PHP
Monthly
RCE in Chevereto 3.13.4 image hosting via code injection during database configuration. Allows injecting code during installation/setup. PoC available.
Avideo versions up to 8.1 contain a vulnerability that allows attackers to enumerate user details through the playlistsFromUser (CVSS 7.5).
login.php contains a vulnerability that allows attackers to access the dashboard without valid credentials (CVSS 6.5).
MiniGal Nano 0.3.5 and earlier are vulnerable to a path traversal attack in the dir parameter that bypasses insufficient dot-dot sequence filtering, allowing unauthenticated remote attackers to access and enumerate image files from arbitrary filesystem locations readable by the web server. This results in confidential information disclosure from unintended directories. No patch is currently available.
Reflected XSS in MiniGal Nano 0.3.5 and earlier allows unauthenticated remote attackers to inject malicious scripts through the dir parameter in index.php, enabling arbitrary JavaScript execution in victim browsers. The vulnerability stems from insufficient output encoding when constructing error messages with user-supplied input. No patch is currently available for affected installations.
GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the event title parameter. [CVSS 6.4 MEDIUM]
PHP object injection in wpForo Forum plugin versions up to 2.4.13 allows authenticated subscribers and above to deserialize untrusted data, potentially enabling arbitrary file deletion, data theft, or code execution if a POP chain exists in installed plugins or themes. The vulnerability requires an additional gadget chain to be exploitable, making its impact dependent on the broader plugin ecosystem of the target WordPress installation.
The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access t...
The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
Unauthenticated arbitrary file upload in WPvivid Backup & Migration WordPress plugin. EPSS 0.44%.
WP eCommerce (WordPress) versions up to 3.15.1 are affected by deserialization of untrusted data (CVSS 6.5).
The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. [CVSS 4.3 MEDIUM]
Lucky Wheel Giveaway (WordPress plugin) versions up to 1.0.22 is affected by code injection (CVSS 7.2).
The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]
Arbitrary PHP code execution in ClipBucket v5 prior to 5.5.3-#40 through a race condition in file upload validation, where files are moved to a web-accessible directory before security checks are performed. An authenticated attacker can exploit the time window between file placement and validation deletion to execute malicious PHP code on the server. Public exploit code exists for this vulnerability.
The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. [CVSS 5.4 MEDIUM]
WooCommerce Memberships for Multivendor Marketplace versions up to 2.11.8 are affected by authorization bypass through a user-controlled key (CVSS 4.3).
my little forum PHP forum software has an unrestricted file upload allowing authenticated users to upload dangerous file types.
Adminer versions 5.4.1 and earlier suffer from a post-message validation bypass that allows remote attackers to trigger denial of service affecting all users. By sending a crafted POST request with array parameters to the version endpoint, an attacker can cause openssl_verify() to receive malformed input, resulting in a TypeError that crashes the application and returns HTTP 500 errors. Public exploit code exists for this vulnerability; administrators should upgrade to version 5.4.2 immediately.
Craft is a platform for creating digital experiences. [CVSS 7.2 HIGH]
Unrestricted file upload in DouPHP versions up to 1.9 allows remote attackers with administrative privileges to bypass upload restrictions via manipulation of the sql_filename parameter in the ZIP File Handler component. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in the News Portal Project 1.0 administrator login interface allows unauthenticated remote attackers to manipulate the email parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker could exploit this to extract sensitive data, modify database contents, or potentially escalate privileges within the application.
A vulnerability was detected in code-projects Online Reviewer System 1.0. This affects an unknown part of the file /system/system/admins/manage/users/btn_functions.php. [CVSS 3.5 LOW]
SQL injection in code-projects Online Reviewer System 1.0 via the ID parameter in the assessment module allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available.
A weakness has been identified in code-projects Online Reviewer System 1.0. Affected by this vulnerability is an unknown functionality of the file /system/system/admins/manage/users/btn_functions.php. [CVSS 2.4 LOW]
SQL injection in the login component of code-projects Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, which affects PHP-based installations of the Online Reviewer System. An attacker can exploit this to extract sensitive data, modify database contents, or potentially gain unauthorized system access.
SQL injection in code-projects Online Reviewer System 1.0 via the difficulty_id parameter in /system/system/admins/assessments/pretest/btn_functions.php allows unauthenticated remote attackers to manipulate database queries and potentially extract sensitive data or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in itsourcecode Event Management System 1.0 via the ID parameter in /admin/manage_user.php allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available, putting all affected installations at immediate risk.
A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. [CVSS 2.4 LOW]
Unrestricted file upload in Online Music Site 1.0's AdminAddAlbum.php allows authenticated administrators with high privileges to upload arbitrary files via the txtimage parameter. Public exploit code exists for this vulnerability, enabling remote attackers to potentially execute malicious code or compromise the application. The affected component impacts both the PHP runtime and the vulnerable web application, with no patch currently available.
SQL injection in code-projects Online Music Site 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in AdminEditCategory.php, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.
Online Music Site versions up to 1.0 contain a SQL injection vulnerability (CVSS 7.3).
SQL injection in code-projects Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in the user deletion function, potentially leading to unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations vulnerable to active exploitation.
SQL injection in code-projects Online Reviewer System 1.0 via the difficulty_id parameter in /system/system/admins/assessments/pretest/loaddata.php allows remote attackers to execute arbitrary SQL queries without authentication. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could result in unauthorized data access, modification, or deletion within the application database.
SQL injection in code-projects Online Reviewer System 1.0 allows remote attackers to manipulate the test_id parameter in the exam-delete.php file, enabling unauthorized database access and modification without authentication. The vulnerability has public exploit code available and currently lacks a patch, posing an immediate risk to unpatched installations. Affected organizations using this system should prioritize mitigation strategies while awaiting official remediation.
SQL injection in code-projects Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the test_id parameter in the exam-update.php endpoint, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in code-projects Online Reviewer System 1.0 via the ID parameter in the questions-view.php file allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at active risk.
SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /ramonsys/user/controller.php allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, requiring organizations to implement alternative mitigations or restrict access to vulnerable systems.
SQL injection in itsourcecode School Management System 1.0 allows unauthenticated remote attackers to manipulate the 'ay' parameter in /ramonsys/report/index.php, potentially enabling data exfiltration, modification, or service disruption. Public exploit code exists for this vulnerability and no patch is currently available, creating immediate risk for deployed instances.
OS command injection in Great Developers Certificate Generation System's CSV processing functionality allows unauthenticated remote attackers to execute arbitrary system commands through the photo parameter in /restructured/csv.php. Public exploit code exists for this vulnerability, and no patch is currently available, affecting systems using the abandoned project with a rolling release model.
Unrestricted file upload in Great Developers Certificate Generation System's CSV processing endpoint allows authenticated attackers to upload arbitrary files remotely. Public exploit code exists for this vulnerability, though no patch is available and the project is no longer actively maintained. The vulnerability affects PHP-based certificate generation functionality with medium severity (CVSS 6.3).
SQL injection in PHPGurukul Hospital Management System 4.0's user management interface allows remote attackers with administrative privileges to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, though no patch is currently available. The attack requires high-level credentials but poses risks to data confidentiality, integrity, and availability within affected hospital deployments.
SQL injection in code-projects Online Examination System 1.0 allows unauthenticated remote attackers to manipulate the username and password parameters in login.php, potentially enabling unauthorized access to sensitive data or system compromise. The vulnerability requires no user interaction and can be exploited over the network with low complexity. No patch is currently available for this issue.
Online Application System For Admission versions up to 1.0 contain a SQL injection vulnerability (CVSS 7.3).
SQL injection in the login function of code-projects Online Student Management System 1.0 allows unauthenticated attackers to manipulate username and password parameters in accounts.php, enabling unauthorized data access, modification, and potential service disruption. Public exploit code is available for this vulnerability, increasing exploitation risk. No patch is currently available.
SQL injection in the Online Reviewer System 1.0 login function allows unauthenticated remote attackers to manipulate username and password parameters, potentially enabling unauthorized database access and data modification. With public exploit code available and no patch released, this vulnerability poses an immediate risk to deployed instances.
Detronetdip E-commerce 1.0.0 contains an authentication bypass vulnerability in the seller account creation endpoint that allows unauthenticated remote attackers to manipulate the email parameter and gain unauthorized access. The vulnerability affects PHP-based e-commerce installations and has public exploit code available, though no patch is currently available from the vendor.
Unrestricted file upload in detronetdip E-commerce 1.0.0 via the /seller/assets/backend/profile/addadhar.php endpoint allows unauthenticated remote attackers to upload arbitrary files. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification.
SQL injection in the News Portal Project 1.0 admin panel (/admin/aboutus.php) allows authenticated attackers with high privileges to manipulate the pagetitle parameter and execute arbitrary SQL queries, potentially compromising database integrity and confidentiality. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and valid administrative credentials but no user interaction.
SQL injection in itsourcecode Directory Management System 1.0 allows unauthenticated remote attackers to manipulate the email parameter in /admin/forget-password.php and execute arbitrary database queries. Public exploit code exists for this vulnerability and no patch is currently available. An attacker can leverage this to extract sensitive data or modify database contents with minimal complexity.
Simple Responsive Tourism Website versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 4.3).
Simple Responsive Tourism Website versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 4.3).
SQL injection in the Student Web Portal 1.0 /check_user.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. The vulnerability enables attackers to read, modify, or delete sensitive data with public exploit code readily available. This affects PHP-based installations of the Student Web Portal with no patch currently available.
Online Student Management System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 2.4).
Patients Waiting Area Queue Management System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 4.3).
Unauthenticated remote attackers can execute arbitrary OS commands on D-Link DIR-615 4.10 routers through manipulated routing parameters in the web configuration interface, requiring only network access and no user interaction. Public exploit code is available for this vulnerability, and D-Link has not released a patch for the end-of-life device.
Remote code execution in D-Link DIR-615 firmware through os command injection via the dmz_ipaddr parameter in the DMZ Host Feature allows authenticated attackers to execute arbitrary commands with high privileges. Public exploit code exists for this vulnerability, which affects unsupported product versions with no available patch. The attack requires high-level authentication but can be launched over the network without user interaction.
Patients Waiting Area Queue Management System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 4.3).
Patients Waiting Area Queue Management System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 4.3).
Online Food Ordering System versions up to 1.0 contain a SQL injection vulnerability (CVSS 7.3).
PHPGurukul Hospital Management System 4.0 contains a SQL injection vulnerability in the doctor management interface that allows authenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with administrative credentials could potentially extract or modify sensitive hospital data.
Unrestricted file upload in Online Music Site 1.0's AdminUpdateCategory.php allows unauthenticated remote attackers to upload arbitrary files by manipulating the txtimage parameter. Public exploit code exists for this vulnerability, enabling potential remote code execution and system compromise. A security patch is not currently available, leaving affected installations vulnerable to active exploitation.
SQL injection in Online Music Site 1.0's AdminUpdateCategory.php allows unauthenticated remote attackers to manipulate the txtcat parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, with no patch currently available. The attack requires no user interaction and can compromise the confidentiality, integrity, and availability of the underlying database.
The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. [CVSS 8.8 HIGH]
Privilege escalation in JAY Login & Register WordPress plugin allows unauthenticated attackers to register as administrators. All versions up to 1.1.6 affected.
SQL injection in Xiaopi Panel's WAF Firewall component (up to version 20260126) allows authenticated remote attackers to manipulate the ID parameter in /demo.php and execute arbitrary SQL queries. Public exploit code is available and the vendor has not provided a patch despite early notification. This vulnerability requires valid credentials to exploit but enables attackers to access or modify sensitive database information.
SQL injection in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to manipulate the activity_id parameter in /admin/edit_activity.php, enabling data exfiltration, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in itsourcecode Society Management System 1.0's expense editing functionality allows unauthenticated remote attackers to manipulate the expenses_id parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw enables attackers to access, modify, or delete sensitive financial data with minimal complexity.
SQL injection in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to manipulate the expenses_id parameter in /admin/delete_expenses.php, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.
SQL injection in itsourcecode Society Management System 1.0 through the admin_id parameter in /admin/edit_admin.php allows unauthenticated remote attackers to manipulate the database. Public exploit code exists for this vulnerability, and no patch is currently available, putting all installations at immediate risk of data compromise.
Unsafe deserialization in yuan1994 tpadmin versions up to 1.3.12 allows remote attackers to execute arbitrary code via the WebUploader preview.php component without authentication. Public exploit code exists for this vulnerability, and affected installations running unsupported versions face immediate risk. The flaw enables complete system compromise with no patch available from the maintainer.
A security flaw has been discovered in Tasin1025 SwiftBuy up to 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing a manipulation results in improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit has been released to the public and may be used for attacks. This pro...
Online Class Record System versions up to 1.0 contain a SQL injection vulnerability (CVSS 7.3).
SourceCodester Online Class Record System 1.0 contains a SQL injection vulnerability in the subject controller that allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and could enable unauthorized data access, modification, or system compromise.
SQL injection in PHPGurukul Beauty Parlour Management System 1.1 via the delid parameter in /admin/accepted-appointment.php enables remote attackers to manipulate database queries without authentication. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems at active risk.
SQL injection in SourceCodester Online Class Record System 1.0 allows unauthenticated remote attackers to manipulate the user_email parameter in /admin/login.php, potentially enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in the /delete_post.php endpoint of code-projects Social Networking Site 1.0 allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker could leverage this to read, modify, or delete sensitive data within the application's database.
The TITLE ANIMATOR plugin for WordPress lacks CSRF protection on its settings page, allowing unauthenticated attackers to modify plugin configuration through forged requests if a site administrator clicks a malicious link. This vulnerability affects all versions up to 1.0 and requires social engineering to exploit but poses a direct integrity risk to plugin functionality and site configuration.
The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode `category` and `id` attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]
The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. [CVSS 4.3 MEDIUM]
The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function(s), allowing any authenticated user, such as one with a contributor or higher role, to perform LFI attacks. [CVSS 5.5 MEDIUM]
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
School Management System versions up to 1.0 contain a SQL injection vulnerability (CVSS 7.3).
ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. [CVSS 7.1 HIGH]
AMSS++ version 4.31 contains a SQL injection vulnerability in the mail module's maildetail.php script through the 'id' parameter. Attackers can manipulate the 'id' parameter in /modules/mail/main/maildetail.php to inject malicious SQL queries and potentially access or modify database contents. [CVSS 8.2 HIGH]
A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. [CVSS 3.5 LOW]
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allowed users with access to the CMS Asset Manager to upload SVGs without automatic sanitization.
A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. [CVSS 2.4 LOW]
Unrestricted file upload in Online Music Site 1.0's AdminAddAlbum.php allows authenticated administrators with high privileges to upload arbitrary files via the txtimage parameter. Public exploit code exists for this vulnerability, enabling remote attackers to potentially execute malicious code or compromise the application. The affected component impacts both the PHP runtime and the vulnerable web application, with no patch currently available.
SQL injection in code-projects Online Music Site 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in AdminEditCategory.php, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.
Online Music Site versions up to 1.0 are vulnerable to SQL injection (CVSS 7.3).
SQL injection in code-projects Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in the user deletion function, potentially leading to unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations vulnerable to active exploitation.
SQL injection in code-projects Online Reviewer System 1.0 via the difficulty_id parameter in /system/system/admins/assessments/pretest/loaddata.php allows remote attackers to execute arbitrary SQL queries without authentication. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could result in unauthorized data access, modification, or deletion within the application database.
SQL injection in code-projects Online Reviewer System 1.0 allows remote attackers to manipulate the test_id parameter in the exam-delete.php file, enabling unauthorized database access and modification without authentication. The vulnerability has public exploit code available and currently lacks a patch, posing an immediate risk to unpatched installations. Affected organizations using this system should prioritize mitigation strategies while awaiting official remediation.
SQL injection in code-projects Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the test_id parameter in the exam-update.php endpoint, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in code-projects Online Reviewer System 1.0 via the ID parameter in the questions-view.php file allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at active risk.
SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /ramonsys/user/controller.php allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, requiring organizations to implement alternative mitigations or restrict access to vulnerable systems.
SQL injection in itsourcecode School Management System 1.0 allows unauthenticated remote attackers to manipulate the 'ay' parameter in /ramonsys/report/index.php, potentially enabling data exfiltration, modification, or service disruption. Public exploit code exists for this vulnerability and no patch is currently available, creating immediate risk for deployed instances.
OS command injection in Great Developers Certificate Generation System's CSV processing functionality allows unauthenticated remote attackers to execute arbitrary system commands through the photo parameter in /restructured/csv.php. Public exploit code exists for this vulnerability, and no patch is currently available, affecting systems using the abandoned project with a rolling release model.
Unrestricted file upload in Great Developers Certificate Generation System's CSV processing endpoint allows authenticated attackers to upload arbitrary files remotely. Public exploit code exists for this vulnerability, though no patch is available and the project is no longer actively maintained. The vulnerability affects PHP-based certificate generation functionality with medium severity (CVSS 6.3).
SQL injection in PHPGurukul Hospital Management System 4.0's user management interface allows remote attackers with administrative privileges to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, though no patch is currently available. The attack requires high-level credentials but poses risks to data confidentiality, integrity, and availability within affected hospital deployments.
SQL injection in code-projects Online Examination System 1.0 allows unauthenticated remote attackers to manipulate the username and password parameters in login.php, potentially enabling unauthorized access to sensitive data or system compromise. The vulnerability requires no user interaction and can be exploited over the network with low complexity. No patch is currently available for this issue.
Online Application System For Admission versions up to 1.0 are vulnerable to SQL injection (CVSS 7.3).
SQL injection in the login function of code-projects Online Student Management System 1.0 allows unauthenticated attackers to manipulate username and password parameters in accounts.php, enabling unauthorized data access, modification, and potential service disruption. Public exploit code is available for this vulnerability, increasing exploitation risk. No patch is currently available.
SQL injection in the Online Reviewer System 1.0 login function allows unauthenticated remote attackers to manipulate username and password parameters, potentially enabling unauthorized database access and data modification. With public exploit code available and no patch released, this vulnerability poses an immediate risk to deployed instances.
Detronetdip E-commerce 1.0.0 contains an authentication bypass vulnerability in the seller account creation endpoint that allows unauthenticated remote attackers to manipulate the email parameter and gain unauthorized access. The vulnerability affects PHP-based e-commerce installations and has public exploit code available, though no patch is currently available from the vendor.
Unrestricted file upload in detronetdip E-commerce 1.0.0 via the /seller/assets/backend/profile/addadhar.php endpoint allows unauthenticated remote attackers to upload arbitrary files. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification.
SQL injection in the News Portal Project 1.0 admin panel (/admin/aboutus.php) allows authenticated attackers with high privileges to manipulate the pagetitle parameter and execute arbitrary SQL queries, potentially compromising database integrity and confidentiality. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and valid administrative credentials but no user interaction.
SQL injection in itsourcecode Directory Management System 1.0 allows unauthenticated remote attackers to manipulate the email parameter in /admin/forget-password.php and execute arbitrary database queries. Public exploit code exists for this vulnerability and no patch is currently available. An attacker can leverage this to extract sensitive data or modify database contents with minimal complexity.
Simple Responsive Tourism Website versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 4.3).
Simple Responsive Tourism Website versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 4.3).
SQL injection in the Student Web Portal 1.0 /check_user.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. The vulnerability enables attackers to read, modify, or delete sensitive data with public exploit code readily available. This affects PHP-based installations of the Student Web Portal with no patch currently available.
Online Student Management System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 2.4).
Patients Waiting Area Queue Management System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 4.3).
Unauthenticated remote attackers can execute arbitrary OS commands on D-Link DIR-615 4.10 routers through manipulated routing parameters in the web configuration interface, requiring only network access and no user interaction. Public exploit code is available for this vulnerability, and D-Link has not released a patch for the end-of-life device.
Remote code execution in D-Link DIR-615 firmware through OS command injection via the dmz_ipaddr parameter in the DMZ Host feature allows authenticated attackers to execute arbitrary commands with high privileges. Public exploit code exists for this vulnerability, which affects unsupported product versions with no available patch. The attack requires high-level authentication but can be launched over the network without user interaction.
Patients Waiting Area Queue Management System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 4.3).
Patients Waiting Area Queue Management System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 4.3).
Online Food Ordering System versions up to 1.0 are vulnerable to SQL injection (CVSS 7.3).
PHPGurukul Hospital Management System 4.0 contains a SQL injection vulnerability in the doctor management interface that allows authenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with administrative credentials could potentially extract or modify sensitive hospital data.
Unrestricted file upload in Online Music Site 1.0's AdminUpdateCategory.php allows unauthenticated remote attackers to upload arbitrary files by manipulating the txtimage parameter. Public exploit code exists for this vulnerability, enabling potential remote code execution and system compromise. A security patch is not currently available, leaving affected installations vulnerable to active exploitation.
SQL injection in Online Music Site 1.0's AdminUpdateCategory.php allows unauthenticated remote attackers to manipulate the txtcat parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, with no patch currently available. The attack requires no user interaction and can compromise the confidentiality, integrity, and availability of the underlying database.
The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. [CVSS 8.8 HIGH]
Privilege escalation in the JAY Login & Register WordPress plugin allows unauthenticated attackers to register as administrators. All versions up to 1.1.6 are affected.
SQL injection in Xiaopi Panel's WAF Firewall component (up to version 20260126) allows authenticated remote attackers to manipulate the ID parameter in /demo.php and execute arbitrary SQL queries. Public exploit code is available and the vendor has not provided a patch despite early notification. This vulnerability requires valid credentials to exploit but enables attackers to access or modify sensitive database information.
SQL injection in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to manipulate the activity_id parameter in /admin/edit_activity.php, enabling data exfiltration, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in itsourcecode Society Management System 1.0's expense editing functionality allows unauthenticated remote attackers to manipulate the expenses_id parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw enables attackers to access, modify, or delete sensitive financial data with minimal complexity.
SQL injection in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to manipulate the expenses_id parameter in /admin/delete_expenses.php, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.
SQL injection in itsourcecode Society Management System 1.0 through the admin_id parameter in /admin/edit_admin.php allows unauthenticated remote attackers to manipulate the database. Public exploit code exists for this vulnerability, and no patch is currently available, putting all installations at immediate risk of data compromise.
Unsafe deserialization in yuan1994 tpadmin versions up to 1.3.12 allows remote attackers to execute arbitrary code via the WebUploader preview.php component without authentication. Public exploit code exists for this vulnerability, and affected installations running unsupported versions face immediate risk. The flaw enables complete system compromise with no patch available from the maintainer.
A security flaw has been discovered in Tasin1025 SwiftBuy up to 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing a manipulation results in improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit has been released to the public and may be used for attacks. This pro...
Online Class Record System versions up to 1.0 are vulnerable to SQL injection (CVSS 7.3).
SourceCodester Online Class Record System 1.0 contains a SQL injection vulnerability in the subject controller that allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and could enable unauthorized data access, modification, or system compromise.
SQL injection in PHPGurukul Beauty Parlour Management System 1.1 via the delid parameter in /admin/accepted-appointment.php enables remote attackers to manipulate database queries without authentication. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems at active risk.
SQL injection in SourceCodester Online Class Record System 1.0 allows unauthenticated remote attackers to manipulate the user_email parameter in /admin/login.php, potentially enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in the /delete_post.php endpoint of code-projects Social Networking Site 1.0 allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker could leverage this to read, modify, or delete sensitive data within the application's database.
The TITLE ANIMATOR plugin for WordPress lacks CSRF protection on its settings page, allowing unauthenticated attackers to modify plugin configuration through forged requests if a site administrator clicks a malicious link. This vulnerability affects all versions up to 1.0 and requires social engineering to exploit but poses a direct integrity risk to plugin functionality and site configuration.
The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode `category` and `id` attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]
The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. [CVSS 4.3 MEDIUM]
The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include functions, allowing any authenticated user with the contributor role or higher to perform LFI attacks. [CVSS 5.5 MEDIUM]
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
School Management System versions up to 1.0 are vulnerable to SQL injection (CVSS 7.3).
ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. [CVSS 7.1 HIGH]
AMSS++ version 4.31 contains a SQL injection vulnerability in the mail module's maildetail.php script through the 'id' parameter. Attackers can manipulate the 'id' parameter in /modules/mail/main/maildetail.php to inject malicious SQL queries and potentially access or modify database contents. [CVSS 8.2 HIGH]
A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. [CVSS 3.5 LOW]
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. In versions of Winter CMS before 1.2.10, users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization.