PHP
Monthly
The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. [CVSS 5.4 MEDIUM]
E-xact Hosted Payment WordPress plugin (through 2.0) allows unauthenticated arbitrary file deletion. Attackers can delete wp-config.php to trigger the WordPress installer and take over the site.
Dreamer Blog WordPress theme (through 1.2) allows unauthenticated arbitrary plugin/theme installations due to a missing capability check. Attackers can install malicious plugins to achieve RCE.
Remote code execution in Emlog v2.6.1 and earlier allows authenticated attackers to upload arbitrary files through an insufficiently validated REST API endpoint (/index.php?rest-api=upload), enabling malicious PHP execution on the server. Attackers can exploit this by obtaining valid API credentials through administrator access or information disclosure flaws, then uploading executable scripts to achieve full system compromise. Public exploit code exists for this vulnerability, and affected administrators should apply available patches immediately.
WebErpMesv2 is a web-based resource management and manufacturing execution system for industry. [CVSS 5.4 MEDIUM]
GYM-MANAGEMENT-SYSTEM 1.0 has multiple SQL injection vulnerabilities in search and payment endpoints (member_search, trainer_search, gym_search, payment_search). PoC available.
Gym Management System PHP 1.0 has multiple SQL injection vulnerabilities across three files (submit_contact.php, secure_login.php, change_s_pwd.php) through seven parameters. Authentication bypass and data extraction possible.
A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document. [CVSS 5.4 MEDIUM]
Kashipara Online Exam System V1.0 has SQL injection in profile.php through five POST parameters (rname, rcollage, rnumber, rgender, rpassword). PoC available.
Arbitrary file disclosure in osTicket 1.18.x before 1.18.3 and 1.17.x before 1.17.7 allows unauthenticated attackers to read sensitive server files by injecting malicious PHP filter expressions into ticket descriptions that are processed during PDF export. The vulnerability exploits insufficient sanitization in the mPDF library integration, enabling attackers to embed arbitrary file contents as images in generated PDFs when exporting tickets. Public exploit code exists and the issue affects default configurations where guest ticket creation is enabled.
Imaster's MEMS Events CRM contains an SQL injection vulnerability in the 'phone' parameter of '/memsdemo/login.php'.
Imaster's MEMS Events CRM contains an SQL injection vulnerability in the 'keyword' parameter of '/memsdemo/exchange_offers.php'.
Imaster's Patient Records Management System is vulnerable to SQL injection in the endpoint '/projects/hospital/admin/complaints.php' through the 'id' parameter.
Imaster's Patient Record Management System contains a stored Cross-Site Scripting (XSS) vulnerability in the endpoint '/projects/hospital/admin/edit_patient.php'.
The Quiz Maker WordPress plugin, in versions up to 6.7.0.89, contains a vulnerability that allows high-privilege users such as administrators to perform stored Cross-Site Scripting (CVSS 4.8).
SQL injection in Online Music Site 1.0's AdminUpdateUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable unauthorized data access, modification, or deletion with confidentiality, integrity, and availability impact.
SQL injection in code-projects Online Music Site 1.0 via the txtusername parameter in AdminAddUser.php enables unauthenticated remote attackers to manipulate database queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.
Intern Membership Management System, in versions up to 1.0, contains a SQL injection vulnerability (CVSS 4.7).
SQL injection in jjjfood and jjjshop_food PHP applications through the latitude parameter in /index.php/api/product.category/index allows authenticated attackers to execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite notification. Affected installations up to version 20260103 should implement immediate mitigation measures.
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. [CVSS 4.3 MEDIUM]
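The FIFU entry above describes the general SSRF shape: a user-supplied URL reaches getimagesize() with no check on scheme or destination. The following is an added example, not FIFU's code, of the pre-flight check such a plugin needs before fetching. Function names and the test URLs are constructed. Inside WordPress, wp_safe_remote_get() and wp_http_validate_url() already perform this kind of check; the example shows what they reject and why.

```php
<?php
// Added example (not FIFU's code). Validates a user-supplied image URL before it is
// handed to getimagesize() or any other fetching function. Names are constructed.
//
// Caveat: the name is resolved once here and again by the fetch, so a DNS-rebinding
// attacker can still win unless the fetch pins the resolved IP (connect to the IP and
// send the Host header yourself, or use a client that does). This check is the
// necessary first layer, not the whole defence.

function is_public_ip(string $ip): bool
{
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
    // NO_RES_RANGE : 0/8, 127/8, 169.254/16 (cloud metadata), 240/4, ::1, ::, ...
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function safe_image_url(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;                                   // file:///etc/passwd has no host
    }
    // Only http(s). getimagesize() otherwise accepts php://, ftp://, data:, ...
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                                   // http://trusted@127.0.0.1/ tricks
    }
    $host = strtolower(trim($p['host'], '[]'));        // strip IPv6 brackets
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    if (!is_public_ip($ip)) {
        return null;                                   // loopback, RFC1918, link-local, ...
    }
    return $url;
}

function image_size_from_url(string $url): ?array
{
    $checked = safe_image_url($url);
    if ($checked === null) {
        return null;
    }
    // Still bound the fetch: default_socket_timeout applies to the stream wrapper.
    $info = @getimagesize($checked);
    return $info ?: null;
}

// Constructed inputs; every host here is an IP literal or resolves locally, so the
// verdicts are reproducible offline.
foreach ([
    'http://127.0.0.1:8080/admin',
    'http://169.254.169.254/latest/meta-data/',
    'http://10.0.0.5/x.png',
    'http://[::1]/x.png',
    'http://localhost/x.png',
    'http://user@127.0.0.1/',
    'file:///etc/passwd',
    'php://filter/resource=/etc/passwd',
    'https://203.0.113.10/logo.png',
] as $url) {
    printf("%-42s %s\n", $url, safe_image_url($url) === null ? 'refused' : 'allowed');
}
```

Only the last URL (a public TEST-NET address) is allowed. Two points the page's SSRF entries hinge on: an allowlist of schemes is not optional, because getimagesize() follows any stream wrapper PHP knows; and the address check has to run on the resolved IP, not on the hostname string, or 'localhost' and attacker-controlled DNS names pass.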
Shortcodes and extra features for Phlox theme (WordPress plugin) is affected by Cross-Site Scripting (XSS) (CVSS 6.4).
The Countdown Timer - Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The User Registration & Membership - Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. [CVSS 5.4 MEDIUM]
Stored cross-site scripting (XSS) in HAX CMS versions 11.0.6 through 24.x allows authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially leading to account takeover. Public exploit code exists for this vulnerability affecting both PHP and Node.js deployments. Users should upgrade to version 25.0.0 or later to remediate the issue.
miniOrange OTP Verification and SMS Notification for WooCommerce (WordPress plugin) is affected by missing authorization (CVSS 5.3).
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. [CVSS 4.3 MEDIUM]
WooCommerce Square (WordPress plugin), in versions up to 5.1.1, is affected by authorization bypass through a user-controlled key (CVSS 7.5).
SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancel_order.php endpoint. [CVSS 6.5 MEDIUM]
GestSup before version 3.2.60 contains a pre-authentication stored XSS vulnerability in its API error logging: unauthenticated attackers can inject script into log entries via crafted API requests. When an administrator views those logs in the web interface, the script executes in the administrator's browser because the log output is not encoded, enabling compromise of administrator accounts without prior authentication.
A vulnerability was found in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/editsite.php. [CVSS 4.7 MEDIUM]
AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget.
PHPGurukul Online Course Registration System through version 3.1 contains a SQL injection vulnerability in /enroll.php that allows authenticated attackers to manipulate multiple parameters (studentregno, Pincode, session, department, level, course, sem) to execute arbitrary database queries over the network. Public exploit code exists for this vulnerability, and no patch is currently available, creating risk for deployments handling course enrollment data.
WP Page Permalink Extension (WordPress plugin), in versions up to 1.5.4, is affected by missing authorization (CVSS 6.5).
The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_name' parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The 'The Tooltip' plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aft_testimonial_meta_name' custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. [CVSS 6.4 MEDIUM]
The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `category` parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. [CVSS 5.3 MEDIUM]
The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
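Four entries above (Lesson Plan Book, MG AdvancedOptions, Shabat Keeper, Top Position Google Finance) share one root cause: `$_SERVER['PHP_SELF']` echoed into a form action. PHP_SELF includes any client-supplied path info, so on a server that accepts it the attacker controls the tail of the value. The block below is an added example, not code from any of those plugins; the request value is constructed.

```php
<?php
// Added example, not code from any plugin listed above. Shows why echoing
// $_SERVER['PHP_SELF'] into a form action is a reflected XSS, and two fixes.
// Constructed request: PHP_SELF carries the client-supplied PATH_INFO, so on
// servers that accept path info the attacker controls everything after the script.
$_SERVER['PHP_SELF'] = '/wp-admin/admin.php/"><script>alert(document.domain)</script><"';

// VULNERABLE: the pattern behind the reflected-XSS entries above.
function form_action_vulnerable(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// FIX 1: escape for the attribute context. ENT_QUOTES matters because the value
// sits inside double quotes; inside WordPress, esc_attr() does the same job.
function form_action_escaped(): string
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// FIX 2: do not reflect the request at all. An empty action posts back to the
// current URL; inside WordPress, admin_url('admin.php?page=...') gives a fixed,
// server-chosen target, which is the better option for plugin settings pages.
function form_action_fixed(): string
{
    return '<form action="" method="post">';
}

echo "vulnerable: ", form_action_vulnerable(), PHP_EOL;
echo "escaped:    ", form_action_escaped(), PHP_EOL;
echo "fixed:      ", form_action_fixed(), PHP_EOL;
```

The same applies to `$_SERVER['REQUEST_URI']`, `QUERY_STRING` and `HTTP_HOST`: all are attacker-controlled request data, not server configuration. A quick audit of an install is `grep -rn "PHP_SELF" wp-content/plugins/ wp-content/themes/`, followed by checking whether each hit is wrapped in esc_attr(), esc_url() or htmlspecialchars().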
The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
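The stored-XSS-via-shortcode entries above (Countdown Timer, Woodpecker, The Tooltip, PullQuote, Curved Text, Debt.com Business in a Box, Autogen Headers Menu, WP Popup Magic, Nearby Now Reviews, Entry Views) are all one pattern: a Contributor, who cannot post raw HTML, writes a shortcode whose attribute is dropped straight into markup, and the script runs for every viewer of the post, administrators included. The plugin below is an added example, not code from any of those plugins; the shortcode name `ccx_box` and its attributes are constructed. It runs as a normal plugin inside a WordPress install.

```php
<?php
/*
Plugin Name: Shortcode Escaping Example
Description: Added example, not code from any plugin listed on this page.
*/

// VULNERABLE: attributes placed into HTML as-is. A post containing
// [ccx_box_vulnerable title='<img src=x onerror=alert(1)>'] runs script for
// whoever views the post.
add_shortcode('ccx_box_vulnerable', function ($atts) {
    $atts = shortcode_atts(
        ['class' => '', 'title' => '', 'url' => '', 'width' => '300'],
        $atts, 'ccx_box_vulnerable'
    );
    return '<div class="' . $atts['class'] . '" style="width:' . $atts['width'] . 'px">'
         . '<a href="' . $atts['url'] . '">' . $atts['title'] . '</a></div>';
});

// HARDENED: escape for each output context, and validate values whose escaped
// form is still dangerous (CSS lengths, URLs, class names).
add_shortcode('ccx_box', function ($atts) {
    $atts = shortcode_atts(
        ['class' => '', 'title' => '', 'url' => '', 'width' => '300'],
        $atts, 'ccx_box'
    );

    $class = sanitize_html_class($atts['class']);      // letters, digits, '-' and '_' only
    $width = max(0, min(2000, absint($atts['width']))); // a number, bounded; escaping alone
                                                        // would still allow "300px;..." in style
    $url   = esc_url($atts['url']);                     // empty string for javascript: and
                                                        // other disallowed schemes
    $title = esc_html($atts['title']);                  // text-node context

    return sprintf(
        '<div class="%s" style="width:%dpx"><a href="%s">%s</a></div>',
        esc_attr($class), $width, $url, $title
    );
});
```

The rule of thumb the Wordfence-style entries encode as "insufficient input sanitization and output escaping": sanitize on the way in to constrain the type (number, class name, URL), escape on the way out for the exact context (esc_attr for attribute values, esc_html for text, esc_url for href/src). Neither step substitutes for the other.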
Frontend Admin by DynamiApps (WordPress plugin) is affected by Cross-Site Scripting (XSS) (CVSS 7.2).
Frontend Admin by DynamiApps (through 3.28.25) also allows unauthenticated deletion of arbitrary posts, pages, products, taxonomy terms, and user accounts due to missing capability checks.
The Eventin - Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. [CVSS 7.2 HIGH]
The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible ...
eLearning and online course solution, in versions up to 3.9.2, is affected by missing authorization (CVSS 4.3).
eLearning and online course solution, in versions up to 3.9.3, is affected by missing authorization (CVSS 4.3).
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. [CVSS 4.3 MEDIUM]
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. [CVSS 7.2 HIGH]
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. [CVSS 6.5 MEDIUM]
The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. [CVSS 5.3 MEDIUM]
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. [CVSS 5.3 MEDIUM]
The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by...
The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. [CVSS 5.3 MEDIUM]
The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings, and can be configured in a way that allows subscribers to perform Stored Cross-Site Scripting. [CVSS 6.8 MEDIUM]
The Clearfy Cache - WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. [CVSS 4.3 MEDIUM]
The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. [CVSS 5.3 MEDIUM]
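The "missing capability check" entries above (WP Duplicate Page, Contact Form vCard Generator, Eventin, Tutor LMS, Amelia, Japanized for WooCommerce) and the "missing nonce validation" entries (Clearfy Cache, User Registration & Membership, QloApps) are two different checks that WordPress handlers need, and they are routinely confused: the nonce proves the request was issued from the plugin's own page (anti-CSRF); the capability check proves the user is allowed to do the thing (authorization). The REST entries (weDocs, Japanized for WooCommerce) are the same authorization gap expressed as a missing or permissive `permission_callback`. The plugin below is an added example, not code from any of those plugins; the action names, option name and route are constructed. It runs as a normal plugin inside a WordPress install.

```php
<?php
/*
Plugin Name: Capability Check Example
Description: Added example, not code from any plugin listed on this page.
*/

// VULNERABLE: any logged-in user (wp_ajax_ fires for every authenticated role),
// no nonce, no capability check. A Subscriber, or a CSRF victim, can overwrite it.
add_action('wp_ajax_ccx_save_settings_vulnerable', function () {
    update_option('ccx_settings', wp_unslash($_POST['settings'] ?? ''));
    wp_send_json_success();
});

// HARDENED admin-ajax handler: nonce, then capability, then input constraints.
add_action('wp_ajax_ccx_save_settings', function () {
    // 1. Nonce (anti-CSRF). Reads $_REQUEST['_ajax_nonce'] and dies with 403 on failure.
    //    Create it for the page's JavaScript with wp_create_nonce('ccx_save_settings').
    check_ajax_referer('ccx_save_settings', '_ajax_nonce');

    // 2. Capability (authorization). The nonce says nothing about who the user is.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'insufficient privileges'], 403);
    }

    // 3. Input: constrain to exactly what the handler needs.
    $raw = (array) wp_unslash($_POST['settings'] ?? []);
    $settings = [
        'enabled' => !empty($raw['enabled']),
        'label'   => sanitize_text_field($raw['label'] ?? ''),
        'limit'   => max(0, min(100, absint($raw['limit'] ?? 0))),
    ];
    update_option('ccx_settings', $settings);
    wp_send_json_success($settings);
});
// Deliberately NOT registered: wp_ajax_nopriv_ccx_save_settings. Adding the
// nopriv hook would expose the handler to unauthenticated requests.

// HARDENED REST route. The root cause behind the REST entries above is a
// permission_callback that is missing or set to '__return_true'; authorization
// belongs here, not inside the callback. 'manage_options' stands in for whatever
// capability actually fits the resource (orders, docs settings, ...).
add_action('rest_api_init', function () {
    register_rest_route('ccx/v1', '/settings', [
        'methods'             => 'POST',
        'permission_callback' => fn () => current_user_can('manage_options'),
        'args'                => [
            'label' => [
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ],
        ],
        'callback'            => function (WP_REST_Request $req) {
            $settings = (array) get_option('ccx_settings', []);
            $settings['label'] = $req['label'];
            update_option('ccx_settings', $settings);
            return rest_ensure_response($settings);
        },
    ]);
});
```

REST requests authenticate via cookies only when the `X-WP-Nonce` header carries `wp_create_nonce('wp_rest')`; that is core's CSRF protection, which is why a route needs no separate nonce check but does need a real permission_callback. For handlers that act on a specific object (duplicate this post, delete this coupon), check the object-level capability (`current_user_can('edit_post', $post_id)`) rather than a global one.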
SQL injection in PHPGurukul Online Course Registration System through 3.1 allows authenticated attackers to manipulate the id/cid parameters in the manage-students.php admin function, enabling unauthorized database access and potential data modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in the Intern Membership Management System 1.0 add_activity.php file allows authenticated administrators to manipulate the Title parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw enables an authenticated attacker with high privileges to compromise data confidentiality and integrity.
The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_connection_id’ parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
SQL injection in the Intern Membership Management System 1.0 admin deletion function allows authenticated attackers with high privileges to manipulate the admin_id parameter and execute arbitrary database queries remotely. Public exploit code is available for this vulnerability, which affects PHP-based deployments. The vulnerability enables unauthorized data access, modification, and potential denial of service with no patch currently available.
Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. [CVSS 7.5 HIGH]
PHP Local File Inclusion in G5Theme Handmade Framework versions up to 3.9 enables authenticated attackers to read arbitrary files on the server through improper validation of include/require statements. An attacker with valid credentials can exploit this vulnerability to access sensitive configuration files, source code, or other protected data without requiring user interaction. No patch is currently available for this vulnerability.
online-shopping-system-php 1.0 has SQL injection in review_action.php via the proId parameter. PoC available.
Cross-Site Scripting in phpgurukul Hostel Management System v2.1 user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the admin viewer (/admin/complaint-details.php?cid=<id>). [CVSS 8.7 HIGH]
Snuffleupagus PHP security module before 0.13.0 can be bypassed when upload validation uses VLD-based scripts without the VLD extension installed. This disables the upload security check entirely, allowing malicious PHP file uploads. PoC available, patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Sutana WP App Bar wp-app-bar allows Reflected XSS. This issue affects WP App Bar: from n/a through <= 1.5. [CVSS 7.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Hendon hendon allows PHP Local File Inclusion. This issue affects Hendon: from n/a through < 1.7. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion. This issue affects Curly: from n/a through < 3.3. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Optimize optimizewp allows PHP Local File Inclusion. This issue affects Optimize: from n/a through < 2.4. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion. This issue affects Wellspring: from n/a through < 2.8. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Corpkit corpkit allows PHP Local File Inclusion. This issue affects Corpkit: from n/a through <= 2.0. [CVSS 8.1 HIGH]
Neo Ocular WordPress theme (before 1.2) allows PHP Local File Inclusion through improper filename control in include/require statements.
LambertGroup Famous - Responsive Image And Video Grid Gallery WordPress Plugin famous_grid_image_and_video_gallery is affected by Cross-Site Scripting (XSS) (CVSS 6.1).
Missing Authorization vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25. [CVSS 8.1 HIGH]
WooCommerce Orders & Customers Exporter (through 5.4) has SQL injection enabling unauthenticated extraction of all order and customer data including payment details and personal information.
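The SQL injection entries on this page (the two gym management systems, Online Exam System, Online Music Site, Intern Membership Management System, jjjshop_food, pss.sale.com, Online Course Registration System, online-shopping-system-php, the MEMS CRM login, and the WooCommerce exporter above) share the same root cause: request parameters concatenated into query strings. The Gym Management System entry notes that authentication bypass follows when the login query itself is the one being injected. The block below is an added example, not code from any of those applications: it runs on the CLI against an in-memory SQLite database (pdo_sqlite extension assumed), with the table, rows and payload constructed here.

```php
<?php
// Added example, not code from any application listed above. Runs on the CLI
// against an in-memory SQLite database (needs the pdo_sqlite extension); the
// table, rows and payload are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
$ins->execute(['alice', password_hash('alice-pw', PASSWORD_DEFAULT), 'member']);

// VULNERABLE: the secure_login.php / login.php shape. Input is concatenated into
// the query and the credential decision is made by the SQL itself.
function login_vulnerable(PDO $db, string $user, string $pass): ?array
{
    $sql = "SELECT id, username, role FROM users WHERE username = '$user' AND password_hash = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// HARDENED: a placeholder keeps the input as data, and the password check is
// done in PHP against the stored hash, so the query can never "decide" a login.
function login_safe(PDO $db, string $user, string $pass): ?array
{
    $st = $db->prepare('SELECT id, username, role, password_hash FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Numeric id / cid / proId parameters need the same treatment. Binding as
// PDO::PARAM_INT after an int cast also neutralises payloads such as "2 OR 1=1",
// which would otherwise return every row.
function user_by_id(PDO $db, string $id): ?array
{
    $st = $db->prepare('SELECT id, username, role FROM users WHERE id = :id');
    $st->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $st->execute();
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Constructed authentication-bypass payload: the SQL comment marker removes the
// password clause, so what the column holds no longer matters.
$payload = "admin' -- ";
$show = fn (?array $r) => $r ? "{$r['username']} ({$r['role']})" : 'no login';

echo 'vulnerable, payload:   ', $show(login_vulnerable($db, $payload, 'x')), PHP_EOL;
echo 'hardened, payload:     ', $show(login_safe($db, $payload, 'x')), PHP_EOL;
echo 'hardened, real creds:  ', $show(login_safe($db, 'alice', 'alice-pw')), PHP_EOL;
echo 'by id "2 OR 1=1":      ', $show(user_by_id($db, '2 OR 1=1')), PHP_EOL;
```

The vulnerable function logs the attacker in as admin with any password; the hardened one refuses the payload, accepts real credentials, and the id lookup returns at most the single row whose id is 2. For the mysqli-based code most of these small PHP applications use, the equivalent is `$stmt = $conn->prepare(...); $stmt->bind_param('s', $user);`; escaping with mysqli_real_escape_string() is a weaker fallback that does nothing for numeric contexts and is easy to forget on one of seven parameters.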
Typify WordPress theme (through 3.0.2) allows PHP Local File Inclusion via improper filename control.
Mitech WordPress theme (through 2.3.4) allows PHP Local File Inclusion through improper filename control in include/require statements.
The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. [CVSS 5.4 MEDIUM]
E-xact Hosted Payment WordPress plugin (through 2.0) allows unauthenticated arbitrary file deletion. Attackers can delete wp-config.php to trigger the WordPress installer and take over the site.
Dreamer Blog WordPress theme (through 1.2) allows unauthenticated arbitrary plugin/theme installations due to a missing capability check. Attackers can install malicious plugins to achieve RCE.
Remote code execution in Emlog v2.6.1 and earlier allows authenticated attackers to upload arbitrary files through an insufficiently validated REST API endpoint (/index.php?rest-api=upload), enabling malicious PHP execution on the server. Attackers can exploit this by obtaining valid API credentials through administrator access or information disclosure flaws, then uploading executable scripts to achieve full system compromise. Public exploit code exists for this vulnerability, and affected administrators should apply available patches immediately.
WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. [CVSS 5.4 MEDIUM]
GYM-MANAGEMENT-SYSTEM 1.0 has multiple SQL injection vulnerabilities in search and payment endpoints (member_search, trainer_search, gym_search, payment_search). PoC available.
Gym Management System PHP 1.0 has multiple SQL injection vulnerabilities across three files (submit_contact.php, secure_login.php, change_s_pwd.php) through seven parameters. Authentication bypass and data extraction possible.
A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document. [CVSS 5.4 MEDIUM]
Kashipara Online Exam System V1.0 has SQL injection in profile.php through five POST parameters (rname, rcollage, rnumber, rgender, rpassword). PoC available.
Arbitrary file disclosure in osTicket 1.18.x before 1.18.3 and 1.17.x before 1.17.7 allows unauthenticated attackers to read sensitive server files by injecting malicious PHP filter expressions into ticket descriptions that are processed during PDF export. The vulnerability exploits insufficient sanitization in the mPDF library integration, enabling attackers to embed arbitrary file contents as images in generated PDFs when exporting tickets. Public exploit code exists and the issue affects default configurations where guest ticket creation is enabled.
Imaster's MEMS Events CRM contains an SQL injection vulnerability in ‘phone’ parameter in ‘/memsdemo/login.php’.
Imaster's MEMS Events CRM contains an SQL injection vulnerability in‘keyword’ parameter in ‘/memsdemo/exchange_offers.php’.
Imaster's Patient Records Management System is vulnerable to SQL Injection in the endpoint ‘/projects/hospital/admin/complaints.php’ through the ‘id’ parameter.
Imaster's Patient Record Management System contains a stored Cross-Site Scripting (XSS) vulnerability in the endpoint ‘/projects/hospital/admin/edit_patient.php’.
Quiz Maker WordPre versions up to 6.7.0.89 contains a vulnerability that allows attackers to high privilege users such as admin to perform Stored Cross-Site Scripting attack (CVSS 4.8).
SQL injection in Online Music Site 1.0's AdminUpdateUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable unauthorized data access, modification, or deletion with confidentiality, integrity, and availability impact.
SQL injection in code-projects Online Music Site 1.0 via the txtusername parameter in AdminAddUser.php enables unauthenticated remote attackers to manipulate database queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.
Intern Membership Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 4.7).
SQL injection in jjjfood and jjjshop_food PHP applications through the latitude parameter in /index.php/api/product.category/index allows authenticated attackers to execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite notification. Affected installations up to version 20260103 should implement immediate mitigation measures.
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. [CVSS 4.3 MEDIUM]
Shortcodes and extra features for Phlox theme (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The Countdown Timer - Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The User Registration & Membership - Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. [CVSS 5.4 MEDIUM]
Stored cross-site scripting (XSS) in HAX CMS versions 11.0.6 through 24.x allows authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially leading to account takeover. Public exploit code exists for this vulnerability affecting both PHP and Node.js deployments. Users should upgrade to version 25.0.0 or later to remediate the issue.
miniOrange OTP Verification and SMS Notification for WooCommerce (WordPress plugin) is affected by missing authorization (CVSS 5.3).
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. [CVSS 4.3 MEDIUM]
WooCommerce Square (WordPress plugin) versions up to 5.1.1 is affected by authorization bypass through user-controlled key (CVSS 7.5).
SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancel_order.php endpoint. [CVSS 6.5 MEDIUM]
GestSup before version 3.2.60 contains a pre-authentication stored XSS vulnerability in API error logging that allows unauthenticated attackers to inject malicious scripts into log files via crafted API requests. When administrators view these logs in the web interface, the injected scripts execute in their browser with administrative privileges due to insufficient output encoding. This impacts both GestSup and PHP-based installations, enabling attackers to compromise administrator accounts without prior authentication.
A vulnerability was found in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/editsite.php. [CVSS 4.7 MEDIUM]
AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget.
PHPGurukul Online Course Registration System through version 3.1 contains a SQL injection vulnerability in /enroll.php that allows authenticated attackers to manipulate multiple parameters (studentregno, Pincode, session, department, level, course, sem) to execute arbitrary database queries over the network. Public exploit code exists for this vulnerability, and no patch is currently available, creating risk for deployments handling course enrollment data.
WP Page Permalink Extension (WordPress plugin) versions up to 1.5.4. is affected by missing authorization (CVSS 6.5).
The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_name' parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aft_testimonial_meta_name' custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. [CVSS 6.4 MEDIUM]
The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `category` parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. [CVSS 5.3 MEDIUM]
The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
Frontend Admin by DynamiApps (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 7.2).
Frontend Admin by DynamiApps (through 3.28.25) also allows unauthenticated deletion of arbitrary posts, pages, products, taxonomy terms, and user accounts due to missing capability checks.
The Eventin - Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. [CVSS 7.2 HIGH]
The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible ...
eLearning and online course solution versions up to 3.9.2 are affected by missing authorization (CVSS 4.3).
eLearning and online course solution versions up to 3.9.3 are affected by missing authorization (CVSS 4.3).
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. [CVSS 4.3 MEDIUM]
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. [CVSS 7.2 HIGH]
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. [CVSS 6.5 MEDIUM]
The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. [CVSS 5.3 MEDIUM]
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. [CVSS 5.3 MEDIUM]
The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by...
The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. [CVSS 5.3 MEDIUM]
The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings, and can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting. [CVSS 6.8 MEDIUM]
The Clearfy Cache - WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. [CVSS 4.3 MEDIUM]
The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. [CVSS 5.3 MEDIUM]
SQL injection in PHPGurukul Online Course Registration System through 3.1 allows authenticated attackers to manipulate the id/cid parameters in the manage-students.php admin function, enabling unauthorized database access and potential data modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in the Intern Membership Management System 1.0 add_activity.php file allows authenticated administrators to manipulate the Title parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw enables an authenticated attacker with high privileges to compromise data confidentiality and integrity.
The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'user_connection_id' parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
SQL injection in the Intern Membership Management System 1.0 admin deletion function allows authenticated attackers with high privileges to manipulate the admin_id parameter and execute arbitrary database queries remotely. Public exploit code is available for this vulnerability, which affects PHP-based deployments. The vulnerability enables unauthorized data access, modification, and potential denial of service with no patch currently available.
Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. [CVSS 7.5 HIGH]
PHP Local File Inclusion in G5Theme Handmade Framework versions up to 3.9 enables authenticated attackers to read arbitrary files on the server through improper validation of include/require statements. An attacker with valid credentials can exploit this vulnerability to access sensitive configuration files, source code, or other protected data without requiring user interaction. No patch is currently available for this vulnerability.
online-shopping-system-php 1.0 has SQL injection in review_action.php via the proId parameter. PoC available.
Cross-Site Scripting in phpgurukul Hostel Management System v2.1 user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the admin viewer (/admin/complaint-details.php?cid=<id>). [CVSS 8.7 HIGH]
Snuffleupagus PHP security module before 0.13.0 can be bypassed when upload validation uses VLD-based scripts without the VLD extension installed. This disables the upload security check entirely, allowing malicious PHP file uploads. PoC available, patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Sutana WP App Bar wp-app-bar allows Reflected XSS. This issue affects WP App Bar: from n/a through <= 1.5. [CVSS 7.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Hendon hendon allows PHP Local File Inclusion. This issue affects Hendon: from n/a through < 1.7. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion. This issue affects Curly: from n/a through < 3.3. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Optimize optimizewp allows PHP Local File Inclusion. This issue affects Optimize: from n/a through < 2.4. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion. This issue affects Wellspring: from n/a through < 2.8. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Corpkit corpkit allows PHP Local File Inclusion. This issue affects Corpkit: from n/a through <= 2.0. [CVSS 8.1 HIGH]
Neo Ocular WordPress theme (before 1.2) allows PHP Local File Inclusion through improper filename control in include/require statements.
LambertGroup Famous - Responsive Image And Video Grid Gallery WordPress Plugin famous_grid_image_and_video_gallery is affected by cross-site scripting (XSS) (CVSS 6.1).
Missing Authorization vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25. [CVSS 8.1 HIGH]
WooCommerce Orders & Customers Exporter (through 5.4) has SQL injection enabling unauthenticated extraction of all order and customer data including payment details and personal information.
Typify WordPress theme (through 3.0.2) allows PHP Local File Inclusion via improper filename control.
Mitech WordPress theme (through 2.3.4) allows PHP Local File Inclusion through improper filename control in include/require statements.