PHP
Monthly
SQL injection in Flight PHP framework's SimplePdo database helpers allows privilege escalation through crafted array keys. Applications forwarding user-controlled request data shapes to insert(), update(), or delete() methods enable remote authenticated attackers to inject arbitrary SQL, create administrative accounts, modify sensitive columns, or exfiltrate data. Vendor-released patch in version 3.18.1 validates identifiers with safe-identifier regex. Publicly available proof-of-concept demonstrates privilege escalation via malicious JSON request keys. Researcher @Rootingg discovered and reported through GitHub Security Advisory GHSA-xwqr-rcqg-22mr.
### Summary The `make:controller` CLI command calls `mkdir(..., recursive: true)` on a path built from the user-supplied controller name, **before** Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name contains `/`, but the recursive directory creation side effect is already committed - including directories located outside the project root through `../` traversal. ### Affected code `flight/commands/ControllerCommand.php` (≈ 63-66): ```php if (is_dir(dirname($controllerPath)) === false) { $io->info('Creating directory ' . dirname($controllerPath), true); mkdir(dirname($controllerPath), 0755, true); // un-normalized, runs before validation } ``` ### Proof of concept ``` $ php vendor/flightphp/runway/runway make:controller '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwn' Creating directory .../app/controllers/../../../../tmp/CONTROLLER_TRAVERSAL_TEST Nette\InvalidArgumentException: Value '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwnController' is not valid class name. $ ls /home/user/tmp/CONTROLLER_TRAVERSAL_TEST (directory exists - created before the exception was thrown) ``` ### Impact - **Arbitrary directory creation outside the project root**, executable by any local actor that can run the Flight CLI (developer machine, shared CI build agent, compromised dev container). - Primes log-file planting for chained LFI exploitation (e.g. creating a directory where an attacker can later drop a `.php` file to be included via a distinct template-include weakness). - On Windows, the `\` separator opens additional traversal surface. ### Patch (fixed in `3.18.1`, commit `b8dd23a`) The controller name is now normalized with `basename()` and validated against `^[A-Za-z_][A-Za-z0-9_]*$` before any `mkdir` side effect runs. ### Credit Discovered by **@Rootingg**.
Reflected cross-site scripting in Flight PHP framework's JSONP endpoint implementation allows remote attackers to execute arbitrary JavaScript in victim browsers by injecting malicious code through unvalidated callback parameters. Flight PHP versions prior to 3.18.1 concatenate user-supplied `jsonp` query parameters directly into JavaScript responses without identifier validation, enabling cookie theft and session hijacking when vulnerable endpoints are embedded via script tags. The vulnerability was patched in version 3.18.1 (commit b8dd23a) with regex validation limiting callbacks to legal JavaScript identifiers. A working proof-of-concept demonstrates cookie exfiltration via crafted callback parameters.
Privilege escalation in Grav CMS 2.0.0-beta.2 allows authenticated API users with minimal media.write permissions to fabricate super-admin accounts via arbitrary YAML file upload. The /api/v1/blueprint-upload endpoint accepts attacker-controlled destination and scope parameters that, when combined with specific values (destination=self@: and scope=users/anything), write files directly into user/accounts/. Because Grav parses YAML files in this directory as authoritative user accounts and accepts plaintext passwords on first login, attackers craft a new account with api.super privileges, then authenticate as that account to gain full administrative control. Publicly available exploit code exists (detailed PoC in vendor advisory). Vendor-released patch restricts accounts directory uploads to image-only extensions and blocks config-bearing file types (YAML, JSON, Twig) across all blueprint-upload targets.
Reflected cross-site scripting (XSS) in OpenMage Magento LTS versions up to 20.17.0 allows authenticated admin users to inject arbitrary JavaScript via the Import/Export Dataflow Profiles run interface. The vulnerability exists in the System → Import/Export → Dataflow Profiles page where unsanitized filename parameters are reflected into HTML context, enabling cookie theft and admin panel defacement. The exploitation requires admin panel access and user interaction to click a malicious link, but no network-based unauthenticated exploitation is possible.
Remote code execution in Scramble API documentation generator versions 0.13.2 through 0.13.21 allows unauthenticated attackers to execute arbitrary PHP code when documentation endpoints are publicly accessible and validation rules reference user-controlled input. Fixed in version 0.13.22. The CVSS score of 9.4 (Critical) reflects the network-accessible, low-complexity attack requiring no authentication, though exploitation requires specific configuration where documentation endpoints remain enabled and validation rules incorporate request-supplied data. No active exploitation (CISA KEV) or public POC identified at time of analysis, but the GitHub security advisory provides full technical details enabling reproduction.
Remote code execution in Vvveb CMS versions before 1.0.8.2 allows authenticated users with media-upload permissions to execute arbitrary PHP code with web server privileges via a two-stage attack: uploading a malicious .htaccess file to map .phtml extensions to the PHP handler, then uploading a .phtml file containing PHP code. Exploitation requires only low-privileged authentication (CVSS PR:L) and no user interaction (UI:N), making post-authentication compromise straightforward. Vendor-released patch available in version 1.0.8.2 per GitHub security advisory GHSA-wwmv-4g9g-p48g and commit 54a9e846. VulnCheck advisory provides detailed technical analysis of the bypass technique.
Remote code execution in Vvveb CMS versions before 1.0.8.2 enables low-privilege authenticated users (editor, author, contributor, or site_admin roles) to escalate privileges and execute arbitrary PHP code. Attackers exploit the admin code editor's insufficient file extension validation by first uploading a malicious .htaccess file that maps arbitrary extensions to the PHP handler, then uploading PHP code disguised with that extension. Once uploaded, the PHP code executes with web server privileges when accessed via HTTP, effectively bypassing authentication and achieving full system compromise. The vulnerability requires only low-privilege access (PR:L) with no attack complexity or user interaction (AC:L/UI:N), and vendor-released patch version 1.0.8.2 is confirmed available via GitHub. No public exploit code or active exploitation (KEV) confirmed at time of analysis.
XML external entity injection in Vvveb CMS versions before 1.0.8.2 allows authenticated site_admin users to read arbitrary server files and overwrite administrator password hashes via the admin Tools/Import feature. The vulnerability resides in system/import/xml.php where LIBXML_NOENT flag enabled external entity resolution, allowing injection of file:// and php://filter protocols. Attackers with low-privilege admin accounts can escalate to full administrator access by replacing password hashes in the database. Vendor-released patch version 1.0.8.2 removes LIBXML_NOENT flag. No active exploitation confirmed by CISA KEV at time of analysis.
Authenticated control-panel users in Craft CMS 5.x can enumerate asset filenames and complete folder hierarchies (volume handles, UIDs, folder names, URIs) across all volumes by sending arbitrary asset IDs to the AssetsController::actionShowInFolder endpoint, bypassing volume-level viewAssets and viewPeerAssets permission checks. The flaw stems from an incomplete February 2026 patch wave that fixed four sibling endpoints but missed this method, introduced 13 days before the patch release. No public exploit identified at time of analysis; vendor-released patch fixes 5.9.18 and later. This information disclosure vulnerability enables reconnaissance for follow-up attacks against restricted asset volumes.
Unauthorized PII disclosure in Craft CMS GraphQL API allows cross-scope address enumeration via missing authorization check. A GraphQL API token scoped to any single low-privilege user group can read all addresses system-wide, including PII from restricted user groups (full names, home addresses, corporate addresses, tax IDs, GPS coordinates). The Address element resolver bypasses schema scope filtering that all other element resolvers enforce. Vendor-released patch: versions 5.9.18 and 4.17.12. Publicly available exploit code exists (detailed PoC in GitHub advisory). Affects all Craft CMS Pro deployments (v4.0.0+) using headless GraphQL APIs with user group scoping-a standard deployment pattern for Next.js/Nuxt/Gatsby frontends.
Fluent Forms plugin for WordPress up to version 6.2.1 allows authenticated administrators to read arbitrary files readable by the web server through path traversal in the getAttachments() method of EmailNotificationActions. The vulnerability stems from insufficient validation of file-upload URLs in admin notification configurations, permitting attackers to supply traversal sequences like <upload_baseurl>/../../<target> to access sensitive files such as wp-config.php containing database credentials and authentication salts. While unauthenticated users can trigger email notifications, the exploit requires administrator-level access to configure the malicious notification attachment.
AVideo version 29.0 and earlier exposes API authentication secrets (APISecret) to unauthenticated remote attackers via a publicly accessible plugin configuration endpoint at objects/plugins.json.php. This vulnerability enables complete bypass of authentication controls protecting sensitive API endpoints including user enumeration (users_list) and other privileged operations. Publicly available exploit code exists (proof-of-concept demonstrated in GitHub advisory GHSA-xr49-f4rh-qcjf). Upstream fix available via commit 1c36f229 but no tagged release version has been independently confirmed at time of analysis.
Server-Side Request Forgery (SSRF) in AVideo versions up to 29.0 allows authenticated attackers to exfiltrate cloud metadata credentials and access internal services via HTTP redirect bypass and DNS rebinding attacks. Two endpoints in AVideo's AI plugin and EPG parser validate user-supplied URLs using isSSRFSafeURL() but then fetch them with file_get_contents() using PHP's default automatic redirect following. An attacker supplies a URL to a controlled server returning a 302 redirect to internal resources (e.g., AWS instance metadata at 169.254.169.254), bypassing SSRF protections since only the initial URL is validated. Vendor-released patch available via GitHub commit 603e7bf7. CVSS 7.7 reflects Changed Scope due to cross-boundary access to cloud infrastructure credentials.
Insecure Direct Object Reference (IDOR) in AVideo's PayPalYPT plugin allows any authenticated user to cancel arbitrary PayPal billing agreements belonging to other users by supplying a victim's agreement ID to the `agreementCancel.json.php` endpoint. An attacker can silently suspend a victim's recurring subscription without authorization, causing revenue loss to the platform operator and service interruption to the victim. The vulnerability exists because the endpoint only checks that the user is logged in, but fails to verify ownership of the agreement being canceled, despite a sister endpoint (`PayPalAgreementCancel.json.php`) implementing the correct authorization check.
Unauthenticated CRLF injection in AVideo's Scheduler plugin allows remote attackers to inject arbitrary calendar events into ICS files served from the victim's trusted domain, enabling high-credibility calendar phishing attacks. The vulnerable endpoint accepts attacker-controlled parameters without sanitization, passes them through an incomplete escape function that does not neutralize carriage-return/line-feed bytes, and constructs RFC 5545-compliant ICS calendar files containing injected VEVENT blocks. Exploitation requires only that the Scheduler plugin be enabled (common default) and user interaction to import the malicious .ics file; no authentication or special configuration is needed. A vendor-released patch is available.
Unauthenticated user enumeration in AVideo objects/users.json.php allows remote attackers to disclose all registered user accounts via an isCompany parameter that bypasses admin-only access controls, and a users_id parameter that acts as a sequential-ID existence oracle. An unauthenticated attacker can harvest the complete user directory-including display names, numeric IDs, profile URLs, photos, and active/inactive status-in a single unbounded GET request, enabling credential stuffing and phishing campaigns. The vulnerability affects AVideo through version 29.0; vendor patch available.
Unauthenticated arbitrary email sending via sendEmail.json.php allows remote attackers to send phishing emails from the site's legitimate sender address to arbitrary recipients by omitting the contactForm parameter, bypassing authentication and CSRF protections. The endpoint is explicitly allow-listed as a public write action and requires only a solved captcha, enabling an attacker to impersonate the site operator and send messages with forged From/Reply-To headers that pass SPF/DKIM/DMARC validation for the site's domain, ideal for targeted credential harvesting and brand impersonation attacks.
Blind server-side request forgery (SSRF) in AVideo's donation webhook system allows authenticated users to configure webhook URLs pointing to internal/loopback/metadata services (127.0.0.1, 169.254.169.254, RFC1918 addresses). When any user donates via the CustomizeUser plugin, the AVideo server issues an unauthenticated POST request to the attacker-supplied URL without validating it against the codebase's existing isSSRFSafeURL() helper. The vulnerability is compounded by CURLOPT_FOLLOWLOCATION being enabled without per-hop revalidation, permitting HTTP 307 redirects from attacker-controlled hosts to bypass even future URL validation. CVSS 5.4 (network-accessible, requires authentication, low complexity); no public proof-of-concept or active KEV exploitation confirmed at analysis time, but the vulnerability is trivially exploitable with two attacker-controlled accounts and the PoC is fully documented in the advisory.
Stored cross-site scripting in Grav CMS allows low-privileged users with page-creation permissions to inject malicious SVG payloads that execute when administrators view the page. The vulnerability stems from regex-based XSS detection that fails to catch unquoted event handlers and omits SVG/MathML from dangerous tags. Exploitation exfiltrates the admin-nonce token from /admin/config/info, enabling CSRF bypass and chained remote code execution through scheduled tasks or plugin endpoints. GitHub advisory GHSA-w8cg-7jcj-4vv2 confirms exploit details; patch available in Grav 2.0.0-beta.2 (commit 5a12f9be8). CVSS 8.9 (High) with network attack vector, low complexity, and scope change reflecting cross-context session hijacking.
Unauthenticated path traversal in Grav CMS FormFlash component allows remote attackers to create arbitrary directories and write configuration files (index.yaml) with controlled content. Confirmed actively exploited (CISA KEV). The vulnerability affects all Grav v1.7.x installations with form-enabled pages (default in standard deployments). Attack complexity is low-requires only manipulating the __form-flash-id POST parameter with traversal sequences. Vendor-released patch available in v2.0.0-beta.2 (commit d904efc33) applies strict alphanumeric sanitization to session identifiers. EPSS exploitation probability data not available, but GitHub advisory confirms zero-day status prior to patch, with public proof-of-concept demonstrating directory creation in user/config/ paths leading to configuration injection and potential DoS via inode exhaustion.
Grav CMS Admin Panel allows authenticated users with only user-creation permissions to overwrite administrator accounts by submitting the admin's username when creating a new user. The flawed create-or-update logic replaces the existing super-admin account metadata with attacker-supplied low-privilege data, locking the legitimate administrator out and causing complete loss of management control. Vendor-released patch: fixed in 2.0.0-beta.2 (commit d904efc33). Publicly available exploit code exists (video PoC published by Grav maintainers). EPSS data not provided, but the low attack complexity and confirmed PoC make exploitation straightforward for any low-privileged user with create-user rights.
Stored cross-site scripting in Grav CMS allows publisher-level authenticated users to execute arbitrary JavaScript in victim browsers by injecting unquoted HTML event handlers that bypass the detectXss() blacklist regex. The flawed pattern failed to detect on* event attributes without surrounding quotes, enabling payloads like <img src=x onerror=eval(...)> to persist in content fields and execute when administrators or other users view the compromised page. Vendor-released patch confirmed in commit 5a12f9be8 (Grav 2.0.0-beta.2), which tightens the on_events regex to flag unquoted attributes, adds dangerous XML namespace tags (svg, math) to the default blocklist, and hardens MediaObjectTrait::attribute() with strict identifier validation. Publicly available exploit code exists. EPSS and KEV data not provided; exploitation requires publisher-level account privileges.
Sensitive information disclosure in Grav CMS v1.8.0-beta.29 allows low-privileged users with page editing permissions to bypass Twig sandbox restrictions and extract administrative password hashes and security salts via the exposed `grav['accounts']` service. A content editor can inject a Twig template with `{{ grav['accounts'].load('admin').get('hashed_password') }}` to retrieve plaintext Bcrypt hashes accessible for offline brute-force attack. Vendor-released patch available (2.0.0-beta.2 and commit c66dfeb5ff679a1667678c6335eb9ff3255dfc47); publicly available proof-of-concept exists demonstrating practical exploitation.
Unauthenticated privilege escalation in Grav CMS Login plugin 3.8.0 allows remote attackers to self-register with admin.super privileges via missing server-side validation of groups and access fields. When administrators configure user registration with groups or access in allowed fields (a permitted UI action), attackers inject these fields into registration POST requests to bypass config-level defaults and gain full administrative access. Vendor-released patch: Login plugin 3.8.2 / Grav 2.0.0-beta.2 (commit 3d419a0). No public exploit identified at time of analysis, but the GitHub security advisory includes detailed proof-of-concept code demonstrating the attack.
Stored cross-site scripting in Grav CMS Form plugin allows editor-level users to inject arbitrary JavaScript via taxonomy tag and category values that execute in administrator browsers when viewing any page in the admin panel. The vulnerability exploits unescaped Twig `|raw` filters in the select field template combined with a bypassable XSS detection regex, enabling privilege escalation through nonce theft and unauthorized admin actions. Vendor-released patch available in grav-plugin-form 9.0.1 and Grav core 2.0.0-beta.2.
Stored cross-site scripting in Grav CMS via Markdown media attribute injection allows authenticated page editors to inject executable JavaScript event-handler attributes into rendered image HTML. An editor can craft Markdown syntax like `)` which bypasses the attribute() media method's input validation and renders as `<img onload="alert(1)">`, executing arbitrary JavaScript in the browsers of any user viewing the affected page, including administrators and reviewers in multi-user installations. Publicly available patch confirmed in version 2.0.0-beta.2.
Remote code execution in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated administrators to deploy malicious PHP web shells by uploading crafted ZIP files through the Direct Install tool at /admin/tools/direct-install. The vulnerability combines insufficient ZIP archive content validation (Zip Slip primitive via path traversal) with the design-level acceptance of arbitrary plugin PHP code. Publicly available exploit code exists, demonstrating automated login, nonce extraction, malicious plugin upload, and persistent shell deployment. CVSS 9.1 (Critical) reflects network-accessible RCE with scope change, though exploitation requires high privileges (admin role). No EPSS or KEV data available at time of analysis.
Privilege escalation in Grav API Plugin (versions < 1.0.0-beta.15) allows any authenticated user with basic 'api.access' permission to elevate themselves to Super Administrator by sending a crafted PATCH request to modify their own permission configuration. The vulnerability, confirmed by vendor GitHub Security Advisory GHSA-r945-h4vm-h736, stems from inadequate authorization checks in the UsersController::update method, which permits self-editing users to overwrite the 'access' field containing role definitions. Successful exploitation grants complete CMS control including the ability to edit Twig templates outside sandbox restrictions for remote code execution. A detailed proof-of-concept is publicly available, and vendor-released patch is confirmed in version 1.0.0-beta.15.
Formula injection in Kimai 2.27.0 through 2.53.0 allows authenticated users with ROLE_USER to create tags containing formula strings (e.g., =SUM(54+51)) via the POST /api/tags endpoint. When administrators export timesheets to XLSX format, the ArrayFormatter joins tag names without sanitization, and OpenSpout automatically promotes formula-prefixed strings to FormulaCell objects. Excel or LibreOffice Calc evaluates these formulas when the exported file is opened, enabling code execution on any workstation that imports and opens the poisoned spreadsheet. Publicly available exploit code demonstrates the attack via normal user account and admin export workflow.
Open redirect vulnerability in OpenMage LTS through version 20.17.0 allows authenticated attackers to redirect logged-in customers to arbitrary external URLs via an unvalidated `uenc` parameter in the ProductAlert `stockAction()` controller. The vulnerability occurs when a non-existent product ID is supplied, bypassing the `_isUrlInternal()` validation check present in the analogous `priceAction()` method. Attackers can exploit this for credential phishing, OAuth token theft, affiliate fraud, or malware distribution by crafting a malicious link and distributing it via email, forums, or social media.
DNS rebinding in Admidio's SSO metadata fetch endpoint bypasses SSRF protections by validating a hostname's IP address with gethostbyname() but passing the original hostname to curl_init(), allowing attackers to redirect requests to internal services including cloud metadata endpoints. Authenticated administrators can exploit this TOCTOU window between DNS resolution check and cURL connection to access internal IP ranges, read instance metadata, or scan internal networks.
Predictable API session token generation in OpenMage LTS (≤ 20.16.0, confirmed vulnerable through ≤ 20.17.0) allows remote unauthenticated attackers to hijack authenticated XML-RPC, SOAP, and legacy REST API sessions by brute-forcing MD5 digests derived from time-based inputs. The session ID is constructed via md5(time() . uniqid('', true) . null), leaving an attacker with predictable timestamp and microsecond components plus a constrained LCG float - yielding far less than the OWASP ASVS-mandated 64 bits of entropy. Publicly available exploit code exists in the form of a working Python PoC included with the advisory.
Reflected XSS in AVideo's Meet plugin allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unescaped user and pass query parameters into a JavaScript string literal. The vulnerability is reachable without authentication on any public Meet schedule with no password (the default configuration), enabling session cookie theft and account takeover of authenticated users. CVSS 6.1 (AV:N/AC:L/PR:N/UI:R/S:C) reflects network delivery requiring user interaction but changed scope due to cookie exfiltration across the AVideo application origin.
Cross-site request forgery in AVideo's userSavePhoto.php endpoint allows unauthenticated remote attackers to overwrite any logged-in user's profile photo with arbitrary bytes by luring them to a malicious webpage. The vulnerability exploits a missing CSRF token and a default cookie policy of SameSite=None on HTTPS deployments, combined with unvalidated base64 decoding that accepts any file content. Each successful attack also triggers a global cache invalidation, enabling denial-of-service via cache thrashing.
Stored HTML injection in AVideo's notifySubscribers endpoint allows any authenticated uploader to broadcast platform-branded phishing emails to up to 10,000 channel subscribers without sanitization, escaping, or rate limits. The attacker-supplied HTML is injected directly into the email template via str_replace and rendered by PHPMailer, arriving with the platform's official contact email address, logo, and site title, enabling credential theft and reconnaissance at scale with no visible indication that content originated from an uploader rather than the platform operator.
Password hash exposure in AVideo's MobileManager OAuth redirect enables account takeover when unauthenticated attackers capture the redirect URL from server logs, browser history, or referrer leakage, then replay the hash via the login endpoint's encodedPass bypass. The vulnerability affects all users who authenticate through OAuth (Google, etc.) when the MobileManager plugin is enabled, including administrators, and requires only user interaction to trigger the initial OAuth flow-no active exploitation in the wild has been confirmed at analysis time, but a working proof-of-concept exists and patch has been released by the vendor.
Unauthenticated remote code execution in AVideo ≤29.0 allows attackers to inject and execute arbitrary JavaScript in the browsers of any logged-in users through a WebSocket message relay bypass. An attacker obtains a WebSocket token without authentication from plugin/YPTSocket/getWebSocket.json.php, connects to the WebSocket server, and sends a crafted message with autoEvalCodeOnHTML nested under the json field instead of msg. The incomplete server-side sanitization from prior fix c08694bf6 (GHSA-gph2-j4c9-vhhr) only strips autoEvalCodeOnHTML from $json['msg'], but the relay function msgToResourceId() preferentially selects $msg['json'] as the outbound message carrier. The payload bypasses sanitization, reaches the victim's browser via WebSocket relay, and executes through eval() at plugin/YPTSocket/script.js:573-575. Vendor-released patch: commit 9f3006f9a (recursive stripping across all message carriers). No public exploit identified at time of analysis, but the advisory includes functional proof-of-concept Python code.
Unauthenticated information disclosure in AVideo CloneSite plugin (versions ≤29.0) leaks the installation's shared secret authentication key through an error message, enabling attackers to impersonate the victim installation to its federated clone server and trigger a full database dump into a publicly accessible directory. The vulnerability chains two flaws: cloneClient.json.php echoes the local myKey credential in HTTP responses to any unauthenticated request due to incorrect $argv handling in web contexts, and the remote cloneServer.json.php then accepts this leaked key to authenticate mysqldump operations without IP restrictions or access controls on the resulting dump files. Patch available via GitHub commit e6566f56. No evidence of active exploitation (not in CISA KEV); EPSS data not provided. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact from direct credential exposure plus cross-site database access in federated deployments.
SQL injection in itsourcecode Courier Management System 1.0 via the ids parameter in /print_pdets.php allows authenticated remote attackers to execute arbitrary SQL queries with low impact to confidentiality, integrity, and availability. The vulnerability has a publicly available proof-of-concept and is characterized by low CVSS score (2.1) due to authentication requirement and limited scope, but SQL injection itself represents a persistent threat vector if the system processes sensitive courier data.
EmailKit plugin for WordPress versions up to 1.6.5 allows authenticated attackers with Author-level access to read arbitrary files from the server due to a path traversal vulnerability in the create_template() method. The vulnerability exploits a PHP 8.x type coercion flaw where realpath() returns false for non-existent directories, causing strpos() validation to incorrectly evaluate and bypass directory restrictions. Attackers can retrieve sensitive files such as wp-config.php by submitting absolute paths via the emailkit-editor-template REST API parameter. No public exploit code identified at time of analysis, though the vulnerability mechanism is trivial to weaponize once authentication is obtained.
Loco Translate plugin for WordPress versions up to 2.8.2 allows authenticated attackers with Translator-level access to read arbitrary files outside the intended translation directory via path traversal in the `fsReference` AJAX endpoint. The vulnerability exploits insufficient validation of directory traversal sequences (`../`) in the `findSourceFile()` method, enabling disclosure of sensitive `.php`, `.js`, `.json`, and `.twig` files including wp-config.php-adjacent files. No public exploit code has been identified at time of analysis, and the attack requires administrative capability assignment (`loco_admin` capability) granted to translators by default.
Cross-Site Request Forgery in Publish 2 Ping.fm WordPress plugin up to version 1.1 allows unauthenticated attackers to modify plugin settings and inject malicious scripts by tricking site administrators into clicking a crafted link, exploiting missing nonce validation on the admin settings page. The vulnerability requires user interaction (admin click) and affects the plugin's confidentiality and integrity but not availability. No public exploit code or active exploitation has been confirmed.
SQL injection in CodeCanyon Perfex CRM up to version 3.4.1 allows authenticated remote attackers to execute arbitrary SQL queries via the Admin Kanban Endpoint's AbstractKanban::applySortQuery function. The vulnerability stems from improper sanitization of the sort query argument and can lead to unauthorized data access, modification, and potential system compromise. Publicly available exploit code exists, increasing real-world risk.
Authorization bypass in CodeCanyon Perfex CRM up to 3.4.1 allows authenticated remote attackers to access projects belonging to other tenants via manipulation of the ID parameter in the Clients::project function. The vulnerability requires valid user credentials but grants access to cross-tenant data with low confidentiality, integrity, and availability impact. Publicly available exploit code exists for this flaw.
Password reset poisoning in AzuraCast versions ≤0.23.5 allows remote attackers to achieve full account takeover via client-supplied X-Forwarded-Host header injection. The ApplyXForwarded middleware lacks trusted proxy validation, enabling unauthenticated attackers to poison password reset URLs sent to victims. When victims click the poisoned link, their reset token is exfiltrated to attacker-controlled infrastructure. The attacker then redeems the token on the legitimate instance to reset the victim's password and unconditionally destroy their 2FA configuration, bypassing multi-factor authentication protections. Vendor-confirmed patch released in version 0.23.6. No public exploit identified at time of analysis. CVSS 8.1 reflects network attack vector with user interaction required (clicking email link). The vulnerability is limited to deployments using the default Docker configuration with nginx+PHP-FPM where fastcgi_pass forwards client headers unfiltered.
Path traversal in AzuraCast's Flow.js media upload endpoint allows authenticated users with media management permissions to write arbitrary PHP files outside designated storage directories, achieving remote code execution. The vulnerability exists in versions ≤0.23.5 where the unsanitized `currentDirectory` parameter bypasses filename sanitization, and a `finally` block writes uploaded files before MIME validation completes. Only local filesystem storage (default configuration) is affected-remote S3/cloud backends are not vulnerable. Vendor-confirmed patch available in version 0.23.6. No public exploit or CISA KEV listing identified at time of analysis, but detailed proof-of-concept exists in GitHub advisory GHSA-vp2f-cqqp-478j demonstrating webshell upload to web root.
Arbitrary database table drop in CI4MS theme deletion allows authenticated administrators with theme.delete permission to craft malicious POST requests to the `/backend/themes/delete-process/` endpoint and drop any table in the database, including critical tables such as ci4ms_users and ci4ms_auth_identities. The vulnerability exists because the deleteProcess() action accepts user-supplied table names without validating them against the theme's own migration files, violating the principle of least privilege even within the admin trust model. Vendor-released patch 0.31.8.0 implements migration-based whitelist validation to restrict deletions to declared theme tables.
Denial-of-service condition in Conditional Fields for Contact Form 7 WordPress plugin allows remote unauthenticated attackers to crash PHP processes by injecting arbitrarily large iteration values through REST API parameters. The Wpcf7cfMailParser class processes user-supplied POST data without validation, enabling attackers to trigger unbounded loops with multiple regex operations that exhaust server memory. Affects all versions through 2.6.7 with vendor patch now available. EPSS data not provided, but the network-accessible unauthenticated attack vector (AV:N/PR:N) combined with low complexity (AC:L) indicates straightforward exploitation potential against publicly accessible WordPress sites running this plugin.
Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. Publicly available exploit code exists, but no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path.
SQL injection in SourceCodester Web-based Pharmacy Product Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /product_expiry/edit-admin.php, enabling unauthorized data access, modification, and deletion. The vulnerability has a publicly available exploit and CVSS 6.3 base score reflects moderate impact with low attack complexity; however, authentication is required, limiting exposure to users with valid credentials.
Unrestricted file upload in funadmin up to version 7.1.0-rc6 allows remote attackers to upload arbitrary files via the Frontend Chunked Upload Endpoint (UploadService::chunkUpload function). The vulnerability stems from insufficient validation of the File parameter and can be exploited without authentication; publicly available exploit code exists and a patch (PR #59) has been released by the vendor.
Unrestricted file upload in code-projects BloodBank Managing System 1.0 via request_blood.php allows authenticated remote attackers to upload arbitrary files with limited impact. The vulnerability requires valid user credentials (PR:L per CVSS vector) but has low confidentiality, integrity, and availability impact (VC:L/VI:L/VA:L). Publicly available exploit code exists; however, the low CVSS score (2.1) and confined impact scope suggest this poses minimal risk despite public disclosure.
SQL injection in code-projects BloodBank Managing System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the G_STATE_ID parameter in get_state.php, potentially exfiltrating sensitive patient or blood bank data. The vulnerability has low confidentiality and integrity impact but carries exploitability risk (E:P in CVSS 4.0) and publicly available exploit code, making it a practical concern for deployed instances despite the low CVSS score of 2.1.
SQL injection in code-projects Gym Management System in PHP allows authenticated remote attackers to manipulate the 'day' parameter in /index.php, enabling arbitrary SQL query execution with limited confidentiality and integrity impact. The vulnerability carries a CVSS score of 2.1 and requires prior authentication (PR:L); publicly available exploit code exists but active exploitation confirmation is absent from CISA KEV data.
Arbitrary file upload in OpenSTAManager 2.10 and earlier allows authenticated high-privilege users to upload malicious files via the module update functionality at modules/aggiornamenti/upload_modules.php, leading to remote code execution. Publicly available exploit code exists (GitHub POC), though EPSS exploitation probability remains low (2%, 5th percentile), suggesting limited observed exploitation activity. CVSS 7.2 reflects high impact but requires high-privilege authentication (PR:H), substantially limiting attack surface to compromised admin accounts or malicious insiders.
Stored cross-site scripting in Pluck CMS before v4.7.21dev allows authenticated high-privilege users to inject arbitrary JavaScript via the page editor, escalating privileges through the sanitizePageContent function in editpage.php. The vulnerability requires attacker authentication with administrative role and user interaction (UI:R), limiting spontaneous exploitation but enabling privilege escalation attacks within compromised admin accounts.
SQL injection in AMTT Hotel Broadband Operation System 1.0 allows authenticated remote attackers with high privileges to manipulate the ID argument in /manager/card/cardhand_submit.php, potentially extracting or modifying database contents. Publicly available exploit code exists, though the CVSS score of 4.7 reflects the requirement for authenticated administrative access, limiting real-world impact compared to unauthenticated SQL injection vulnerabilities.
Improper cryptographic signature verification in Dolibarr ERP CRM up to version 23.0.2 allows remote attackers to bypass signature validation in the Online Signature Module, potentially forging or manipulating signed transactions. The vulnerability affects the dol_verifyHash function and has been publicly disclosed with exploit code available, though exploitation requires high technical complexity and is not confirmed as actively exploited in production environments.
SQL injection in Dolibarr ERP CRM up to version 23.0.2 allows authenticated remote attackers to execute arbitrary SQL queries via the fields parameter in the Shipments API Endpoint (_checkValForAPI function). Exploitation requires high attack complexity and authenticated access, with publicly available exploit code confirmed but no active exploitation reported in CISA KEV at time of analysis.
SQL injection in code-projects Online Hospital Management System 1.0 allows remote unauthenticated attackers to manipulate the delid parameter in /viewappointment.php, enabling database queries with limited confidentiality and integrity impact. The vulnerability is publicly disclosed with available exploit code and poses a network-accessible risk to unpatched deployments.
InnoShop e-commerce platform versions up to 0.7.8 allow unauthenticated remote attackers to bypass authentication controls in the installation endpoint via improper authentication handling in InstallServiceProvider::boot. The vulnerability permits unauthorized access to installation functionality even after initial setup is complete, enabling attackers to achieve partial confidentiality, integrity, and availability impact. Publicly available exploit code exists (GitHub issue #314), and vendor has released patch commit 45758e4ec22451ab944ae2ae826b1e70f6450dc9.
Time-based SQL injection in Geo Mashup WordPress plugin versions ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from ineffective sanitization in the 'object_ids' and 'exclude_object_ids' parameters-while esc_sql() is applied, it provides no protection in unquoted IN() contexts where attackers can inject parentheses and SQL keywords. The numeric sanitizer exists but only applies to AJAX paths, leaving render-map.php and template tag paths vulnerable. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but Wordfence Threat Intelligence disclosure increases likelihood of weaponization.
Time-based SQL injection in WordPress Geo Mashup plugin ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The 'sort' parameter in multiple code paths (render-map.php, template tags) lacks proper sanitization despite esc_sql() application, which is ineffective in ORDER BY contexts without quote encapsulation. Version 1.13.18 added allowlist-based sanitization but only protected the AJAX endpoint, leaving other attack vectors exploitable. EPSS and KEV data not available; vulnerability disclosed by Wordfence with public source code references confirming the flaw.
SQL injection in itsourcecode Courier Management System 1.0 allows high-privilege remote attackers to manipulate the ID parameter in /edit_user.php, leading to unauthorized database queries with limited confidentiality and integrity impact. Exploit code has been publicly disclosed, though the CVSS 4.0 score of 2.0 and requirement for high-privilege authentication significantly constrain real-world risk.
Unauthenticated attackers can inject stored cross-site scripting payloads into Brizy Page Builder for WordPress (versions ≤2.8.11) via form submission FileUpload fields, which execute when administrators view the form Leads page. The vulnerability chains three implementation flaws: missing nonce verification for anonymous form submissions, inadequate sanitization of FileUpload field values when no file is attached, and reversal of HTML entity encoding via html_entity_decode() before unescaped output in admin views. Publicly available exploit code exists. EPSS data not provided, but the CVSS 7.2 (High) with scope change reflects the privilege escalation from unauthenticated user to admin-context execution. Patch released in version 2.8.12 per WordPress plugin repository changeset 3502206.
Stored cross-site scripting (XSS) in Gravity Forms WordPress plugin versions ≤2.10.0 allows remote unauthenticated attackers to inject malicious JavaScript that executes when administrators view form entries. The vulnerability exploits a validation bypass in nested SingleProduct fields within Repeater fields, where product name tampering is not validated. When admins access compromised entries via wp-admin, the unsanitized payload executes in their browser session. CVSS 7.2 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible exploitation without authentication or user interaction during payload delivery, though the attack requires subsequent admin interaction (viewing the entry) for payload execution. No active exploitation confirmed in CISA KEV at time of analysis.
Unauthenticated PHP object injection in Profile Builder Pro for WordPress allows remote attackers to execute arbitrary code by deserializing malicious objects through an unprotected AJAX endpoint. The vulnerability affects all versions through 3.14.5 and stems from unsafe deserialization of attacker-controlled POST data in the wppb_request_users_pins_action_callback() handler, which was registered for both authenticated and unauthenticated users without nonce verification. With CVSS 8.1 and AC:H complexity, exploitation requires chaining with a POP gadget chain, though EPSS data and KEV status are not available to confirm active exploitation.
Stored XSS in Gravity Forms for WordPress ≤2.10.0 allows unauthenticated remote attackers to inject malicious JavaScript through Product Option field values that execute when administrators view entry details. The flaw exploits a sanitization bypass: the plugin's state validation accepts values matching wp_kses()-cleaned legitimate options but stores the raw unsanitized input, which is then rendered without escaping in the Order Summary view (view-order-summary.php:32). EPSS data not available; no public exploit identified at time of analysis. Vendor patch status requires verification via changelog.
Authenticated privilege escalation in 'Import and export users and customers' WordPress plugin versions up to 2.0.8 allows Subscriber-level users to elevate privileges to Administrator on any subsite within a WordPress Multisite network. The vulnerability stems from an incomplete blocklist in save_extra_user_profile_fields() that restricts primary site capability meta keys (wp_capabilities) but fails to block multisite-prefixed equivalents (wp_2_capabilities, wp_3_capabilities, etc.). Exploitation requires that an administrator has previously imported a CSV with multisite-prefixed capability headers and enabled the 'Show fields in profile?' option. Patch released in changeset 3515646 per WordPress plugin repository. No EPSS or KEV data available, indicating no widespread exploitation detected at time of analysis.
Authentication bypass in User Verification by PickPlugins for WordPress allows remote unauthenticated attackers to log in as any user with a verified email - including administrators - by submitting the string 'true' as the OTP code. The vulnerability stems from a loose PHP comparison operator (==) in the OTP validation logic, which treats the boolean true as equal to any non-zero numeric OTP value. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents complete system compromise risk for WordPress sites running vulnerable versions (≤2.0.46). Fixed in version 2.0.47 per Wordfence advisory and WordPress plugin repository changeset 3519113.
SQL injection in itsourcecode Courier Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /edit_staff.php, potentially leading to unauthorized database access and data disclosure. The vulnerability has a CVSS score of 5.5 with a publicly available exploit, indicating moderate real-world risk despite the low confidentiality impact rating.
Reflected cross-site scripting (XSS) in GSVoIP web panel version 2.0.90 allows remote attackers to inject arbitrary JavaScript via the `msg` parameter in the `/painel/gateways.php/error` endpoint. The vulnerability requires user interaction (clicking a malicious link) but can lead to session hijacking, credential theft, or malware distribution. No authentication is required, and public exploit code exists.
Cross-Site Request Forgery in WP Editor plugin through version 1.2.9.2 enables remote attackers to inject arbitrary PHP code into plugin and theme files. The vulnerability requires administrator interaction (clicking a malicious link) but no authentication for the attacker, allowing complete website compromise through file overwrite. EPSS data not available; no confirmed active exploitation at time of analysis. Patch available in changeset 3480577.
Unrestricted file upload in MacCMS Pro up to version 2022.1.3 allows authenticated high-privilege administrators to upload arbitrary files via the plugin installation handler at /admin/addon/add.html, potentially enabling remote code execution. Publicly available exploit code exists, and the vendor has not responded to early disclosure despite contact.
SQL injection in itsourcecode Electronic Judging System 1.0 allows remote attackers to manipulate the Username parameter in /intrams/login.php, leading to unauthorized data access and modification. The vulnerability requires no authentication and can be exploited over the network with low complexity. Publicly available exploit code exists, and the CVSS 4.0 vector indicates confidentiality and integrity impact on the affected application.
SQL injection in code-projects Gym Management System 1.0 allows authenticated high-privilege users to manipulate the edit_exercise parameter in /admin/edit_exercises.php, enabling remote database queries with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists; CVSS 4.7 reflects low real-world risk due to high-privilege requirement (PR:H), though the vulnerability remains remotely accessible without user interaction.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to read, modify, or delete database records via the ID parameter in /ajax.php?action=save_customer. CVSS 7.3 with low attack complexity and no authentication required. Publicly available exploit code exists (GitHub POC published), elevating immediate risk for exposed installations. EPSS data not available, but the combination of network vector, zero authentication, and public POC indicates high probability of opportunistic scanning and exploitation.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to extract database contents, modify records, or execute unauthorized queries via the ID parameter in /ajax.php?action=delete_customer. Publicly available exploit code exists (GitHub POC), enabling trivial exploitation against exposed instances. CVSS 7.3 reflects network-accessible attack with low complexity and no authentication requirement, though EPSS data unavailable and not currently listed in CISA KEV, suggesting limited widespread exploitation despite POC availability.
SQL injection in SourceCodester Advanced School Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the checkEmail endpoint in commonController.php, potentially exposing or modifying database contents. Publicly available exploit code exists and the vulnerability requires only network access with no authentication, making it a practical exploitation risk for exposed instances.
Client-side remote code execution affects MixPHP Framework 2.x through 2.2.17 when sync-invoke clients connect to attacker-controlled servers. The vulnerability enables malicious servers to execute arbitrary code on connecting clients through unsafe deserialization of server responses (CWE-502). EPSS data unavailable, but SSVC indicates no confirmed exploitation and non-automatable attack complexity aligns with CVSS AC:H rating. Primary risk exists in scenarios where MixPHP clients connect to untrusted external services or where server infrastructure could be compromised.
SQL injection in MixPHP Framework 2.x through 2.2.17 allows unauthenticated remote attackers to read or modify database contents via a crafted data array passed to the data function in BuildHelper.php. The vulnerability has an automatable exploitation path per CISA SSVC but no public exploit code or active KEV listing identified at analysis time. CVSS 6.5 (medium) reflects network-accessible SQL injection with partial confidentiality and integrity impact but no availability impact.
SQL injection in MixPHP Framework versions 2.0 through 2.2.17 allows unauthenticated remote attackers to execute arbitrary SQL queries by supplying crafted array parameters to the joinOn function in BuildHelper.php. The vulnerability has a CVSS score of 6.5 with network-accessible exploitation requiring no authentication or user interaction. SSVC signals indicate exploitation is automatable, though no active exploitation in the wild has been reported at time of analysis.
Arbitrary code execution in MixPHP Framework 2.x through 2.2.17 allows local attackers to execute malicious PHP closures via unauthenticated TCP connections to the sync-invoke server. The vulnerability stems from unsafe deserialization of untrusted data on localhost-bound port 127.0.0.1, where Server.php directly passes socket data to Opis\Closure\unserialize() and executes the result without authentication or signature verification. Exploitation requires local network access or SSRF capability against the application server. No public exploit code identified at time of analysis, but the attack mechanism is straightforward for attackers with PHP deserialization knowledge.
Authenticated admin users in V2Board through version 1.7.4 can exploit unsanitized sort parameters in the user management interface to disclose sensitive database information including password hashes and authentication tokens through ORDER BY-based information disclosure. The vulnerability requires admin privileges and does not enable data modification or service disruption, but allows attackers with administrative access to extract confidential user data by analyzing sort order patterns.
V2Board through version 1.7.4 exposes sensitive server authentication tokens via GET parameters in the UniProxy API endpoint, causing tokens to be recorded in web server access logs, browser history, HTTP Referer headers, and intermediary proxies. An attacker who obtains access to any log source can extract the token and impersonate a proxy server node, potentially intercepting all user traffic passing through that node.
Stored cross-site scripting in V2Board through version 1.7.4 allows authenticated administrators to inject arbitrary JavaScript into the custom_html theme configuration field via the saveThemeConfig API, which is rendered unescaped in the dashboard.blade.php template and executed in the browsers of all site visitors, enabling cookie theft, session hijacking, and phishing attacks.
Code injection in Bootstrap CMS 0.9.0-alpha page creation handler allows authenticated remote attackers to inject arbitrary code via the body parameter in resources/views/pages/show.blade.php, with publicly available exploit code and a CVSS score of 2.1 reflecting low confidentiality/integrity impact. The vulnerability affects an unmaintained product with an inactive code repository, limiting real-world exposure but enabling opportunistic exploitation of legacy deployments.
SQL injection in SourceCodester Hotel Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the room_type parameter in /index.php/reservation/check. CVSS 7.3 indicates medium-to-high severity with confidentiality, integrity, and availability impacts. Publicly available exploit code (GitHub) significantly lowers the barrier to exploitation. EPSS data unavailable, but public POC availability and remote unauthenticated attack vector suggest elevated real-world risk for internet-exposed installations of this PHP-based hotel management system.
LinkStack up to version 4.8.6 contains an authorization bypass vulnerability in the saveLink function of UserController.php that allows authenticated attackers to modify links belonging to other users via insecure direct object references (IDOR). The vulnerability affects the Management Endpoint and enables remote attackers with valid credentials to manipulate or delete arbitrary user links, with publicly available exploit code and an unmerged patch awaiting acceptance.
SQL injection in Flight PHP framework's SimplePdo database helpers allows privilege escalation through crafted array keys. Applications forwarding user-controlled request data shapes to insert(), update(), or delete() methods enable remote authenticated attackers to inject arbitrary SQL, create administrative accounts, modify sensitive columns, or exfiltrate data. Vendor-released patch in version 3.18.1 validates identifiers with safe-identifier regex. Publicly available proof-of-concept demonstrates privilege escalation via malicious JSON request keys. Researcher @Rootingg discovered and reported through GitHub Security Advisory GHSA-xwqr-rcqg-22mr.
### Summary The `make:controller` CLI command calls `mkdir(..., recursive: true)` on a path built from the user-supplied controller name, **before** Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name contains `/`, but the recursive directory creation side effect is already committed - including directories located outside the project root through `../` traversal. ### Affected code `flight/commands/ControllerCommand.php` (≈ 63-66): ```php if (is_dir(dirname($controllerPath)) === false) { $io->info('Creating directory ' . dirname($controllerPath), true); mkdir(dirname($controllerPath), 0755, true); // un-normalized, runs before validation } ``` ### Proof of concept ``` $ php vendor/flightphp/runway/runway make:controller '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwn' Creating directory .../app/controllers/../../../../tmp/CONTROLLER_TRAVERSAL_TEST Nette\InvalidArgumentException: Value '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwnController' is not valid class name. $ ls /home/user/tmp/CONTROLLER_TRAVERSAL_TEST (directory exists - created before the exception was thrown) ``` ### Impact - **Arbitrary directory creation outside the project root**, executable by any local actor that can run the Flight CLI (developer machine, shared CI build agent, compromised dev container). - Primes log-file planting for chained LFI exploitation (e.g. creating a directory where an attacker can later drop a `.php` file to be included via a distinct template-include weakness). - On Windows, the `\` separator opens additional traversal surface. ### Patch (fixed in `3.18.1`, commit `b8dd23a`) The controller name is now normalized with `basename()` and validated against `^[A-Za-z_][A-Za-z0-9_]*$` before any `mkdir` side effect runs. ### Credit Discovered by **@Rootingg**.
Reflected cross-site scripting in Flight PHP framework's JSONP endpoint implementation allows remote attackers to execute arbitrary JavaScript in victim browsers by injecting malicious code through unvalidated callback parameters. Flight PHP versions prior to 3.18.1 concatenate user-supplied `jsonp` query parameters directly into JavaScript responses without identifier validation, enabling cookie theft and session hijacking when vulnerable endpoints are embedded via script tags. The vulnerability was patched in version 3.18.1 (commit b8dd23a) with regex validation limiting callbacks to legal JavaScript identifiers. A working proof-of-concept demonstrates cookie exfiltration via crafted callback parameters.
Privilege escalation in Grav CMS 2.0.0-beta.2 allows authenticated API users with minimal media.write permissions to fabricate super-admin accounts via arbitrary YAML file upload. The /api/v1/blueprint-upload endpoint accepts attacker-controlled destination and scope parameters that, when combined with specific values (destination=self@: and scope=users/anything), write files directly into user/accounts/. Because Grav parses YAML files in this directory as authoritative user accounts and accepts plaintext passwords on first login, attackers craft a new account with api.super privileges, then authenticate as that account to gain full administrative control. Publicly available exploit code exists (detailed PoC in vendor advisory). Vendor-released patch restricts accounts directory uploads to image-only extensions and blocks config-bearing file types (YAML, JSON, Twig) across all blueprint-upload targets.
Reflected cross-site scripting (XSS) in OpenMage Magento LTS versions up to 20.17.0 allows authenticated admin users to inject arbitrary JavaScript via the Import/Export Dataflow Profiles run interface. The vulnerability exists in the System → Import/Export → Dataflow Profiles page where unsanitized filename parameters are reflected into HTML context, enabling cookie theft and admin panel defacement. The exploitation requires admin panel access and user interaction to click a malicious link, but no network-based unauthenticated exploitation is possible.
Remote code execution in Scramble API documentation generator versions 0.13.2 through 0.13.21 allows unauthenticated attackers to execute arbitrary PHP code when documentation endpoints are publicly accessible and validation rules reference user-controlled input. Fixed in version 0.13.22. The CVSS score of 9.4 (Critical) reflects the network-accessible, low-complexity attack requiring no authentication, though exploitation requires specific configuration where documentation endpoints remain enabled and validation rules incorporate request-supplied data. No active exploitation (CISA KEV) or public POC identified at time of analysis, but the GitHub security advisory provides full technical details enabling reproduction.
Remote code execution in Vvveb CMS versions before 1.0.8.2 allows authenticated users with media-upload permissions to execute arbitrary PHP code with web server privileges via a two-stage attack: uploading a malicious .htaccess file to map .phtml extensions to the PHP handler, then uploading a .phtml file containing PHP code. Exploitation requires only low-privileged authentication (CVSS PR:L) and no user interaction (UI:N), making post-authentication compromise straightforward. Vendor-released patch available in version 1.0.8.2 per GitHub security advisory GHSA-wwmv-4g9g-p48g and commit 54a9e846. VulnCheck advisory provides detailed technical analysis of the bypass technique.
Remote code execution in Vvveb CMS versions before 1.0.8.2 enables low-privilege authenticated users (editor, author, contributor, or site_admin roles) to escalate privileges and execute arbitrary PHP code. Attackers exploit the admin code editor's insufficient file extension validation by first uploading a malicious .htaccess file that maps arbitrary extensions to the PHP handler, then uploading PHP code disguised with that extension. Once uploaded, the PHP code executes with web server privileges when accessed via HTTP, effectively bypassing authentication and achieving full system compromise. The vulnerability requires only low-privilege access (PR:L) with no attack complexity or user interaction (AC:L/UI:N), and vendor-released patch version 1.0.8.2 is confirmed available via GitHub. No public exploit code or active exploitation (KEV) confirmed at time of analysis.
XML external entity injection in Vvveb CMS versions before 1.0.8.2 allows authenticated site_admin users to read arbitrary server files and overwrite administrator password hashes via the admin Tools/Import feature. The vulnerability resides in system/import/xml.php where LIBXML_NOENT flag enabled external entity resolution, allowing injection of file:// and php://filter protocols. Attackers with low-privilege admin accounts can escalate to full administrator access by replacing password hashes in the database. Vendor-released patch version 1.0.8.2 removes LIBXML_NOENT flag. No active exploitation confirmed by CISA KEV at time of analysis.
Authenticated control-panel users in Craft CMS 5.x can enumerate asset filenames and complete folder hierarchies (volume handles, UIDs, folder names, URIs) across all volumes by sending arbitrary asset IDs to the AssetsController::actionShowInFolder endpoint, bypassing volume-level viewAssets and viewPeerAssets permission checks. The flaw stems from an incomplete February 2026 patch wave that fixed four sibling endpoints but missed this method, introduced 13 days before the patch release. No public exploit identified at time of analysis; vendor-released patch fixes 5.9.18 and later. This information disclosure vulnerability enables reconnaissance for follow-up attacks against restricted asset volumes.
Unauthorized PII disclosure in Craft CMS GraphQL API allows cross-scope address enumeration via missing authorization check. A GraphQL API token scoped to any single low-privilege user group can read all addresses system-wide, including PII from restricted user groups (full names, home addresses, corporate addresses, tax IDs, GPS coordinates). The Address element resolver bypasses schema scope filtering that all other element resolvers enforce. Vendor-released patch: versions 5.9.18 and 4.17.12. Publicly available exploit code exists (detailed PoC in GitHub advisory). Affects all Craft CMS Pro deployments (v4.0.0+) using headless GraphQL APIs with user group scoping-a standard deployment pattern for Next.js/Nuxt/Gatsby frontends.
Fluent Forms plugin for WordPress up to version 6.2.1 allows authenticated administrators to read arbitrary files readable by the web server through path traversal in the getAttachments() method of EmailNotificationActions. The vulnerability stems from insufficient validation of file-upload URLs in admin notification configurations, permitting attackers to supply traversal sequences like <upload_baseurl>/../../<target> to access sensitive files such as wp-config.php containing database credentials and authentication salts. While unauthenticated users can trigger email notifications, the exploit requires administrator-level access to configure the malicious notification attachment.
AVideo version 29.0 and earlier exposes API authentication secrets (APISecret) to unauthenticated remote attackers via a publicly accessible plugin configuration endpoint at objects/plugins.json.php. This vulnerability enables complete bypass of authentication controls protecting sensitive API endpoints including user enumeration (users_list) and other privileged operations. Publicly available exploit code exists (proof-of-concept demonstrated in GitHub advisory GHSA-xr49-f4rh-qcjf). Upstream fix available via commit 1c36f229 but no tagged release version has been independently confirmed at time of analysis.
Server-Side Request Forgery (SSRF) in AVideo versions up to 29.0 allows authenticated attackers to exfiltrate cloud metadata credentials and access internal services via HTTP redirect bypass and DNS rebinding attacks. Two endpoints in AVideo's AI plugin and EPG parser validate user-supplied URLs using isSSRFSafeURL() but then fetch them with file_get_contents() using PHP's default automatic redirect following. An attacker supplies a URL to a controlled server returning a 302 redirect to internal resources (e.g., AWS instance metadata at 169.254.169.254), bypassing SSRF protections since only the initial URL is validated. Vendor-released patch available via GitHub commit 603e7bf7. CVSS 7.7 reflects Changed Scope due to cross-boundary access to cloud infrastructure credentials.
Insecure Direct Object Reference (IDOR) in AVideo's PayPalYPT plugin allows any authenticated user to cancel arbitrary PayPal billing agreements belonging to other users by supplying a victim's agreement ID to the `agreementCancel.json.php` endpoint. An attacker can silently suspend a victim's recurring subscription without authorization, causing revenue loss to the platform operator and service interruption to the victim. The vulnerability exists because the endpoint only checks that the user is logged in, but fails to verify ownership of the agreement being canceled, despite a sister endpoint (`PayPalAgreementCancel.json.php`) implementing the correct authorization check.
Unauthenticated CRLF injection in AVideo's Scheduler plugin allows remote attackers to inject arbitrary calendar events into ICS files served from the victim's trusted domain, enabling high-credibility calendar phishing attacks. The vulnerable endpoint accepts attacker-controlled parameters without sanitization, passes them through an incomplete escape function that does not neutralize carriage-return/line-feed bytes, and constructs RFC 5545-compliant ICS calendar files containing injected VEVENT blocks. Exploitation requires only that the Scheduler plugin be enabled (common default) and user interaction to import the malicious .ics file; no authentication or special configuration is needed. A vendor-released patch is available.
Unauthenticated user enumeration in AVideo objects/users.json.php allows remote attackers to disclose all registered user accounts via an isCompany parameter that bypasses admin-only access controls, and a users_id parameter that acts as a sequential-ID existence oracle. An unauthenticated attacker can harvest the complete user directory-including display names, numeric IDs, profile URLs, photos, and active/inactive status-in a single unbounded GET request, enabling credential stuffing and phishing campaigns. The vulnerability affects AVideo through version 29.0; vendor patch available.
Unauthenticated arbitrary email sending via sendEmail.json.php allows remote attackers to send phishing emails from the site's legitimate sender address to arbitrary recipients by omitting the contactForm parameter, bypassing authentication and CSRF protections. The endpoint is explicitly allow-listed as a public write action and requires only a solved captcha, enabling an attacker to impersonate the site operator and send messages with forged From/Reply-To headers that pass SPF/DKIM/DMARC validation for the site's domain, ideal for targeted credential harvesting and brand impersonation attacks.
Blind server-side request forgery (SSRF) in AVideo's donation webhook system allows authenticated users to configure webhook URLs pointing to internal/loopback/metadata services (127.0.0.1, 169.254.169.254, RFC1918 addresses). When any user donates via the CustomizeUser plugin, the AVideo server issues an unauthenticated POST request to the attacker-supplied URL without validating it against the codebase's existing isSSRFSafeURL() helper. The vulnerability is compounded by CURLOPT_FOLLOWLOCATION being enabled without per-hop revalidation, permitting HTTP 307 redirects from attacker-controlled hosts to bypass even future URL validation. CVSS 5.4 (network-accessible, requires authentication, low complexity); no public proof-of-concept or active KEV exploitation confirmed at analysis time, but the vulnerability is trivially exploitable with two attacker-controlled accounts and the PoC is fully documented in the advisory.
Stored cross-site scripting in Grav CMS allows low-privileged users with page-creation permissions to inject malicious SVG payloads that execute when administrators view the page. The vulnerability stems from regex-based XSS detection that fails to catch unquoted event handlers and omits SVG/MathML from dangerous tags. Exploitation exfiltrates the admin-nonce token from /admin/config/info, enabling CSRF bypass and chained remote code execution through scheduled tasks or plugin endpoints. GitHub advisory GHSA-w8cg-7jcj-4vv2 confirms exploit details; patch available in Grav 2.0.0-beta.2 (commit 5a12f9be8). CVSS 8.9 (High) with network attack vector, low complexity, and scope change reflecting cross-context session hijacking.
Unauthenticated path traversal in Grav CMS FormFlash component allows remote attackers to create arbitrary directories and write configuration files (index.yaml) with controlled content. Confirmed actively exploited (CISA KEV). The vulnerability affects all Grav v1.7.x installations with form-enabled pages (default in standard deployments). Attack complexity is low-requires only manipulating the __form-flash-id POST parameter with traversal sequences. Vendor-released patch available in v2.0.0-beta.2 (commit d904efc33) applies strict alphanumeric sanitization to session identifiers. EPSS exploitation probability data not available, but GitHub advisory confirms zero-day status prior to patch, with public proof-of-concept demonstrating directory creation in user/config/ paths leading to configuration injection and potential DoS via inode exhaustion.
Grav CMS Admin Panel allows authenticated users with only user-creation permissions to overwrite administrator accounts by submitting the admin's username when creating a new user. The flawed create-or-update logic replaces the existing super-admin account metadata with attacker-supplied low-privilege data, locking the legitimate administrator out and causing complete loss of management control. Vendor-released patch: fixed in 2.0.0-beta.2 (commit d904efc33). Publicly available exploit code exists (video PoC published by Grav maintainers). EPSS data not provided, but the low attack complexity and confirmed PoC make exploitation straightforward for any low-privileged user with create-user rights.
Stored cross-site scripting in Grav CMS allows publisher-level authenticated users to execute arbitrary JavaScript in victim browsers by injecting unquoted HTML event handlers that bypass the detectXss() blacklist regex. The flawed pattern failed to detect on* event attributes without surrounding quotes, enabling payloads like <img src=x onerror=eval(...)> to persist in content fields and execute when administrators or other users view the compromised page. Vendor-released patch confirmed in commit 5a12f9be8 (Grav 2.0.0-beta.2), which tightens the on_events regex to flag unquoted attributes, adds dangerous XML namespace tags (svg, math) to the default blocklist, and hardens MediaObjectTrait::attribute() with strict identifier validation. Publicly available exploit code exists. EPSS and KEV data not provided; exploitation requires publisher-level account privileges.
Sensitive information disclosure in Grav CMS v1.8.0-beta.29 allows low-privileged users with page editing permissions to bypass Twig sandbox restrictions and extract administrative password hashes and security salts via the exposed `grav['accounts']` service. A content editor can inject a Twig template with `{{ grav['accounts'].load('admin').get('hashed_password') }}` to retrieve plaintext Bcrypt hashes accessible for offline brute-force attack. Vendor-released patch available (2.0.0-beta.2 and commit c66dfeb5ff679a1667678c6335eb9ff3255dfc47); publicly available proof-of-concept exists demonstrating practical exploitation.
Unauthenticated privilege escalation in Grav CMS Login plugin 3.8.0 allows remote attackers to self-register with admin.super privileges via missing server-side validation of groups and access fields. When administrators configure user registration with groups or access in allowed fields (a permitted UI action), attackers inject these fields into registration POST requests to bypass config-level defaults and gain full administrative access. Vendor-released patch: Login plugin 3.8.2 / Grav 2.0.0-beta.2 (commit 3d419a0). No public exploit identified at time of analysis, but the GitHub security advisory includes detailed proof-of-concept code demonstrating the attack.
Stored cross-site scripting in Grav CMS Form plugin allows editor-level users to inject arbitrary JavaScript via taxonomy tag and category values that execute in administrator browsers when viewing any page in the admin panel. The vulnerability exploits unescaped Twig `|raw` filters in the select field template combined with a bypassable XSS detection regex, enabling privilege escalation through nonce theft and unauthorized admin actions. Vendor-released patch available in grav-plugin-form 9.0.1 and Grav core 2.0.0-beta.2.
Stored cross-site scripting in Grav CMS via Markdown media attribute injection allows authenticated page editors to inject executable JavaScript event-handler attributes into rendered image HTML. An editor can craft Markdown syntax like `)` which bypasses the attribute() media method's input validation and renders as `<img onload="alert(1)">`, executing arbitrary JavaScript in the browsers of any user viewing the affected page, including administrators and reviewers in multi-user installations. Publicly available patch confirmed in version 2.0.0-beta.2.
Remote code execution in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated administrators to deploy malicious PHP web shells by uploading crafted ZIP files through the Direct Install tool at /admin/tools/direct-install. The vulnerability combines insufficient ZIP archive content validation (Zip Slip primitive via path traversal) with the design-level acceptance of arbitrary plugin PHP code. Publicly available exploit code exists, demonstrating automated login, nonce extraction, malicious plugin upload, and persistent shell deployment. CVSS 9.1 (Critical) reflects network-accessible RCE with scope change, though exploitation requires high privileges (admin role). No EPSS or KEV data available at time of analysis.
Privilege escalation in Grav API Plugin (versions < 1.0.0-beta.15) allows any authenticated user with basic 'api.access' permission to elevate themselves to Super Administrator by sending a crafted PATCH request to modify their own permission configuration. The vulnerability, confirmed by vendor GitHub Security Advisory GHSA-r945-h4vm-h736, stems from inadequate authorization checks in the UsersController::update method, which permits self-editing users to overwrite the 'access' field containing role definitions. Successful exploitation grants complete CMS control including the ability to edit Twig templates outside sandbox restrictions for remote code execution. A detailed proof-of-concept is publicly available, and vendor-released patch is confirmed in version 1.0.0-beta.15.
Formula injection in Kimai 2.27.0 through 2.53.0 allows authenticated users with ROLE_USER to create tags containing formula strings (e.g., =SUM(54+51)) via the POST /api/tags endpoint. When administrators export timesheets to XLSX format, the ArrayFormatter joins tag names without sanitization, and OpenSpout automatically promotes formula-prefixed strings to FormulaCell objects. Excel or LibreOffice Calc evaluates these formulas when the exported file is opened, enabling code execution on any workstation that imports and opens the poisoned spreadsheet. Publicly available exploit code demonstrates the attack via normal user account and admin export workflow.
Open redirect vulnerability in OpenMage LTS through version 20.17.0 allows authenticated attackers to redirect logged-in customers to arbitrary external URLs via an unvalidated `uenc` parameter in the ProductAlert `stockAction()` controller. The vulnerability occurs when a non-existent product ID is supplied, bypassing the `_isUrlInternal()` validation check present in the analogous `priceAction()` method. Attackers can exploit this for credential phishing, OAuth token theft, affiliate fraud, or malware distribution by crafting a malicious link and distributing it via email, forums, or social media.
DNS rebinding in Admidio's SSO metadata fetch endpoint bypasses SSRF protections by validating a hostname's IP address with gethostbyname() but passing the original hostname to curl_init(), allowing attackers to redirect requests to internal services including cloud metadata endpoints. Authenticated administrators can exploit this TOCTOU window between DNS resolution check and cURL connection to access internal IP ranges, read instance metadata, or scan internal networks.
Predictable API session token generation in OpenMage LTS (≤ 20.16.0, confirmed vulnerable through ≤ 20.17.0) allows remote unauthenticated attackers to hijack authenticated XML-RPC, SOAP, and legacy REST API sessions by brute-forcing MD5 digests derived from time-based inputs. The session ID is constructed via md5(time() . uniqid('', true) . null), leaving an attacker with predictable timestamp and microsecond components plus a constrained LCG float - yielding far less than the OWASP ASVS-mandated 64 bits of entropy. Publicly available exploit code exists in the form of a working Python PoC included with the advisory.
Reflected XSS in AVideo's Meet plugin allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unescaped user and pass query parameters into a JavaScript string literal. The vulnerability is reachable without authentication on any public Meet schedule with no password (the default configuration), enabling session cookie theft and account takeover of authenticated users. CVSS 6.1 (AV:N/AC:L/PR:N/UI:R/S:C) reflects network delivery requiring user interaction but changed scope due to cookie exfiltration across the AVideo application origin.
Cross-site request forgery in AVideo's userSavePhoto.php endpoint allows unauthenticated remote attackers to overwrite any logged-in user's profile photo with arbitrary bytes by luring them to a malicious webpage. The vulnerability exploits a missing CSRF token and a default cookie policy of SameSite=None on HTTPS deployments, combined with unvalidated base64 decoding that accepts any file content. Each successful attack also triggers a global cache invalidation, enabling denial-of-service via cache thrashing.
Stored HTML injection in AVideo's notifySubscribers endpoint allows any authenticated uploader to broadcast platform-branded phishing emails to up to 10,000 channel subscribers without sanitization, escaping, or rate limits. The attacker-supplied HTML is injected directly into the email template via str_replace and rendered by PHPMailer, arriving with the platform's official contact email address, logo, and site title, enabling credential theft and reconnaissance at scale with no visible indication that content originated from an uploader rather than the platform operator.
Password hash exposure in AVideo's MobileManager OAuth redirect enables account takeover when unauthenticated attackers capture the redirect URL from server logs, browser history, or referrer leakage, then replay the hash via the login endpoint's encodedPass bypass. The vulnerability affects all users who authenticate through OAuth (Google, etc.) when the MobileManager plugin is enabled, including administrators, and requires only user interaction to trigger the initial OAuth flow-no active exploitation in the wild has been confirmed at analysis time, but a working proof-of-concept exists and patch has been released by the vendor.
Unauthenticated remote code execution in AVideo ≤29.0 allows attackers to inject and execute arbitrary JavaScript in the browsers of any logged-in users through a WebSocket message relay bypass. An attacker obtains a WebSocket token without authentication from plugin/YPTSocket/getWebSocket.json.php, connects to the WebSocket server, and sends a crafted message with autoEvalCodeOnHTML nested under the json field instead of msg. The incomplete server-side sanitization from prior fix c08694bf6 (GHSA-gph2-j4c9-vhhr) only strips autoEvalCodeOnHTML from $json['msg'], but the relay function msgToResourceId() preferentially selects $msg['json'] as the outbound message carrier. The payload bypasses sanitization, reaches the victim's browser via WebSocket relay, and executes through eval() at plugin/YPTSocket/script.js:573-575. Vendor-released patch: commit 9f3006f9a (recursive stripping across all message carriers). No public exploit identified at time of analysis, but the advisory includes functional proof-of-concept Python code.
Unauthenticated information disclosure in AVideo CloneSite plugin (versions ≤29.0) leaks the installation's shared secret authentication key through an error message, enabling attackers to impersonate the victim installation to its federated clone server and trigger a full database dump into a publicly accessible directory. The vulnerability chains two flaws: cloneClient.json.php echoes the local myKey credential in HTTP responses to any unauthenticated request due to incorrect $argv handling in web contexts, and the remote cloneServer.json.php then accepts this leaked key to authenticate mysqldump operations without IP restrictions or access controls on the resulting dump files. Patch available via GitHub commit e6566f56. No evidence of active exploitation (not in CISA KEV); EPSS data not provided. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact from direct credential exposure plus cross-site database access in federated deployments.
SQL injection in itsourcecode Courier Management System 1.0 via the ids parameter in /print_pdets.php allows authenticated remote attackers to execute arbitrary SQL queries with low impact to confidentiality, integrity, and availability. The vulnerability has a publicly available proof-of-concept and is characterized by low CVSS score (2.1) due to authentication requirement and limited scope, but SQL injection itself represents a persistent threat vector if the system processes sensitive courier data.
EmailKit plugin for WordPress versions up to 1.6.5 allows authenticated attackers with Author-level access to read arbitrary files from the server due to a path traversal vulnerability in the create_template() method. The vulnerability exploits a PHP 8.x type coercion flaw where realpath() returns false for non-existent directories, causing strpos() validation to incorrectly evaluate and bypass directory restrictions. Attackers can retrieve sensitive files such as wp-config.php by submitting absolute paths via the emailkit-editor-template REST API parameter. No public exploit code identified at time of analysis, though the vulnerability mechanism is trivial to weaponize once authentication is obtained.
Loco Translate plugin for WordPress versions up to 2.8.2 allows authenticated attackers with Translator-level access to read arbitrary files outside the intended translation directory via path traversal in the `fsReference` AJAX endpoint. The vulnerability exploits insufficient validation of directory traversal sequences (`../`) in the `findSourceFile()` method, enabling disclosure of sensitive `.php`, `.js`, `.json`, and `.twig` files including wp-config.php-adjacent files. No public exploit code has been identified at time of analysis, and the attack requires administrative capability assignment (`loco_admin` capability) granted to translators by default.
Cross-Site Request Forgery in Publish 2 Ping.fm WordPress plugin up to version 1.1 allows unauthenticated attackers to modify plugin settings and inject malicious scripts by tricking site administrators into clicking a crafted link, exploiting missing nonce validation on the admin settings page. The vulnerability requires user interaction (admin click) and affects the plugin's confidentiality and integrity but not availability. No public exploit code or active exploitation has been confirmed.
SQL injection in CodeCanyon Perfex CRM up to version 3.4.1 allows authenticated remote attackers to execute arbitrary SQL queries via the Admin Kanban Endpoint's AbstractKanban::applySortQuery function. The vulnerability stems from improper sanitization of the sort query argument and can lead to unauthorized data access, modification, and potential system compromise. Publicly available exploit code exists, increasing real-world risk.
Authorization bypass in CodeCanyon Perfex CRM up to 3.4.1 allows authenticated remote attackers to access projects belonging to other tenants via manipulation of the ID parameter in the Clients::project function. The vulnerability requires valid user credentials but grants access to cross-tenant data with low confidentiality, integrity, and availability impact. Publicly available exploit code exists for this flaw.
Password reset poisoning in AzuraCast versions ≤0.23.5 allows remote attackers to achieve full account takeover via client-supplied X-Forwarded-Host header injection. The ApplyXForwarded middleware lacks trusted proxy validation, enabling unauthenticated attackers to poison password reset URLs sent to victims. When victims click the poisoned link, their reset token is exfiltrated to attacker-controlled infrastructure. The attacker then redeems the token on the legitimate instance to reset the victim's password and unconditionally destroy their 2FA configuration, bypassing multi-factor authentication protections. Vendor-confirmed patch released in version 0.23.6. No public exploit identified at time of analysis. CVSS 8.1 reflects network attack vector with user interaction required (clicking email link). The vulnerability is limited to deployments using the default Docker configuration with nginx+PHP-FPM where fastcgi_pass forwards client headers unfiltered.
Path traversal in AzuraCast's Flow.js media upload endpoint allows authenticated users with media management permissions to write arbitrary PHP files outside designated storage directories, achieving remote code execution. The vulnerability exists in versions ≤0.23.5 where the unsanitized `currentDirectory` parameter bypasses filename sanitization, and a `finally` block writes uploaded files before MIME validation completes. Only local filesystem storage (default configuration) is affected-remote S3/cloud backends are not vulnerable. Vendor-confirmed patch available in version 0.23.6. No public exploit or CISA KEV listing identified at time of analysis, but detailed proof-of-concept exists in GitHub advisory GHSA-vp2f-cqqp-478j demonstrating webshell upload to web root.
Arbitrary database table drop in CI4MS theme deletion allows authenticated administrators with theme.delete permission to craft malicious POST requests to the `/backend/themes/delete-process/` endpoint and drop any table in the database, including critical tables such as ci4ms_users and ci4ms_auth_identities. The vulnerability exists because the deleteProcess() action accepts user-supplied table names without validating them against the theme's own migration files, violating the principle of least privilege even within the admin trust model. Vendor-released patch 0.31.8.0 implements migration-based whitelist validation to restrict deletions to declared theme tables.
Denial-of-service condition in Conditional Fields for Contact Form 7 WordPress plugin allows remote unauthenticated attackers to crash PHP processes by injecting arbitrarily large iteration values through REST API parameters. The Wpcf7cfMailParser class processes user-supplied POST data without validation, enabling attackers to trigger unbounded loops with multiple regex operations that exhaust server memory. Affects all versions through 2.6.7 with vendor patch now available. EPSS data not provided, but the network-accessible unauthenticated attack vector (AV:N/PR:N) combined with low complexity (AC:L) indicates straightforward exploitation potential against publicly accessible WordPress sites running this plugin.
Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. Publicly available exploit code exists, but no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path.
SQL injection in SourceCodester Web-based Pharmacy Product Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /product_expiry/edit-admin.php, enabling unauthorized data access, modification, and deletion. The vulnerability has a publicly available exploit and CVSS 6.3 base score reflects moderate impact with low attack complexity; however, authentication is required, limiting exposure to users with valid credentials.
Unrestricted file upload in funadmin up to version 7.1.0-rc6 allows remote attackers to upload arbitrary files via the Frontend Chunked Upload Endpoint (UploadService::chunkUpload function). The vulnerability stems from insufficient validation of the File parameter and can be exploited without authentication; publicly available exploit code exists and a patch (PR #59) has been released by the vendor.
Unrestricted file upload in code-projects BloodBank Managing System 1.0 via request_blood.php allows authenticated remote attackers to upload arbitrary files with limited impact. The vulnerability requires valid user credentials (PR:L per CVSS vector) but has low confidentiality, integrity, and availability impact (VC:L/VI:L/VA:L). Publicly available exploit code exists; however, the low CVSS score (2.1) and confined impact scope suggest this poses minimal risk despite public disclosure.
SQL injection in code-projects BloodBank Managing System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the G_STATE_ID parameter in get_state.php, potentially exfiltrating sensitive patient or blood bank data. The vulnerability has low confidentiality and integrity impact but carries exploitability risk (E:P in CVSS 4.0) and publicly available exploit code, making it a practical concern for deployed instances despite the low CVSS score of 2.1.
SQL injection in code-projects Gym Management System in PHP allows authenticated remote attackers to manipulate the 'day' parameter in /index.php, enabling arbitrary SQL query execution with limited confidentiality and integrity impact. The vulnerability carries a CVSS score of 2.1 and requires prior authentication (PR:L); publicly available exploit code exists but active exploitation confirmation is absent from CISA KEV data.
Arbitrary file upload in OpenSTAManager 2.10 and earlier allows authenticated high-privilege users to upload malicious files via the module update functionality at modules/aggiornamenti/upload_modules.php, leading to remote code execution. Publicly available exploit code exists (GitHub POC), though EPSS exploitation probability remains low (2%, 5th percentile), suggesting limited observed exploitation activity. CVSS 7.2 reflects high impact but requires high-privilege authentication (PR:H), substantially limiting attack surface to compromised admin accounts or malicious insiders.
Stored cross-site scripting in Pluck CMS before v4.7.21dev allows authenticated high-privilege users to inject arbitrary JavaScript via the page editor, escalating privileges through the sanitizePageContent function in editpage.php. The vulnerability requires attacker authentication with administrative role and user interaction (UI:R), limiting spontaneous exploitation but enabling privilege escalation attacks within compromised admin accounts.
SQL injection in AMTT Hotel Broadband Operation System 1.0 allows authenticated remote attackers with high privileges to manipulate the ID argument in /manager/card/cardhand_submit.php, potentially extracting or modifying database contents. Publicly available exploit code exists, though the CVSS score of 4.7 reflects the requirement for authenticated administrative access, limiting real-world impact compared to unauthenticated SQL injection vulnerabilities.
Improper cryptographic signature verification in Dolibarr ERP CRM up to version 23.0.2 allows remote attackers to bypass signature validation in the Online Signature Module, potentially forging or manipulating signed transactions. The vulnerability affects the dol_verifyHash function and has been publicly disclosed with exploit code available, though exploitation requires high technical complexity and is not confirmed as actively exploited in production environments.
SQL injection in Dolibarr ERP CRM up to version 23.0.2 allows authenticated remote attackers to execute arbitrary SQL queries via the fields parameter in the Shipments API Endpoint (_checkValForAPI function). Exploitation requires high attack complexity and authenticated access, with publicly available exploit code confirmed but no active exploitation reported in CISA KEV at time of analysis.
SQL injection in code-projects Online Hospital Management System 1.0 allows remote unauthenticated attackers to manipulate the delid parameter in /viewappointment.php, enabling database queries with limited confidentiality and integrity impact. The vulnerability is publicly disclosed with available exploit code and poses a network-accessible risk to unpatched deployments.
InnoShop e-commerce platform versions up to 0.7.8 allow unauthenticated remote attackers to bypass authentication controls in the installation endpoint via improper authentication handling in InstallServiceProvider::boot. The vulnerability permits unauthorized access to installation functionality even after initial setup is complete, enabling attackers to achieve partial confidentiality, integrity, and availability impact. Publicly available exploit code exists (GitHub issue #314), and vendor has released patch commit 45758e4ec22451ab944ae2ae826b1e70f6450dc9.
Time-based SQL injection in Geo Mashup WordPress plugin versions ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from ineffective sanitization in the 'object_ids' and 'exclude_object_ids' parameters-while esc_sql() is applied, it provides no protection in unquoted IN() contexts where attackers can inject parentheses and SQL keywords. The numeric sanitizer exists but only applies to AJAX paths, leaving render-map.php and template tag paths vulnerable. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but Wordfence Threat Intelligence disclosure increases likelihood of weaponization.
Time-based SQL injection in WordPress Geo Mashup plugin ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The 'sort' parameter in multiple code paths (render-map.php, template tags) lacks proper sanitization despite esc_sql() application, which is ineffective in ORDER BY contexts without quote encapsulation. Version 1.13.18 added allowlist-based sanitization but only protected the AJAX endpoint, leaving other attack vectors exploitable. EPSS and KEV data not available; vulnerability disclosed by Wordfence with public source code references confirming the flaw.
SQL injection in itsourcecode Courier Management System 1.0 allows high-privilege remote attackers to manipulate the ID parameter in /edit_user.php, leading to unauthorized database queries with limited confidentiality and integrity impact. Exploit code has been publicly disclosed, though the CVSS 4.0 score of 2.0 and requirement for high-privilege authentication significantly constrain real-world risk.
Unauthenticated attackers can inject stored cross-site scripting payloads into Brizy Page Builder for WordPress (versions ≤2.8.11) via form submission FileUpload fields, which execute when administrators view the form Leads page. The vulnerability chains three implementation flaws: missing nonce verification for anonymous form submissions, inadequate sanitization of FileUpload field values when no file is attached, and reversal of HTML entity encoding via html_entity_decode() before unescaped output in admin views. Publicly available exploit code exists. EPSS data not provided, but the CVSS 7.2 (High) with scope change reflects the privilege escalation from unauthenticated user to admin-context execution. Patch released in version 2.8.12 per WordPress plugin repository changeset 3502206.
Stored cross-site scripting (XSS) in Gravity Forms WordPress plugin versions ≤2.10.0 allows remote unauthenticated attackers to inject malicious JavaScript that executes when administrators view form entries. The vulnerability exploits a validation bypass in nested SingleProduct fields within Repeater fields, where product name tampering is not validated. When admins access compromised entries via wp-admin, the unsanitized payload executes in their browser session. CVSS 7.2 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible exploitation without authentication or user interaction during payload delivery, though the attack requires subsequent admin interaction (viewing the entry) for payload execution. No active exploitation confirmed in CISA KEV at time of analysis.
Unauthenticated PHP object injection in Profile Builder Pro for WordPress allows remote attackers to execute arbitrary code by deserializing malicious objects through an unprotected AJAX endpoint. The vulnerability affects all versions through 3.14.5 and stems from unsafe deserialization of attacker-controlled POST data in the wppb_request_users_pins_action_callback() handler, which was registered for both authenticated and unauthenticated users without nonce verification. With CVSS 8.1 and AC:H complexity, exploitation requires chaining with a POP gadget chain, though EPSS data and KEV status are not available to confirm active exploitation.
Stored XSS in Gravity Forms for WordPress ≤2.10.0 allows unauthenticated remote attackers to inject malicious JavaScript through Product Option field values that execute when administrators view entry details. The flaw exploits a sanitization bypass: the plugin's state validation accepts values matching wp_kses()-cleaned legitimate options but stores the raw unsanitized input, which is then rendered without escaping in the Order Summary view (view-order-summary.php:32). EPSS data not available; no public exploit identified at time of analysis. Vendor patch status requires verification via changelog.
Authenticated privilege escalation in 'Import and export users and customers' WordPress plugin versions up to 2.0.8 allows Subscriber-level users to elevate privileges to Administrator on any subsite within a WordPress Multisite network. The vulnerability stems from an incomplete blocklist in save_extra_user_profile_fields() that restricts primary site capability meta keys (wp_capabilities) but fails to block multisite-prefixed equivalents (wp_2_capabilities, wp_3_capabilities, etc.). Exploitation requires that an administrator has previously imported a CSV with multisite-prefixed capability headers and enabled the 'Show fields in profile?' option. Patch released in changeset 3515646 per WordPress plugin repository. No EPSS or KEV data available, indicating no widespread exploitation detected at time of analysis.
Authentication bypass in User Verification by PickPlugins for WordPress allows remote unauthenticated attackers to log in as any user with a verified email - including administrators - by submitting the string 'true' as the OTP code. The vulnerability stems from a loose PHP comparison operator (==) in the OTP validation logic, which treats the boolean true as equal to any non-zero numeric OTP value. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents complete system compromise risk for WordPress sites running vulnerable versions (≤2.0.46). Fixed in version 2.0.47 per Wordfence advisory and WordPress plugin repository changeset 3519113.
SQL injection in itsourcecode Courier Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /edit_staff.php, potentially leading to unauthorized database access and data disclosure. The vulnerability has a CVSS score of 5.5 with a publicly available exploit, indicating moderate real-world risk despite the low confidentiality impact rating.
Reflected cross-site scripting (XSS) in GSVoIP web panel version 2.0.90 allows remote attackers to inject arbitrary JavaScript via the `msg` parameter in the `/painel/gateways.php/error` endpoint. The vulnerability requires user interaction (clicking a malicious link) but can lead to session hijacking, credential theft, or malware distribution. No authentication is required, and public exploit code exists.
Cross-Site Request Forgery in WP Editor plugin through version 1.2.9.2 enables remote attackers to inject arbitrary PHP code into plugin and theme files. The vulnerability requires administrator interaction (clicking a malicious link) but no authentication for the attacker, allowing complete website compromise through file overwrite. EPSS data not available; no confirmed active exploitation at time of analysis. Patch available in changeset 3480577.
Unrestricted file upload in MacCMS Pro up to version 2022.1.3 allows authenticated high-privilege administrators to upload arbitrary files via the plugin installation handler at /admin/addon/add.html, potentially enabling remote code execution. Publicly available exploit code exists, and the vendor has not responded to early disclosure despite contact.
SQL injection in itsourcecode Electronic Judging System 1.0 allows remote attackers to manipulate the Username parameter in /intrams/login.php, leading to unauthorized data access and modification. The vulnerability requires no authentication and can be exploited over the network with low complexity. Publicly available exploit code exists, and the CVSS 4.0 vector indicates confidentiality and integrity impact on the affected application.
SQL injection in code-projects Gym Management System 1.0 allows authenticated high-privilege users to manipulate the edit_exercise parameter in /admin/edit_exercises.php, enabling remote database queries with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists; CVSS 4.7 reflects low real-world risk due to high-privilege requirement (PR:H), though the vulnerability remains remotely accessible without user interaction.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to read, modify, or delete database records via the ID parameter in /ajax.php?action=save_customer. CVSS 7.3 with low attack complexity and no authentication required. Publicly available exploit code exists (GitHub POC published), elevating immediate risk for exposed installations. EPSS data not available, but the combination of network vector, zero authentication, and public POC indicates high probability of opportunistic scanning and exploitation.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to extract database contents, modify records, or execute unauthorized queries via the ID parameter in /ajax.php?action=delete_customer. Publicly available exploit code exists (GitHub POC), enabling trivial exploitation against exposed instances. CVSS 7.3 reflects network-accessible attack with low complexity and no authentication requirement, though EPSS data unavailable and not currently listed in CISA KEV, suggesting limited widespread exploitation despite POC availability.
SQL injection in SourceCodester Advanced School Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the checkEmail endpoint in commonController.php, potentially exposing or modifying database contents. Publicly available exploit code exists and the vulnerability requires only network access with no authentication, making it a practical exploitation risk for exposed instances.
Client-side remote code execution affects MixPHP Framework 2.x through 2.2.17 when sync-invoke clients connect to attacker-controlled servers. The vulnerability enables malicious servers to execute arbitrary code on connecting clients through unsafe deserialization of server responses (CWE-502). EPSS data unavailable, but SSVC indicates no confirmed exploitation and non-automatable attack complexity aligns with CVSS AC:H rating. Primary risk exists in scenarios where MixPHP clients connect to untrusted external services or where server infrastructure could be compromised.
SQL injection in MixPHP Framework 2.x through 2.2.17 allows unauthenticated remote attackers to read or modify database contents via a crafted data array passed to the data function in BuildHelper.php. The vulnerability has an automatable exploitation path per CISA SSVC but no public exploit code or active KEV listing identified at analysis time. CVSS 6.5 (medium) reflects network-accessible SQL injection with partial confidentiality and integrity impact but no availability impact.
SQL injection in MixPHP Framework versions 2.0 through 2.2.17 allows unauthenticated remote attackers to execute arbitrary SQL queries by supplying crafted array parameters to the joinOn function in BuildHelper.php. The vulnerability has a CVSS score of 6.5 with network-accessible exploitation requiring no authentication or user interaction. SSVC signals indicate exploitation is automatable, though no active exploitation in the wild has been reported at time of analysis.
Arbitrary code execution in MixPHP Framework 2.x through 2.2.17 allows local attackers to execute malicious PHP closures via unauthenticated TCP connections to the sync-invoke server. The vulnerability stems from unsafe deserialization of untrusted data on localhost-bound port 127.0.0.1, where Server.php directly passes socket data to Opis\Closure\unserialize() and executes the result without authentication or signature verification. Exploitation requires local network access or SSRF capability against the application server. No public exploit code identified at time of analysis, but the attack mechanism is straightforward for attackers with PHP deserialization knowledge.
Authenticated admin users in V2Board through version 1.7.4 can exploit unsanitized sort parameters in the user management interface to disclose sensitive database information including password hashes and authentication tokens through ORDER BY-based information disclosure. The vulnerability requires admin privileges and does not enable data modification or service disruption, but allows attackers with administrative access to extract confidential user data by analyzing sort order patterns.
V2Board through version 1.7.4 exposes sensitive server authentication tokens via GET parameters in the UniProxy API endpoint, causing tokens to be recorded in web server access logs, browser history, HTTP Referer headers, and intermediary proxies. An attacker who obtains access to any log source can extract the token and impersonate a proxy server node, potentially intercepting all user traffic passing through that node.
Stored cross-site scripting in V2Board through version 1.7.4 allows authenticated administrators to inject arbitrary JavaScript into the custom_html theme configuration field via the saveThemeConfig API, which is rendered unescaped in the dashboard.blade.php template and executed in the browsers of all site visitors, enabling cookie theft, session hijacking, and phishing attacks.
Code injection in Bootstrap CMS 0.9.0-alpha page creation handler allows authenticated remote attackers to inject arbitrary code via the body parameter in resources/views/pages/show.blade.php, with publicly available exploit code and a CVSS score of 2.1 reflecting low confidentiality/integrity impact. The vulnerability affects an unmaintained product with an inactive code repository, limiting real-world exposure but enabling opportunistic exploitation of legacy deployments.
SQL injection in SourceCodester Hotel Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the room_type parameter in /index.php/reservation/check. CVSS 7.3 indicates medium-to-high severity with confidentiality, integrity, and availability impacts. Publicly available exploit code (GitHub) significantly lowers the barrier to exploitation. EPSS data unavailable, but public POC availability and remote unauthenticated attack vector suggest elevated real-world risk for internet-exposed installations of this PHP-based hotel management system.
LinkStack up to version 4.8.6 contains an authorization bypass vulnerability in the saveLink function of UserController.php that allows authenticated attackers to modify links belonging to other users via insecure direct object references (IDOR). The vulnerability affects the Management Endpoint and enables remote attackers with valid credentials to manipulate or delete arbitrary user links, with publicly available exploit code and an unmerged patch awaiting acceptance.