQLi PHP
NVD VulDB GitHub
CVE-2026-6030
EPSS 0% CVSS 5.3
MEDIUM POC This Month

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the toolname parameter in /del1.php, potentially compromising data confidentiality, integrity, and availability. Publicly available exploit code exists, and the vulnerability has been assigned CVSS 6.3 with confirmed exploitability indicators (E:P rating).

SQLi PHP
NVD VulDB GitHub
CVE-2026-2305
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting (XSS) in AddFunc Head & Footer Code plugin for WordPress versions up to 2.3 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via custom post meta fields that execute when administrators preview or view posts. The vulnerability exists because the plugin outputs user-supplied code from `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` meta values without sanitization or escaping, and fails to restrict meta key access via WordPress `register_meta()` authentication callbacks despite restricting its own admin interface. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress PHP XSS +1
NVD
CVE-2026-6004
EPSS 0% CVSS 6.9
MEDIUM POC This Month

SQL injection in Simple IT Discussion Forum 1.0 by code-projects allows unauthenticated remote attackers to execute arbitrary SQL commands via the cat_id parameter in /delete-category.php, enabling unauthorized data access, modification, or deletion. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack surface with low complexity and no authentication requirement, permitting compromise of confidentiality, integrity, and availability.

SQLi PHP RCE +1
NVD VulDB GitHub
CVE-2026-4305
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in Royal WordPress Backup & Restore Plugin up to version 1.0.16 allows unauthenticated attackers to inject arbitrary JavaScript via the 'wpr_pending_template' parameter. An attacker can craft a malicious link and trick a WordPress administrator into clicking it, causing the injected script to execute in the admin's browser with their privileges. This affects all installations running the vulnerable plugin versions, and no active exploitation has been confirmed, though the low attack complexity and lack of authentication requirements make this a practical threat.

WordPress PHP XSS +1
NVD
CVE-2026-4977
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper access control in UsersWP plugin for WordPress versions up to 1.2.58 allows authenticated subscribers and above to manipulate restricted user metadata fields via the upload_file_remove() AJAX handler, bypassing field-level permissions intended to restrict modifications to administrator-only fields. The vulnerability stems from insufficient validation of the $htmlvar parameter against allowed fields or admin-use restrictions, enabling attackers to clear or reset sensitive usermeta columns on their own user records.

WordPress PHP Privilege Escalation +1
NVD
CVE-2026-1924
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in Aruba HiSpeed Cache WordPress plugin up to version 3.0.4 allows unauthenticated attackers to reset all plugin settings to defaults by tricking site administrators into clicking a malicious link, due to missing nonce verification on the ahsc_ajax_reset_options() function. The CVSS score of 4.3 reflects the low-impact integrity violation requiring user interaction, with no known public exploit code or confirmed active exploitation.

WordPress PHP CSRF +1
NVD
CVE-2026-4351
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated arbitrary file overwrite in Perfmatters WordPress plugin ≤2.5.9 allows low-privileged attackers (Subscriber-level and above) to corrupt critical server files via path traversal. The PMCS::action_handler() method processes bulk activate/deactivate actions without authorization checks or nonce verification, passing unsanitized $_GET['snippets'][] values through Snippet::activate()/deactivate() to file_put_contents(). Attackers can overwrite files like .htaccess or index.php with fixed PHP docblock content, causing denial of service. Exploitation requires authenticated access with minimal privileges. No public exploit identified at time of analysis.

WordPress PHP Path Traversal +3
NVD
CVE-2026-1263
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in the Webling WordPress plugin versions up to 3.9.0 allows authenticated attackers with Subscriber-level access to inject malicious scripts into forms and memberlists that execute when administrators view the admin interface. The vulnerability stems from insufficient input sanitization and output escaping in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions, combined with missing capability checks. No public exploit code or active exploitation has been reported at time of analysis.

WordPress PHP XSS +1
NVD
CVE-2026-4057
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with Contributor-level or higher access to WordPress sites using the Download Manager plugin (versions up to 3.3.51) can strip protection metadata from any media file, including those they do not own, by exploiting a missing capability check in the makeMediaPublic() and makeMediaPrivate() functions. This allows unauthorized modification of access restrictions, passwords, and private flags on media files, exposing admin-protected content via direct URLs. The vulnerability is non-critical (CVSS 4.3) but represents a privilege escalation and data integrity issue requiring authenticated access.

WordPress PHP Privilege Escalation +2
NVD
CVE-2026-3360
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can overwrite billing profile data (name, email, phone, address) for any WordPress user with an incomplete manual order in Tutor LMS plugin versions ≤3.9.7. The pay_incomplete_order() function accepts attacker-controlled order_id parameters without identity verification, writing billing fields directly to the order owner's profile. Exploitation is simplified by predictable Tutor nonce exposure on public pages, enabling targeted profile manipulation via crafted POST requests with enumerated order IDs. No public exploit or active exploitation confirmed at time of analysis.

WordPress PHP Authentication Bypass +1
NVD
CVE-2026-2712
EPSS 0% CVSS 5.4
MEDIUM This Month

WP-Optimize plugin for WordPress allows authenticated subscribers and higher to execute admin-only operations including log file access, backup image deletion, and bulk image processing due to missing capability checks in the Heartbeat handler function. The vulnerability affects all versions up to 4.5.0 and requires user authentication but no elevated privileges, enabling privilege escalation from subscriber-level accounts to perform administrative image optimization tasks that should be restricted to site administrators.

WordPress PHP Privilege Escalation +1
NVD
CVE-2026-4664
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can bypass authentication in Customer Reviews for WooCommerce plugin versions up to 5.103.0 by submitting an empty string as the review permission key, allowing them to create, modify, and inject malicious product reviews via the REST API without any legitimate order association. The vulnerability stems from improper key validation: a strict equality comparison that does not check for empty values, combined with auto-approval of reviews by default, enables widespread review injection across all products on affected WooCommerce installations.

WordPress PHP Authentication Bypass +1
NVD
CVE-2026-36233
EPSS 0%
Awaiting Data

A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The issue arises because the "subjcode" parameter is used directly in SQL queries without appropriate sanitization or validation, allowing attackers to inject malicious SQL through it.

PHP SQLi N A
NVD GitHub
CVE-2026-36235
EPSS 0%
Awaiting Data

A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. The issue arises because the 'subjcode' parameter is directly embedded into the SQL query via string interpolation without any sanitization or validation.

SQLi PHP N A
NVD GitHub
CVE-2026-36232
EPSS 0%
Awaiting Data

A SQL injection vulnerability was found in the instructorClasses.php file of itsourcecode Online Student Enrollment System v1.0. The issue arises because the 'classId' parameter from $_GET['classId'] is directly concatenated into the SQL query without any sanitization or validation.

PHP SQLi N A
NVD GitHub
CVE-2026-29861
EPSS 0%
Awaiting Data

PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.

SQLi PHP N A
NVD GitHub
CVE-2026-36236
EPSS 0%
Awaiting Data

SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter.

PHP SQLi N A
NVD GitHub
CVE-2026-36234
EPSS 0%
Awaiting Data

itsourcecode Online Student Enrollment System v1.0 is vulnerable to SQL Injection in newCourse.php via the 'coursename' parameter.

SQLi PHP N A
NVD GitHub
CVE-2026-34424
EPSS 0% CVSS 9.3
CRITICAL Act Now

Supply chain compromise in Smart Slider 3 Pro 3.5.1.35 for WordPress and Joomla delivers multi-stage remote access toolkit via compromised update mechanism. Unauthenticated attackers achieve pre-authentication remote code execution through malicious HTTP headers, deploy authenticated backdoors accepting arbitrary PHP/OS commands, create hidden administrator accounts, exfiltrate credentials and API keys, and establish persistence via must-use plugins and core file modifications. Vendor confirmed malicious build distributed through official update channel. No public exploit identified at time of analysis.

RCE WordPress PHP
NVD
CVE-2026-39848
EPSS 0% CVSS 6.5
MEDIUM This Month

CSRF vulnerability in Dockyard prior to 1.1.0 allows unauthenticated remote attackers to start or stop Docker containers by tricking a logged-in administrator into clicking a malicious link, since container control endpoints accept GET requests without CSRF token validation. An attacker can disrupt service availability or trigger unintended container state changes without authentication credentials. No active exploitation or public exploit code has been confirmed.

Docker CSRF Authentication Bypass +1
NVD GitHub
CVE-2026-5985
EPSS 0% CVSS 6.9
MEDIUM POC This Month

SQL injection in code-projects Simple IT Discussion Forum 1.0 via /crud.php allows unauthenticated remote attackers to extract, modify, or delete database content through the user_Id parameter. The vulnerability permits unauthorized data access and integrity compromise. No CISA KEV listing exists, but exploit code is publicly available.

SQLi PHP
NVD VulDB GitHub
CVE-2026-39962
EPSS 0% CVSS 8.8
HIGH This Week

LDAP injection in MISP (Malware Information Sharing Platform) versions prior to 2.5.36 enables unauthenticated attackers to bypass authentication and execute unauthorized LDAP queries. The vulnerability exists in ApacheAuthenticate.php when administrators configure apacheEnv to use user-controlled server variables instead of REMOTE_USER in proxy deployments. Attackers manipulate unsanitized username values to inject special characters into LDAP search filters, potentially gaining unauthorized access to the threat intelligence platform. No public exploit identified at time of analysis.

Authentication Bypass Ldap Code Injection +2
NVD GitHub
CVE-2026-5961
EPSS 0% CVSS 6.9
MEDIUM POC This Month

SQL injection in code-projects Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the post_id parameter in /topic-details.php. Successful exploitation enables unauthorized database access, data manipulation, and potential information disclosure. Publicly available exploit code exists. The CVSS vector indicates network-based attack with low complexity, no authentication required, enabling compromise of confidentiality, integrity, and availability at low impact levels across all vectors.

PHP SQLi Simple It Discussion Forum
NVD VulDB GitHub
CVE-2026-39941
EPSS 0% CVSS 5.3
MEDIUM This Month

Cross-site scripting (XSS) in ChurchCRM prior to 7.1.0 allows unauthenticated remote attackers to inject arbitrary JavaScript through the EName and EDesc parameters in EditEventAttendees.php, which is rendered without proper output encoding. Successful exploitation requires user interaction (UI:P) and results in session hijacking, credential theft, or malware distribution to victims' browsers. No public exploit code or active exploitation has been identified at time of analysis.

XSS PHP
NVD GitHub
CVE-2026-2519
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Price manipulation in Bookly WordPress plugin (versions up to 27.0) allows unauthenticated attackers to reduce appointment booking costs to zero by submitting negative values to the 'tips' parameter, exploiting insufficient server-side validation of user-supplied pricing input. No public exploit code or active exploitation has been confirmed, but the vulnerability carries moderate risk due to its ease of exploitation and direct financial impact on e-commerce transactions.

WordPress PHP Authentication Bypass +1
NVD GitHub VulDB
CVE-2026-3005
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in List Category Posts plugin for WordPress (all versions up to 0.94.0) allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, enabling persistent payload execution whenever affected pages are accessed. CVSS 6.4 reflects moderate confidentiality and integrity impact with network-level access; exploitation requires contributor-level WordPress account.

WordPress PHP XSS +1
NVD VulDB
CVE-2026-34184
EPSS 0% CVSS 8.8
HIGH This Week

Unauthorized access to directories in Hydrosystem Control System versions prior to 9.8.5 allows unauthenticated remote attackers to read arbitrary files and execute PHP scripts directly against the connected database. Missing authorization enforcement on specific directories enables direct file access and code execution without authentication, creating critical exposure for database manipulation and data exfiltration. No public exploit identified at time of analysis.

PHP Privilege Escalation Information Disclosure +1
NVD
CVE-2026-5840
EPSS 0% CVSS 5.1
MEDIUM POC This Month

SQL injection in PHPGurukul News Portal Project 4.1 allows authenticated remote attackers to manipulate the Username parameter in /admin/check_availability.php, enabling data exfiltration and potential database modification. The vulnerability requires high-privilege administrative access; publicly available exploit code exists and may be actively used in attacks.

PHP SQLi News Portal Project
NVD VulDB GitHub
CVE-2026-5839
EPSS 0% CVSS 5.1
MEDIUM POC This Month

SQL injection in PHPGurukul News Portal Project 4.1 allows authenticated remote attackers with high privileges to manipulate the sucatdescription parameter in /admin/add-subcategory.php, enabling unauthorized database query execution with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists and the CVSS vector indicates proof-of-concept availability (E:P), though this is a low-severity vulnerability (CVSS 4.7) constrained by high administrative privilege requirements.

PHP SQLi News Portal Project
NVD VulDB GitHub
CVE-2026-5838
EPSS 0% CVSS 5.1
MEDIUM POC This Month

SQL injection in PHPGurukul News Portal Project 4.1 allows remote authenticated administrators to execute arbitrary SQL queries via the sadminusername parameter in /admin/add-subadmins.php. The vulnerability is publicly disclosed with exploit code available, though exploitation requires high-privilege admin access (PR:H) and carries low to moderate real-world risk despite a CVSS score of 4.7.

PHP SQLi Information Disclosure +1
NVD VulDB GitHub
CVE-2026-5742
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in UsersWP WordPress plugin up to version 1.2.60 allows authenticated subscribers and above to inject arbitrary JavaScript into user profile badge widgets via insufficiently sanitized URL fields, executing malicious scripts for all site visitors viewing affected pages. The vulnerability affects the badge widget rendering component due to improper output escaping in the wp-ayecode-ui library integration. No public exploit code or active exploitation has been identified, though the low attack complexity and subscriber-level access requirement make this a realistic threat in multi-user WordPress environments.

WordPress PHP XSS +1
NVD VulDB
CVE-2026-4336
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Ultimate FAQ Accordion plugin for WordPress (all versions up to 2.4.7) allows authenticated Author-level users to inject arbitrary web scripts into FAQ pages. The vulnerability exploits a double-encoding bypass: the plugin calls html_entity_decode() on FAQ content during rendering, converting entity-encoded payloads (e.g., &lt;img src=x onerror=alert()&gt;) back into executable HTML, which then bypasses WordPress output escaping in the faq-answer.php template. The ufaq custom post type is REST API-enabled with default post capabilities, allowing Authors to create and publish malicious FAQs via REST API. No public exploit code has been identified at time of analysis, but the vulnerability has a moderate CVSS 6.4 score reflecting its authenticated requirement and cross-site impact.

WordPress PHP XSS +1
NVD VulDB
CVE-2026-1830
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Quick Playground plugin for WordPress (all versions through 1.3.1) allows unauthenticated attackers to execute arbitrary PHP code on the server. Vulnerability stems from insufficient authorization on REST API endpoints that expose a sync code and permit unrestricted file uploads. Attackers can retrieve the sync code via unsecured endpoints, upload malicious PHP files using path traversal techniques, and achieve full server compromise without authentication. CVSS 9.8 critical severity. No public exploit identified at time of analysis.

WordPress PHP RCE +2
NVD VulDB
CVE-2026-5837
EPSS 0% CVSS 6.9
MEDIUM POC This Month

SQL injection in PHPGurukul News Portal Project 4.1 allows unauthenticated remote attackers to extract, modify, or delete database contents through the Comment parameter in /news-details.php. CVSS 7.3 severity with network-accessible attack vector requiring no authentication or user interaction. Publicly available exploit code exists. Attackers can compromise confidentiality, integrity, and availability of application data through crafted SQL payloads in comment submission functionality.

SQLi PHP News Portal Project
NVD VulDB GitHub
CVE-2026-5835
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Stored cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated attackers with high privileges to inject malicious scripts via the product_name parameter in /admin/admin_football.php, requiring user interaction to execute. The vulnerability has publicly available exploit code and a CVSS score of 2.4, reflecting the requirement for high-privilege authentication and user interaction, though the low EPSS probability and lack of CISA KEV listing suggest limited real-world exploitation despite POC availability.

PHP XSS Online Shoe Store
NVD VulDB GitHub
CVE-2026-5834
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated remote attackers with administrative privileges to inject malicious scripts via the product_name parameter in /admin/admin_running.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability, though it carries a low CVSS score of 2.4 due to restricted attack vector (high privileges required, user interaction needed) and limited impact (integrity only).

PHP XSS Online Shoe Store
NVD VulDB GitHub
CVE-2026-3568
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated subscribers and above in WordPress sites using MStore API plugin up to version 4.18.3 can modify arbitrary user meta fields on their own accounts, including legacy privilege escalation keys like wp_user_level and plugin-specific authorization flags, potentially leading to privilege escalation or stored XSS. The vulnerability stems from the update_user_profile() function accepting unsanitized, user-supplied meta_data JSON without allowlist or validation before passing it directly to update_user_meta(). No public exploit code or active exploitation has been identified at this time.

WordPress PHP Privilege Escalation +1
NVD
CVE-2026-3574
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in Experto Dashboard for WooCommerce plugin versions up to 1.0.4 allows authenticated administrators to inject arbitrary JavaScript into plugin settings fields (Navigation Font Size, Font Weight, Heading Font Size, Font Weight, Text Font Size, and Font Weight) due to missing input sanitization and output escaping. The injected scripts execute when any user accesses the settings page, affecting only multi-site WordPress installations or single-site installations with unfiltered_html disabled. No public exploit code identified at time of analysis.

WordPress PHP XSS +1
NVD
CVE-2026-4429
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in OSM - OpenStreetMap WordPress plugin versions up to 6.1.15 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript through insufficiently sanitized 'marker_name' and 'file_color_list' shortcode attributes in [osm_map_v3], executing malicious scripts whenever users access affected pages. CVSS 6.4 reflects moderate severity with cross-site impact; exploitation requires valid WordPress user credentials but no user interaction beyond page access.

WordPress PHP XSS +1
NVD
CVE-2026-5357
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Download Manager for WordPress up to version 3.3.52 allows authenticated contributors and above to inject arbitrary JavaScript through the 'sid' parameter of the 'wpdm_members' shortcode, which is stored in post metadata and executed when users access the affected page. The vulnerability stems from missing input sanitization in the members() function and absent output escaping (esc_attr()) when the 'sid' value is rendered directly into HTML id attributes. EPSS score indicates moderate-to-high exploitation probability; no active exploitation in CISA KEV has been confirmed at time of analysis.

WordPress PHP XSS +1
NVD
CVE-2026-4124
EPSS 0% CVSS 5.4
MEDIUM This Month

Ziggeo plugin for WordPress up to version 3.1.1 allows authenticated attackers with Subscriber-level access or above to perform unauthorized administrative operations including modifying translations, creating or deleting event templates, changing SDK settings, and managing notifications through missing capability checks in AJAX handlers. While nonce validation is present, the absence of current_user_can() checks combined with nonce exposure to all logged-in users enables privilege escalation from basic subscribers to near-administrative functionality. CVSS 5.4 reflects moderate impact with low complexity exploitability.

WordPress PHP Authentication Bypass +1
NVD
CVE-2026-4326
EPSS 0% CVSS 8.8
HIGH This Week

Missing authorization bypass in Vertex Addons for Elementor (WordPress plugin, all versions ≤1.6.4) allows authenticated attackers with Subscriber-level privileges to install and activate arbitrary WordPress plugins. The activate_required_plugins() function checks current_user_can('install_plugins') capability but fails to halt execution on denial, permitting installation/activation to proceed before error response is sent. CVSS 8.8 (High) reflects authenticated (PR:L) network attack enabling high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.

WordPress PHP Privilege Escalation +1
NVD VulDB
CVE-2026-5829
EPSS 0% CVSS 6.9
MEDIUM POC This Month

SQL injection in code-projects Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via the post_id parameter in /pages/content.php. Publicly available exploit code exists. The vulnerability enables unauthorized database access with low complexity, requiring no user interaction. Attack achieves limited confidentiality, integrity, and availability impact across the vulnerable application.

SQLi PHP Simple It Discussion Forum
NVD VulDB GitHub
CVE-2026-5828
EPSS 0% CVSS 6.9
MEDIUM POC This Month

SQL injection in Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via crafted postid parameter in /functions/addcomment.php. Publicly available exploit code exists. CVSS 7.3 indicates network-accessible attack requiring no user interaction, achieving partial confidentiality, integrity, and availability impact. Vulnerability disclosed with proof-of-concept on GitHub.

SQLi PHP Simple It Discussion Forum
NVD VulDB GitHub
CVE-2026-5827
EPSS 0% CVSS 6.9
MEDIUM POC This Month

SQL injection in Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'content' parameter in /question-function.php, enabling unauthorized database access, data exfiltration, and potential manipulation of stored records. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack vector with no authentication required, compromising confidentiality, integrity, and availability at low impact levels.

PHP SQLi Information Disclosure +1
NVD VulDB GitHub
CVE-2026-5826
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in code-projects Simple IT Discussion Forum 1.0 allows remote attackers to inject malicious scripts via the Category parameter in /edit-category.php. The vulnerability requires user interaction (reflected XSS) but has a low CVSS base score of 4.3; however, publicly available exploit code exists, increasing practical risk for unpatched installations.

XSS PHP Simple It Discussion Forum
NVD VulDB GitHub
CVE-2026-5824
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in code-projects Simple Laundry System 1.0 allows remote unauthenticated attackers to manipulate the userid parameter in /userchecklogin.php, enabling arbitrary SQL query execution with potential impact on data confidentiality, integrity, and availability. CVSS 6.9 reflects low-impact confidentiality, integrity, and availability effects without lateral propagation; exploit code is publicly available, increasing practical risk despite moderate CVSS scoring.

SQLi PHP
NVD GitHub VulDB
CVE-2026-5823
EPSS 0% CVSS 5.3
MEDIUM This Month

SQL injection in itsourcecode Construction Management System 1.0 via the Home parameter in /borrowed_tool_report.php allows authenticated remote attackers to execute arbitrary SQL queries with limited impact on confidentiality, integrity, and availability. The vulnerability has a public exploit and CVSS score of 5.3, making it a moderate-severity issue requiring authentication but presenting real exploitation risk given POC availability.

SQLi PHP
NVD GitHub VulDB
CVE-2026-5825
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Stored or reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject malicious scripts via the userid parameter in /delmemberinfo.php, compromising user session integrity and enabling credential theft or malware distribution. The vulnerability requires user interaction (CVSS UI:R) but carries a CVSS score of 4.3 (low severity). Publicly available exploit code exists and the attack vector is network-accessible with no authentication required (AV:N, PR:N).

PHP XSS Simple Laundry System
NVD VulDB GitHub
CVE-2025-63238
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in LimeSurvey prior to version 6.15.11+250909 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL containing an unsanitized gid parameter passed to the getInstance() function in QuestionCreate.php. The vulnerability requires user interaction (clicking a crafted link) but affects logged-in users and can lead to session hijacking, credential theft, or malicious actions performed on behalf of the victim. No public exploitation has been confirmed at time of analysis, though proof-of-concept code is publicly available.

XSS PHP N A
NVD GitHub
CVE-2025-70364
EPSS 0%
Awaiting Data

An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server.

PHP RCE N A
NVD GitHub
CVE-2026-5813
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in PHPGurukul Online Course Registration 3.1 allows unauthenticated remote attackers to manipulate the cid parameter in /check_availability.php to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification. Publicly available exploit code exists, elevating real-world risk despite moderate CVSS scoring.

SQLi PHP
NVD GitHub VulDB
CVE-2026-5812
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Unauthenticated remote attackers can manipulate the txtqty POST parameter in SourceCodester Pharmacy Product Management System 1.0's add-sales.php to trigger business logic errors and cause data integrity violations. The vulnerability affects an unknown component of the POST parameter handler and allows modification of sales quantity values, resulting in integrity and availability impacts. Publicly available exploit code exists, and the flaw requires user authentication but is trivially exploitable with low attack complexity.

Information Disclosure PHP
NVD GitHub VulDB
CVE-2026-5811
EPSS 0% CVSS 5.3
MEDIUM POC This Month

SourceCodester Online Food Ordering System 1.0 allows authenticated remote attackers to manipulate product pricing through the save_product function in Actions.php, leading to business logic errors including potential negative or arbitrary price values. The vulnerability affects the POST parameter handler and carries a CVSS score of 5.3 with publicly available exploit code; while not in CISA's KEV catalog, the public exploit availability and disclosure via vuldb indicate real-world exposure.

Information Disclosure PHP
NVD GitHub VulDB
CVE-2026-5814
EPSS 0% CVSS 6.9
MEDIUM POC This Month

SQL injection in PHPGurukul Online Course Registration 3.1 allows remote unauthenticated attackers to manipulate the regno parameter in /admin/check_availability.php, enabling arbitrary database queries with potential for data exfiltration and modification. The vulnerability has a publicly available exploit and CVSS 6.9 score indicating moderate severity with confirmed data confidentiality and integrity impact.

SQLi PHP Online Course Registration
NVD VulDB GitHub
CVE-2026-5810
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Stored cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to inject malicious scripts via the ID parameter in /delete.php, which are executed in the context of other users' browsers when they interact with the affected page. The vulnerability requires user interaction (clicking a malicious link) but has a published proof-of-concept and CVSS 5.1 score reflecting moderate impact on data integrity; exploitation is confirmed possible but not currently in CISA KEV.

XSS PHP
NVD GitHub VulDB
CVE-2026-5806
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Stored cross-site scripting (XSS) in code-projects Easy Blog Site 1.0 allows authenticated remote attackers to inject malicious scripts via the postTitle parameter in /posts/update.php, potentially compromising user sessions and data integrity. The vulnerability requires user interaction (UI:P) and authentication (PR:L), but carries published exploit code and a moderate CVSS score of 5.1, indicating practical exploitation risk in multi-user blog environments.

XSS PHP Easy Blog Site
NVD VulDB GitHub
CVE-2026-5805
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Remote code execution via SQL injection in code-projects Easy Blog Site up to version 1.0 allows unauthenticated attackers to manipulate the Name parameter in /users/contact_us.php, leading to arbitrary SQL command execution. The vulnerability has a CVSS score of 6.9 with network-based attack vector and low complexity, and publicly available exploit code exists, making this an immediate concern for affected deployments.

SQLi PHP Easy Blog Site
NVD VulDB GitHub
CVE-2026-5436
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary file manipulation in MW WP Form plugin (WordPress) versions ≤5.1.1 allows unauthenticated attackers to move sensitive server files into web-accessible directories, enabling remote code execution. The vulnerability stems from insufficient validation of upload field keys in generate_user_file_dirpath(), exploiting WordPress's path_join() behavior with absolute paths. Attackers inject malicious keys via mwf_upload_files[] POST parameter to relocate critical files like wp-config.php. Exploitation requires forms with enabled file upload fields and 'Saving inquiry data in database' option. No public exploit identified at time of analysis.

PHP Path Traversal WordPress +3
NVD GitHub
CVE-2026-35023
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Wimi Teamwork On-Premises versions before 8.2.0 allow authenticated attackers to enumerate sequential item_id values in the preview.php endpoint to bypass authorization checks and access image previews from other users' private or group conversations, resulting in unauthorized information disclosure. The vulnerability requires valid user credentials (CVSS PR:L) but enables horizontal privilege escalation to retrieve sensitive conversation data. No public exploit code has been identified, though the IDOR vulnerability pattern is straightforward to exploit.

Authentication Bypass PHP
NVD
CVE-2026-3243
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary file deletion in DanbiLabs Advanced Members for ACF plugin for WordPress (versions ≤1.2.5) allows authenticated attackers with Subscriber-level privileges to delete critical server files via path traversal, enabling remote code execution by removing wp-config.php or similar critical files. The vulnerability stems from insufficient path validation in the create_crop function and was only partially patched in version 1.2.5, leaving residual risk. CVSS 8.8 (High) reflects network accessibility with low attack complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though the attack path is straightforward for authenticated users.

WordPress PHP RCE +1
NVD
CVE-2026-39715
EPSS 0%
This Week

Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager anytrack-affiliate-link-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AnyTrack Affiliate Link Manager: from n/a through <= 1.5.5.

WordPress PHP Authentication Bypass +1
NVD VulDB
CVE-2026-39713
EPSS 0%
This Week

Missing Authorization vulnerability in mailercloud Mailercloud – Integrate webforms and synchronize website contacts mailercloud-integrate-webforms-synchronize-contacts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mailercloud – Integrate webforms and synchronize website contacts: from n/a through <= 1.0.7.

WordPress PHP Authentication Bypass +1
NVD VulDB
CVE-2026-39711
EPSS 0%
Monitor

Insertion of Sensitive Information Into Sent Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Retrieve Embedded Sensitive Data. This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.

WordPress PHP Information Disclosure +1
NVD VulDB
CVE-2026-39709
EPSS 0%
Monitor

Insertion of Sensitive Information Into Sent Data vulnerability in thetechtribe The Tribal the-tech-tribe allows Retrieve Embedded Sensitive Data. This issue affects The Tribal: from n/a through <= 1.3.4.

WordPress PHP Information Disclosure +1
NVD VulDB
CVE-2026-39707
EPSS 0%
This Week

Missing Authorization vulnerability in ZealousWeb Accept PayPal Payments using Contact Form 7 contact-form-7-paypal-extension allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accept PayPal Payments using Contact Form 7: from n/a through <= 4.0.4.

WordPress PHP Authentication Bypass +1
NVD VulDB
CVE-2026-39705
EPSS 0%
This Week

Missing Authorization vulnerability in Mulika Team MIPL WC Multisite Sync mipl-wc-multisite-sync allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MIPL WC Multisite Sync: from n/a through <= 1.4.4.

Authentication Bypass WordPress Woocommerce +2
NVD VulDB
CVE-2026-39703
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS. This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.8.1.

WordPress PHP XSS +1
NVD