PHP

Improper password reset process in User Profile Builder WordPress plugin before 3.15.2 allows unauthenticated attackers to reset any user's password with minimal requests.

Missing authorization in CRMEB crontab endpoints (versions up to 5.6.3) allows unauthenticated remote attackers to manipulate unspecified functionality through the CrontabController.php file. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

Knap Advanced PHP Login 3.1.3 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code in the name parameter. [CVSS 6.4 MEDIUM]

Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can inject malicious script code through a GET request to execute arbitrary scripts and potentially hijack user sessions or perform phishing attacks. [CVSS 6.4 MEDIUM]

Simple CMS 2.1 contains a remote SQL injection vulnerability that allows privileged attackers to inject unfiltered SQL commands in the users module. Attackers can exploit unvalidated input parameters in the admin.php file to compromise the database management system and web application. [CVSS 8.1 HIGH]

PHP Melody version 3.0 contains a persistent cross-site scripting vulnerability in the edit-video.php submitted parameter that allows remote attackers to inject malicious script code. [CVSS 6.4 MEDIUM]

Sell BTC - Cryptocurrency Selling Calculator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

The Ajax Load More - Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. [CVSS 5.3 MEDIUM]

The NEX-Forms - Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. [CVSS 5.3 MEDIUM]

Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. [CVSS 8.2 HIGH]

Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. [CVSS 5.3 MEDIUM]

e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. [CVSS 8.2 HIGH]

Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. [CVSS 8.8 HIGH]

PsySH versions prior to 0.11.23 and 0.12.19 automatically execute a `.psysh.php` file from the current working directory during startup, allowing local attackers with write access to a directory to achieve arbitrary code execution when a user launches PsySH from that location. When a privileged user such as root or a CI runner executes PsySH in an attacker-controlled directory, this results in local privilege escalation. Public exploit code exists for this vulnerability and no patch is currently available.

Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.

Unauthenticated command injection in DokuWiki runcommand plugin via lib/plugins/runcommand. Allows arbitrary system command execution.

Improper authorization in SourceCodester Pet Grooming Management Software 1.0 allows authenticated users to manipulate the group_id parameter in the user management component, potentially gaining unauthorized access to restricted functionality. An attacker with valid credentials can exploit this remotely, and public exploit code is already available. The vulnerability currently lacks a patch from the vendor.

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /enrollment/index.php enables unauthenticated remote attackers to manipulate database queries and extract or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network against affected installations.

House Rental And Property Listing Project versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. [CVSS 6.4 MEDIUM]

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. [CVSS 6.4 MEDIUM]

Authenticated SQL injection in ChurchCRM's PaddleNumEditor.php endpoint prior to version 6.7.2 allows any logged-in user to execute arbitrary database queries regardless of their assigned permissions. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete sensitive church data. Update to version 6.7.2 or later to remediate.

SQL injection in itsourcecode Directory Management System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter in /admin/index.php and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can compromise data confidentiality, integrity, and availability.

SQL injection in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to manipulate the student_id parameter in /admin/edit_student_query.php, enabling unauthorized database queries and potential data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available, increasing the risk of active exploitation.

SQL injection in itsourcecode Society Management System 1.0's expense administration interface allows unauthenticated remote attackers to manipulate the detail parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems expose confidentiality, integrity, and availability of underlying data.

Society Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /ramonsys/faculty/index.php enables unauthenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

SQL injection in itsourcecode School Management System 1.0 via the txtsearch parameter in /ramonsys/inquiry/index.php enables unauthenticated remote attackers to execute arbitrary SQL queries with limited impact on confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and no patch is currently available.

Unauthenticated RCE in Tea LaTeX 1.0 via command injection in /api endpoint. EPSS 0.29% with PoC available.

MedDream PACS Server 6.8.3.751 contains an authenticated remote code execution vulnerability that allows authorized users to upload malicious PHP files. [CVSS 8.8 HIGH]

berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database information. [CVSS 8.2 HIGH]

TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. [CVSS 7.1 HIGH]

Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. [CVSS 8.2 HIGH]

Stored XSS in RLE NOVA PlanManager allows authenticated users to inject malicious scripts via the comment and brand parameters, which are executed in other users' browsers without sanitization. An attacker can leverage this to hijack sessions, steal credentials, or perform unauthorized actions on behalf of victims. Exploitation requires user interaction and network access, with no patch currently available.

Custom Login Page Customizer WordPre versions up to 2.5.4 is affected by improper privilege management (CVSS 8.1).

SQL injection in SEMCMS 5.0 via the searchml parameter in /SEMCMS_Info.php allows authenticated attackers to execute arbitrary SQL queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

School Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

School Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

Symfony versions up to 5.4.51 contains a vulnerability that allows attackers to operations being performed on an unintended path, up to and including deletion o (CVSS 6.3).

SQL injection in Online Music Site 1.0's AdminReply.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary SQL queries, potentially compromising database confidentiality and integrity. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

SQL injection in Online Music Site 1.0's AdminEditUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling potential data theft, modification, or service disruption. No patch is currently available, leaving affected installations vulnerable.

SQL injection in Online Music Site 1.0's AdminAddCategory.php allows remote attackers with high privileges to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.

PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. [CVSS 6.5 MEDIUM]

PMB 5.6 contains a local file disclosure vulnerability in getgif.php that allows attackers to read arbitrary system files by manipulating the 'chemin' parameter. [CVSS 8.4 HIGH]

SQL injection in EGroupware's Nextmatch filter allows authenticated attackers to execute arbitrary database commands by exploiting PHP type juggling that bypasses integer validation checks. Public exploit code exists for this vulnerability affecting EGroupware versions prior to 23.1.20260113 and 26.0.20260113, and no patch is currently available. Attackers with valid credentials can manipulate WHERE clauses to extract sensitive data, modify records, or compromise database integrity.

Stop Spammers Classic (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

Snow Monkey Forms WordPress plugin has an arbitrary file deletion vulnerability through insufficient path validation, enabling attackers to delete critical WordPress files.

The Passster - Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. [CVSS 6.4 MEDIUM]

The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. [CVSS 5.3 MEDIUM]

The Recooty - Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. [CVSS 4.3 MEDIUM]

The Search Atlas SEO - Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. [CVSS 8.8 HIGH]

Arbitrary file upload in AI Engine WordPress plugin versions up to 3.3.2 allows authenticated Editor-level users to bypass file type validation and execute remote code by uploading files through the `update_media_metadata` REST endpoint. An attacker can upload a benign image file and then rename it to PHP, placing executable code in the web-accessible uploads directory. The vulnerability affects WordPress installations with the plugin installed and requires Editor or higher privileges to exploit.

The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. [CVSS 6.4 MEDIUM]

The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_simple_folio_item_client_name' and '_simple_folio_item_link' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

The Interactions - Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config....

The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) [CVSS 5.3 MEDIUM]

Unauthenticated remote attackers can inject arbitrary OS commands through the MAC filter configuration parameter in D-Link DIR-615 firmware version 4.10 and potentially earlier versions. Public exploit code exists for this vulnerability, and affected devices are no longer receiving security updates from D-Link. Successful exploitation grants complete system compromise with high impact to confidentiality, integrity, and availability.

Command injection in D-Link DIR-615 firmware via the /set_temp_nodes.php URL Filter component allows unauthenticated remote attackers to execute arbitrary OS commands. Public exploit code exists for this vulnerability, which affects legacy unsupported devices with a 7.2 CVSS score and no available patch.

Mobile Shop Management System has code injection in ExAddNewUser.php.

Mobile Shop Management System has SQL injection in ExLogin.php.

Mobile Shop Management System has SQL injection in insertmessage.php.

Computer Book Store v1.0 has file upload in admin_add.php.

Mobile Shop Management System has file upload enabling web shell deployment.

Gila CMS before 2.0.0 has an RFI vulnerability enabling unauthenticated RCE.

Victor Cms versions up to 1.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

Link Invoice Payment for WooCommerce (WordPress plugin) versions up to 2.8.0. is affected by missing authorization (CVSS 5.3).

HUSTOJ online judge has a path traversal vulnerability enabling arbitrary file access on the competition server.

Remote code execution in D-Link DIR-615 firmware through os command injection via the ipaddr parameter in the Web Management Interface allows unauthenticated remote attackers to execute arbitrary commands. The vulnerability affects unsupported firmware versions up to 4.10, and public exploit code is available. No patch has been released by the vendor.

Unrestricted file upload in iJason-Liu Books_Manager allows authenticated attackers with high privileges to upload arbitrary files via the book_cover parameter in the upload_bookCover.php controller. Public exploit code exists for this vulnerability, increasing the risk of exploitation. A patch is not currently available for this rolling-release product.

A vulnerability has been found in iJason-Liu Books_Manager versions up to 298 is affected by cross-site scripting (xss) (CVSS 2.4).

SQL injection in Online Music Site 1.0's AdminDeleteUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can leverage this to compromise data confidentiality, integrity, and availability.

Unrestricted file upload in code-projects Online Examination System 1.0 via the /admin_pic.php endpoint allows authenticated remote attackers to upload arbitrary files with minimal complexity. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable code execution or system compromise depending on server configuration and file handling.

SQL injection in the login page of code-projects Online Examination System 1.0 allows unauthenticated remote attackers to manipulate the User parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and affects confidentiality, integrity, and availability of the affected system.

The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. [CVSS 6.8 MEDIUM]

The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin [CVSS 7.1 HIGH]

All-in-One Dynamic Content Framework versions up to 1.1.27 is affected by information exposure (CVSS 4.3).

WP Directory Kit (WordPress plugin) versions up to 1.4.9 is affected by information exposure (CVSS 5.3).

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. [CVSS 4.3 MEDIUM]

Moderate Selected Posts (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. [CVSS 4.3 MEDIUM]

The Administrative Shortcodes plugin for WordPress through version 0.3.4 allows authenticated contributors and above to execute arbitrary PHP code via insufficient path validation in the get_template shortcode's slug parameter. An attacker with contributor-level permissions can exploit this local file inclusion vulnerability to include malicious files, bypass access controls, and achieve remote code execution on the affected server. A patch is not currently available for this vulnerability.

The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alpha_block_css’ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WP Youtube Video Gallery (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

Simple Crypto Shortcodes (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

Wizit Gateway for WooCommerce (WordPress plugin) versions up to 1.2.9. is affected by missing authorization (CVSS 5.3).

The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. [CVSS 5.4 MEDIUM]

The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. [CVSS 5.3 MEDIUM]

The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. [CVSS 6.1 MEDIUM]