PHP

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion.This issue affects Biagiotti: from n/a through < 3.5.2. [CVSS 8.1 HIGH]

Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa WP SEO Search wp-seo-search allows Cross Site Request Forgery.This issue affects WP SEO Search: from n/a through <= 1.1. [CVSS 4.3 MEDIUM]

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Mella mella allows PHP Local File Inclusion.This issue affects Mella: from n/a through <= 1.2.29. [CVSS 8.1 HIGH]

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bslthemes Myour myour allows PHP Local File Inclusion.This issue affects Myour: from n/a through <= 1.5.1. [CVSS 8.1 HIGH]

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes WerkStatt Plugin werkstatt-plugin allows PHP Local File Inclusion.This issue affects WerkStatt Plugin: from n/a through <= 1.6.6. [CVSS 7.5 HIGH]

Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CRM System: from n/a through <= 3.4.5. [CVSS 8.8 HIGH]

News Event WordPress theme by blazethemes has an unrestricted file upload allowing web shell deployment and remote code execution.

Blogmatic WordPress theme by blazethemes has an unrestricted file upload vulnerability allowing attackers to upload web shells for persistent server access.

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) that allows unauthenticated attackers to execute arbitrary remote PHP code on the server.

adamlabs WordPress Photo Gallery photo-gallery-portfolio is affected by cross-site scripting (xss) (CVSS 6.1).

A WordPress plugin has a PHP Remote File Inclusion vulnerability allowing attackers to include malicious remote PHP files for unauthenticated code execution.

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) enabling unauthenticated remote code execution through crafted include paths.

WP Learn SQL Injection allows unauthenticated attackers to execute arbitrary SQL queries against the WordPress database, exposing all stored data.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection.This issue affects WP Lead Capturing Pages: from n/a through <= 2.5. [CVSS 8.8 HIGH]

LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel is affected by cross-site scripting (xss) (CVSS 6.1).

A WordPress plugin has a PHP Remote File Inclusion vulnerability allowing unauthenticated attackers to include and execute arbitrary remote PHP files on the server.

Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. [CVSS 7.2 HIGH]

HUSTOJ online judge system has a CSV injection vulnerability in all versions that allows code execution through crafted submissions exported to spreadsheets.

SEO Panel versions prior to 4.9.0 contain a blind SQL injection vulnerability in the archive.php page that allows authenticated attackers to manipulate database queries through the 'order_col' parameter. [CVSS 7.1 HIGH]

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. [CVSS 8.8 HIGH]

GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server. [CVSS 7.2 HIGH]

Academy LMS WordPress plugin has a privilege escalation vulnerability allowing unauthenticated users to bypass access controls and gain elevated privileges on WordPress sites.

Revive Adserver's afr.php script contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through crafted URLs targeting logged-in administrators. An attacker can exploit this to execute arbitrary JavaScript in an admin's browser session, potentially leading to unauthorized actions or credential theft. No patch is currently available for this vulnerability.

Revive Adserver's banner-acl.php script contains a reflected cross-site scripting vulnerability that allows attackers to execute arbitrary scripts in the browsers of authenticated administrators through a crafted URL. An attacker can inject malicious HTML payloads into vulnerable parameters, which execute when an admin visits the malicious link, potentially compromising administrative sessions and server configuration. No patch is currently available for this vulnerability.

Revive Adserver's banner-acl.php and channel-acl.php scripts contain reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary JavaScript in an administrator's browser by crafting malicious URLs. An authenticated attacker can exploit this to perform actions with administrative privileges if a logged-in admin visits the crafted link. No patch is currently available for this vulnerability affecting PHP-based Revive Adserver installations.

Revive Adserver contains an authorization flaw in the tracker deletion function that permits authenticated users to delete trackers belonging to other accounts. An attacker with valid credentials can exploit this access control bypass to remove tracking objects outside their administrative scope, potentially disrupting competitor or other user operations. No patch is currently available for this vulnerability.

HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error. [CVSS 2.7 LOW]

PHP object injection in the Nexter Extension plugin for WordPress (versions up to 4.4.6) allows unauthenticated remote attackers to deserialize untrusted data, potentially enabling arbitrary code execution, file deletion, or data theft if a compatible POP chain exists in other installed plugins or themes. The vulnerability has a high CVSS score of 8.1 but currently lacks a public exploit chain in the vulnerable software itself. No patch is currently available.

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

The NotificationX - FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. [CVSS 7.2 HIGH]

The Creator LMS - The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. [CVSS 8.8 HIGH]

The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. [CVSS 5.4 MEDIUM]

Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/<PATH>.php/<XSS>'.

Poultry Farm Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 5.4).

Poultry Farm Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 5.4).

Reflected Cross-Site Scripting (XSS) vulnerability in Riftzilla's QRGen. This vulnerability allows an attavker to execute JavaScript code in the victim's browser by sending them a malicious URL using the 'id' parameter in '/article.php'.

Advanced Custom Fields: Extended plugin for WordPress has a privilege escalation vulnerability allowing unauthenticated users to gain admin access in all versions up to the latest.

The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data. [CVSS 6.5 MEDIUM]

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. [CVSS 8.1 HIGH]

The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. [CVSS 5.3 MEDIUM]

The LearnPress - WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. [CVSS 5.3 MEDIUM]

The Custom Fonts - Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. [CVSS 5.3 MEDIUM]

The PeachPay - Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. [CVSS 5.3 MEDIUM]

Improper authentication in CRMEB up to version 5.6.3 allows remote attackers to manipulate the uid parameter in the LoginServices.php token handler to bypass authentication, despite requiring high complexity. Public exploit code exists for this vulnerability, though no patch is currently available from the vendor.

Authentication bypass in CRMEB up to version 5.6.3 allows unauthenticated remote attackers to manipulate the openId parameter in the Apple login function, gaining unauthorized access without valid credentials. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The flaw affects the LoginController.php authentication mechanism and carries a CVSS score of 7.3 with confirmed impact to confidentiality, integrity, and availability.

Image Photo Gallery Final Tiles Grid (WordPress plugin) versions up to 3.6.9. is affected by missing authorization (CVSS 5.4).

Online Store Management System versions up to 1.01 contains a vulnerability that allows attackers to command injection (CVSS 7.3).

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /subject/index.php allows unauthenticated remote attackers to query, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network against vulnerable instances.

Insecure Direct Object Reference (IDOR) in teklifolustur_app PHP application allows authenticated users to access and view quotes belonging to other users by manipulating the offer_id parameter, due to insufficient authorization validation. An attacker with valid credentials can enumerate and read sensitive quote data from other organization members without proper access controls. No patch is currently available for this vulnerability.

HotCRP conference review software version 3.1 has an inadequate input sanitization flaw (CVSS 9.9) that allows authenticated users to execute arbitrary code on the server through crafted submissions.

SQL injection in Koko Analytics for WordPress prior to version 2.1.3 allows unauthenticated attackers to inject malicious SQL through the public tracking endpoint, which gets stored unescaped and executed when administrators export and reimport analytics data. Public exploit code exists for this vulnerability, enabling attackers to execute arbitrary SQL commands including database manipulation and potential data destruction. The vulnerability affects WordPress installations using vulnerable versions of the Koko Analytics plugin and requires administrator interaction with a malicious export file to fully exploit.

PHPGurukul Directory Management System 1.0 contains a SQL injection vulnerability in the search functionality of /index.php that allows unauthenticated remote attackers to manipulate the searchdata parameter and execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch is currently available. The vulnerability impacts confidentiality, integrity, and availability with a CVSS score of 7.3.

Online Frozen Foods Ordering System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

E-Learning System versions up to 1.0 contains a vulnerability that allows attackers to basic cross site scripting (CVSS 4.3).

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

PHPGurukul News Portal 1.0 contains an authorization bypass in the /admin/add-subadmins.php component that allows authenticated attackers to gain unauthorized access and modify system data. Public exploit code exists for this vulnerability, making it readily exploitable by remote actors. A patch is not currently available, leaving installations vulnerable until an update is released.

Reflected cross-site scripting in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the Title parameter in /admin/activity.php. Public exploit code exists for this vulnerability, enabling potential attacks against affected deployments. A security patch is not currently available.

Reflected cross-site scripting in itsourcecode Society Management System 1.0 allows remote attackers to inject malicious scripts through the detail parameter in /admin/expenses.php, potentially compromising administrator sessions and data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving deployed instances at risk of client-side attacks.

Society Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

SQL injection in itsourcecode Society Management System 1.0 allows authenticated attackers to manipulate the Title parameter in /admin/add_activity.php, enabling remote data exfiltration, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

Unrestricted file upload in EyouCMS versions up to 1.7.1/5.0 allows authenticated remote attackers to upload arbitrary files through manipulation of the viewfile parameter in the Member Avatar Handler component. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An authenticated attacker could leverage this to upload malicious files and potentially achieve remote code execution.

Improper authorization in Chamilo LMS up to 2.0.0 Beta 1 allows authenticated users to manipulate the userId parameter in the Legal Consent Handler's deleteLegal function, enabling unauthorized modification or deletion of legal consent records. Public exploit code exists for this vulnerability, and no patch is currently available. The vendor has not responded to disclosure attempts.

SQL injection in EasyCMS up to version 1.6 via the _order parameter in /UserAction.class.php allows unauthenticated remote attackers to manipulate database queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

SQL injection in FeMiner Warehouse Management System's /src/chkuser.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided patches despite early notification. The flaw affects all versions up to commit 9cad1f1b179a98b9547fd003c23b07c7594775fa and enables attackers to potentially read, modify, or delete sensitive warehouse data.

The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/che...

The WooCommerce mobile phone registration plugin has an authentication bypass vulnerability allowing unauthenticated attackers to log in as any user, including administrators, with EPSS 0.42%.

Demo Importer Plus (WordPress plugin) is affected by improper restriction of xml external entity reference (CVSS 7.5).

All-in-One Dynamic Content Framework versions up to 1.1.27 is affected by information exposure (CVSS 5.3).

The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]

The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. [CVSS 5.3 MEDIUM]

User Registration Using Contact Form 7 (WordPress plugin) is affected by missing authorization (CVSS 5.3).

Phrase TMS Integration for WordPress (WordPress plugin) is affected by missing authorization (CVSS 4.3).

The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, p...

The Gutenberg Thim Blocks - Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. [CVSS 6.5 MEDIUM]

The RegistrationMagic WordPress plugin up to version 6.0 allows unauthenticated privilege escalation, enabling attackers to create admin accounts and take over WordPress sites.

The Filr - Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. [CVSS 4.4 MEDIUM]

The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. [CVSS 6.5 MEDIUM]

The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing...

Quick Contact Form (WordPress plugin) versions up to 8.2.6. is affected by improper input validation (CVSS 5.8).

Feeds for YouTube Pro (WordPress plugin) versions up to 2.6.0 is affected by path traversal (CVSS 5.9).