PHP
Monthly
Quick Contact Form (WordPress plugin) versions up to 8.2.6. is affected by improper input validation (CVSS 5.8).
Feeds for YouTube Pro (WordPress plugin) versions up to 2.6.0 is affected by path traversal (CVSS 5.9).
WeGIA charitable institution management software versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing unauthenticated attackers to redirect users to arbitrary external sites for phishing and credential theft. Public exploit code exists for this vulnerability. The flaw is resolved in version 3.6.2 and later.
WeGIA charitable institution management software versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing attackers to redirect authenticated users to malicious external sites. Public exploit code exists for this vulnerability, which can be leveraged for phishing, credential harvesting, and malware distribution attacks while maintaining the appearance of a trusted WeGIA domain. The vulnerability is resolved in WeGIA 3.6.2 and later versions.
WeGIA versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to properly validate the nextPage parameter, allowing attackers to redirect authenticated users to malicious external sites. Public exploit code exists for this vulnerability, enabling attackers to conduct phishing campaigns and credential harvesting attacks while leveraging the trust associated with the legitimate WeGIA domain. Update to version 3.6.2 or later to remediate this issue.
WeGIA versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing unauthenticated attackers to redirect users to arbitrary external websites. Public exploit code exists for this vulnerability, which can be leveraged for phishing, credential harvesting, and malware distribution attacks that abuse the trusted WeGIA domain. The vulnerability is resolved in version 3.6.2.
WeGIA prior to version 3.6.2 contains an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing attackers to craft malicious links redirecting users to arbitrary external sites for phishing and credential theft. Public exploit code exists for this vulnerability, which affects all users who click attacker-controlled links within the application. The vulnerability is resolved in version 3.6.2.
Stored XSS in WeGIA before version 3.6.2 allows authenticated users to inject malicious scripts into adopter information fields that execute in the browsers of all visitors to the affected pages. Public exploit code exists for this vulnerability, which impacts the html/pet/adotantes/cadastro_adotante.php and informacao_adotantes.php endpoints. Organizations should upgrade to version 3.6.2 or later to mitigate the risk of persistent JavaScript injection attacks.
Stored XSS in WeGIA's attendance incident form allows authenticated attackers to inject malicious scripts through unsanitized dropdown fields, affecting versions prior to 3.6.2. An attacker with login credentials can craft payloads that execute in other users' browsers when they view the affected page. Public exploit code exists for this vulnerability, and a patch is available in version 3.6.2 and later.
WeGIA web manager for charitable institutions has a reflected XSS vulnerability prior to version 3.6.2 that enables account takeover through crafted malicious links.
Omni Secure File versions up to 0.1.14 is affected by unrestricted upload of file with dangerous type.
Livewire Filemanager for Laravel contains an unrestricted file upload vulnerability allowing unauthenticated attackers to upload and execute arbitrary files on the server.
Restrict Content versions up to 3.2.16 is affected by authorization bypass through user-controlled key (CVSS 8.2).
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via wi...
The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
LEAV Last Email Address Validator (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulner...
and Prevents Security Breache versions up to 21.0.9 is affected by authorization bypass through user-controlled key (CVSS 4.3).
The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other u...
The All in One SEO - Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. [CVSS 4.3 MEDIUM]
All-in-One Video Gallery (WordPress plugin) versions up to 4.5.7. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. [CVSS 6.5 MEDIUM]
GravCMS 1.10.7 allows unauthenticated remote attackers to write arbitrary YAML configuration files, leading to full server compromise through admin account creation or code execution.
Uploadify WordPress plugin versions up to and including 1.0 contain an arbitrary file upload vulnerability in process_upload.php due to missing file type validation.
A time-based blind SQL Injection vulnerability exists in PHPGurukul Cyber Cafe Management System v1.0 within the adminprofile.php endpoint. [CVSS 8.8 HIGH]
Phpgurukul Cyber Cafe Management System v1.0 has SQL injection in the username parameter of add-users.php. PoC available.
Cyber Cafe Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 6.1).
Cyber Cafe Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 6.1).
Inadequate CSRF protection in Easy!Appointments 1.5.2 and earlier allows unauthenticated attackers to perform state-changing operations through GET requests, enabling account creation, credential modification, and complete admin account takeover. The vulnerability exists because csrf_verify() only validates POST requests while application endpoints accept parameters via GET or $_REQUEST. Public exploit code exists for this high-severity flaw and no patch is currently available.
Pimcore versions prior to 12.3.1 and 11.5.14 fail to properly validate authorization on the static routes API endpoint, allowing authenticated users without proper permissions to view sensitive route configurations including regex patterns and controller mappings. Public exploit code exists for this vulnerability, and no patch is currently available. The issue affects both PHP and Pimcore installations where backend users with limited privileges could gain unauthorized access to routing infrastructure details.
ProjeQtOr Project Management 9.1.4 allows guest users to upload PHP files through profile attachments. Unauthenticated RCE via web shell. PoC available.
Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. [CVSS 7.1 HIGH]
Patient Management System versions up to 2.0.2 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Patient Management System versions up to 2.0.2 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. PoC available.
InvoicePlane through 1.6.3 allows authenticated users to upload PHP files as attachments that can be executed remotely. Low privileges sufficient with scope change. PoC available.
The AffiliateX - Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. [CVSS 6.4 MEDIUM]
Supreme Modules Lite (WordPress plugin) versions up to 2.5.62. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
The Kalium 3 | Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. [CVSS 5.3 MEDIUM]
Drag and Drop Multiple File Upload for Contact Form 7 (WordPress plugin) is affected by missing authorization (CVSS 3.7).
WP-Members Membership Plugin (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 5.4).
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
Shopware versions 6.7.0.0 through 6.7.6.0 contain a code injection vulnerability in the map() function override that fails to validate PHP Closures against an allowlist, enabling authenticated attackers with high privileges to execute arbitrary code. The vulnerability reintroduces a regression from CVE-2023-2017 and affects the open commerce platform's core functionality. A patch is available in version 6.7.6.1.
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. [CVSS 5.4 MEDIUM]
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. [CVSS 5.4 MEDIUM]
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. [CVSS 5.4 MEDIUM]
Stopwords for comments (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
Perfit WooCommerce (WordPress plugin) versions up to 1.0.1. is affected by missing authorization (CVSS 5.3).
The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. [CVSS 4.4 MEDIUM]
The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. [CVSS 4.3 MEDIUM]
The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
The DASHBOARD BUILDER - WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. [CVSS 7.1 HIGH]
The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. [CVSS 7.2 HIGH]
News and Blog Designer Bundle for WordPress (through 1.1) has LFI via the template parameter, enabling unauthenticated arbitrary PHP file inclusion and execution.
Crush.pics Image Optimizer - Image Compression and Optimization (WordPress plugin) versions up to 1.8.7. is affected by missing authorization (CVSS 4.3).
The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accou...
The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. [CVSS 4.3 MEDIUM]
The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
Integration Opvius AI for WooCommerce (through 1.3.0) has unauthenticated path traversal allowing arbitrary file download and deletion. No authentication, no nonce verification, no path validation.
The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
Webgrind 1.1 and before contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via the file parameter in index.php. [CVSS 6.1 MEDIUM]
Webgrind 1.1 has unauthenticated command injection via the dataFile parameter in index.php. The profiling tool executes OS commands directly from URL parameters. PoC available.
eXtplorer 2.1.14 has an authentication bypass that allows passwordless login. Combined with the file manager's upload capability, this achieves unauthenticated RCE. PoC available.
e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. [CVSS 7.2 HIGH]
Wbce Cms versions up to 1.5.2 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server files through the Media Manager import functionality. [CVSS 7.2 HIGH]
ImpressCMS 1.4.4 has weak file upload extension filtering that can be bypassed using alternative PHP extensions (.php2, .php6, .php7, .phps, .pht). PoC available.
e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. [CVSS 7.2 HIGH]
e107 CMS 3.2.1 has multiple XSS vulnerabilities in news comments that allow executing arbitrary JavaScript. Rated CVSS 9.8 suggesting further exploitation potential beyond typical XSS. PoC available.
Nanocms versions up to 0.4 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Testa 3.5.1 contains a reflected cross-site scripting vulnerability in the login.php redirect parameter that allows attackers to inject malicious scripts. Attackers can craft a specially encoded payload in the redirect parameter to execute arbitrary JavaScript in victim's browser context. [CVSS 6.1 MEDIUM]
VIAVIWEB Wallpaper Admin 1.0 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the img_id parameter. [CVSS 6.5 MEDIUM]
VIAVIWEB Wallpaper Admin 1.0 allows unauthenticated PHP file upload through the add_gallery_image.php endpoint. PoC available.
4images 1.9 contains a remote command execution vulnerability that allows authenticated administrators to inject reverse shell code through template editing functionality. [CVSS 7.2 HIGH]
CuteEditor for PHP (now referred to as Rich Text Editor) 6.6 contains a directory traversal vulnerability in the browse template feature that allows attackers to write files to arbitrary web root directories. [CVSS 7.5 HIGH]
YouPHPTube <= 7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the 'lang' parameter in GET requests. [CVSS 5.5 MEDIUM]
WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser. [CVSS 6.1 MEDIUM]
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 has a stored XSS vulnerability exists in the Configuration (Information) functionality. [CVSS 4.3 MEDIUM]
phpgurukul News Portal V4.1 allows unauthenticated upload of any file type via upload.php. The third critical vulnerability in this application alongside file deletion and SQL injection. PoC available.
phpgurukul News Portal V4.1 has SQL injection in check_availablity.php. PoC available.
phpgurukul News Portal V4.1 allows unauthenticated arbitrary file deletion via remove_file.php. Attackers can delete any file on the server. PoC available.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lemonsoft WordPress add on allows Cross-Site Scripting (XSS).This issue affects WordPress add on: 2025.7.1.
The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. [CVSS 5.3 MEDIUM]
Arbitrary PHP code execution in TYPO3 CMS versions 10.0.0 through 14.0.1 through unsafe deserialization of mail spool files, allowing local attackers with write access to the spool directory to execute malicious code when the mailer:spool:send command is executed. Affected versions span multiple release lines including 10.x, 11.x, 12.x, 13.x, and 14.x, requiring immediate patching to prevent web server compromise.
The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. [CVSS 5.4 MEDIUM]
E-xact Hosted Payment WordPress plugin (through 2.0) allows unauthenticated arbitrary file deletion. Attackers can delete wp-config.php to trigger the WordPress installer and take over the site.
Dreamer Blog WordPress theme (through 1.2) allows unauthenticated arbitrary plugin/theme installations due to a missing capability check. Attackers can install malicious plugins to achieve RCE.
Quick Contact Form (WordPress plugin) versions up to 8.2.6. is affected by improper input validation (CVSS 5.8).
Feeds for YouTube Pro (WordPress plugin) versions up to 2.6.0 is affected by path traversal (CVSS 5.9).
WeGIA charitable institution management software versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing unauthenticated attackers to redirect users to arbitrary external sites for phishing and credential theft. Public exploit code exists for this vulnerability. The flaw is resolved in version 3.6.2 and later.
WeGIA charitable institution management software versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing attackers to redirect authenticated users to malicious external sites. Public exploit code exists for this vulnerability, which can be leveraged for phishing, credential harvesting, and malware distribution attacks while maintaining the appearance of a trusted WeGIA domain. The vulnerability is resolved in WeGIA 3.6.2 and later versions.
WeGIA versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to properly validate the nextPage parameter, allowing attackers to redirect authenticated users to malicious external sites. Public exploit code exists for this vulnerability, enabling attackers to conduct phishing campaigns and credential harvesting attacks while leveraging the trust associated with the legitimate WeGIA domain. Update to version 3.6.2 or later to remediate this issue.
WeGIA versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing unauthenticated attackers to redirect users to arbitrary external websites. Public exploit code exists for this vulnerability, which can be leveraged for phishing, credential harvesting, and malware distribution attacks that abuse the trusted WeGIA domain. The vulnerability is resolved in version 3.6.2.
WeGIA prior to version 3.6.2 contains an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing attackers to craft malicious links redirecting users to arbitrary external sites for phishing and credential theft. Public exploit code exists for this vulnerability, which affects all users who click attacker-controlled links within the application. The vulnerability is resolved in version 3.6.2.
Stored XSS in WeGIA before version 3.6.2 allows authenticated users to inject malicious scripts into adopter information fields that execute in the browsers of all visitors to the affected pages. Public exploit code exists for this vulnerability, which impacts the html/pet/adotantes/cadastro_adotante.php and informacao_adotantes.php endpoints. Organizations should upgrade to version 3.6.2 or later to mitigate the risk of persistent JavaScript injection attacks.
Stored XSS in WeGIA's attendance incident form allows authenticated attackers to inject malicious scripts through unsanitized dropdown fields, affecting versions prior to 3.6.2. An attacker with login credentials can craft payloads that execute in other users' browsers when they view the affected page. Public exploit code exists for this vulnerability, and a patch is available in version 3.6.2 and later.
WeGIA web manager for charitable institutions has a reflected XSS vulnerability prior to version 3.6.2 that enables account takeover through crafted malicious links.
Omni Secure File versions up to 0.1.14 is affected by unrestricted upload of file with dangerous type.
Livewire Filemanager for Laravel contains an unrestricted file upload vulnerability allowing unauthenticated attackers to upload and execute arbitrary files on the server.
Restrict Content versions up to 3.2.16 is affected by authorization bypass through user-controlled key (CVSS 8.2).
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via wi...
The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
LEAV Last Email Address Validator (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulner...
and Prevents Security Breache versions up to 21.0.9 is affected by authorization bypass through user-controlled key (CVSS 4.3).
The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other u...
The All in One SEO - Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. [CVSS 4.3 MEDIUM]
All-in-One Video Gallery (WordPress plugin) versions up to 4.5.7. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. [CVSS 6.5 MEDIUM]
GravCMS 1.10.7 allows unauthenticated remote attackers to write arbitrary YAML configuration files, leading to full server compromise through admin account creation or code execution.
Uploadify WordPress plugin versions up to and including 1.0 contain an arbitrary file upload vulnerability in process_upload.php due to missing file type validation.
A time-based blind SQL Injection vulnerability exists in PHPGurukul Cyber Cafe Management System v1.0 within the adminprofile.php endpoint. [CVSS 8.8 HIGH]
Phpgurukul Cyber Cafe Management System v1.0 has SQL injection in the username parameter of add-users.php. PoC available.
Cyber Cafe Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 6.1).
Cyber Cafe Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 6.1).
Inadequate CSRF protection in Easy!Appointments 1.5.2 and earlier allows unauthenticated attackers to perform state-changing operations through GET requests, enabling account creation, credential modification, and complete admin account takeover. The vulnerability exists because csrf_verify() only validates POST requests while application endpoints accept parameters via GET or $_REQUEST. Public exploit code exists for this high-severity flaw and no patch is currently available.
Pimcore versions prior to 12.3.1 and 11.5.14 fail to properly validate authorization on the static routes API endpoint, allowing authenticated users without proper permissions to view sensitive route configurations including regex patterns and controller mappings. Public exploit code exists for this vulnerability, and no patch is currently available. The issue affects both PHP and Pimcore installations where backend users with limited privileges could gain unauthorized access to routing infrastructure details.
ProjeQtOr Project Management 9.1.4 allows guest users to upload PHP files through profile attachments. Unauthenticated RCE via web shell. PoC available.
Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. [CVSS 7.1 HIGH]
Patient Management System versions up to 2.0.2 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Patient Management System versions up to 2.0.2 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. PoC available.
InvoicePlane through 1.6.3 allows authenticated users to upload PHP files as attachments that can be executed remotely. Low privileges sufficient with scope change. PoC available.
The AffiliateX - Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. [CVSS 6.4 MEDIUM]
Supreme Modules Lite (WordPress plugin) versions up to 2.5.62. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
The Kalium 3 | Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. [CVSS 5.3 MEDIUM]
Drag and Drop Multiple File Upload for Contact Form 7 (WordPress plugin) is affected by missing authorization (CVSS 3.7).
WP-Members Membership Plugin (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 5.4).
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
Shopware versions 6.7.0.0 through 6.7.6.0 contain a code injection vulnerability in the map() function override that fails to validate PHP Closures against an allowlist, enabling authenticated attackers with high privileges to execute arbitrary code. The vulnerability reintroduces a regression from CVE-2023-2017 and affects the open commerce platform's core functionality. A patch is available in version 6.7.6.1.
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. [CVSS 5.4 MEDIUM]
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. [CVSS 5.4 MEDIUM]
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. [CVSS 5.4 MEDIUM]
Stopwords for comments (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
Perfit WooCommerce (WordPress plugin) versions up to 1.0.1. is affected by missing authorization (CVSS 5.3).
The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. [CVSS 4.4 MEDIUM]
The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. [CVSS 4.3 MEDIUM]
The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
The DASHBOARD BUILDER - WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. [CVSS 7.1 HIGH]
The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. [CVSS 7.2 HIGH]
News and Blog Designer Bundle for WordPress (through 1.1) has LFI via the template parameter, enabling unauthenticated arbitrary PHP file inclusion and execution.
Crush.pics Image Optimizer - Image Compression and Optimization (WordPress plugin) versions up to 1.8.7. is affected by missing authorization (CVSS 4.3).
The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accou...
The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. [CVSS 4.3 MEDIUM]
The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
Integration Opvius AI for WooCommerce (through 1.3.0) has unauthenticated path traversal allowing arbitrary file download and deletion. No authentication, no nonce verification, no path validation.
The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
Webgrind 1.1 and before contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via the file parameter in index.php. [CVSS 6.1 MEDIUM]
Webgrind 1.1 has unauthenticated command injection via the dataFile parameter in index.php. The profiling tool executes OS commands directly from URL parameters. PoC available.
eXtplorer 2.1.14 has an authentication bypass that allows passwordless login. Combined with the file manager's upload capability, this achieves unauthenticated RCE. PoC available.
e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. [CVSS 7.2 HIGH]
Wbce Cms versions up to 1.5.2 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server files through the Media Manager import functionality. [CVSS 7.2 HIGH]
ImpressCMS 1.4.4 has weak file upload extension filtering that can be bypassed using alternative PHP extensions (.php2, .php6, .php7, .phps, .pht). PoC available.
e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. [CVSS 7.2 HIGH]
e107 CMS 3.2.1 has multiple XSS vulnerabilities in news comments that allow executing arbitrary JavaScript. Rated CVSS 9.8 suggesting further exploitation potential beyond typical XSS. PoC available.
Nanocms versions up to 0.4 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Testa 3.5.1 contains a reflected cross-site scripting vulnerability in the login.php redirect parameter that allows attackers to inject malicious scripts. Attackers can craft a specially encoded payload in the redirect parameter to execute arbitrary JavaScript in victim's browser context. [CVSS 6.1 MEDIUM]
VIAVIWEB Wallpaper Admin 1.0 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the img_id parameter. [CVSS 6.5 MEDIUM]
VIAVIWEB Wallpaper Admin 1.0 allows unauthenticated PHP file upload through the add_gallery_image.php endpoint. PoC available.
4images 1.9 contains a remote command execution vulnerability that allows authenticated administrators to inject reverse shell code through template editing functionality. [CVSS 7.2 HIGH]
CuteEditor for PHP (now referred to as Rich Text Editor) 6.6 contains a directory traversal vulnerability in the browse template feature that allows attackers to write files to arbitrary web root directories. [CVSS 7.5 HIGH]
YouPHPTube <= 7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the 'lang' parameter in GET requests. [CVSS 5.5 MEDIUM]
WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser. [CVSS 6.1 MEDIUM]
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 has a stored XSS vulnerability exists in the Configuration (Information) functionality. [CVSS 4.3 MEDIUM]
phpgurukul News Portal V4.1 allows unauthenticated upload of any file type via upload.php. The third critical vulnerability in this application alongside file deletion and SQL injection. PoC available.
phpgurukul News Portal V4.1 has SQL injection in check_availablity.php. PoC available.
phpgurukul News Portal V4.1 allows unauthenticated arbitrary file deletion via remove_file.php. Attackers can delete any file on the server. PoC available.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lemonsoft WordPress add on allows Cross-Site Scripting (XSS).This issue affects WordPress add on: 2025.7.1.
The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. [CVSS 5.3 MEDIUM]
Arbitrary PHP code execution in TYPO3 CMS versions 10.0.0 through 14.0.1 through unsafe deserialization of mail spool files, allowing local attackers with write access to the spool directory to execute malicious code when the mailer:spool:send command is executed. Affected versions span multiple release lines including 10.x, 11.x, 12.x, 13.x, and 14.x, requiring immediate patching to prevent web server compromise.
The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. [CVSS 5.4 MEDIUM]
E-xact Hosted Payment WordPress plugin (through 2.0) allows unauthenticated arbitrary file deletion. Attackers can delete wp-config.php to trigger the WordPress installer and take over the site.
Dreamer Blog WordPress theme (through 1.2) allows unauthenticated arbitrary plugin/theme installations due to a missing capability check. Attackers can install malicious plugins to achieve RCE.