PHP
Monthly
OWASP Core Rule Set (CRS) versions prior to 3.3.9 and 4.25.0 allow bypass of file upload restrictions through whitespace-padded filenames, enabling upload of dangerous executable file extensions (.php, .phar, .jsp, .jspx) that should be blocked. Remote attackers can exploit this vulnerability to upload malicious files with high confidence due to the simple nature of the bypass technique (inserting spaces before the file extension), potentially leading to remote code execution depending on web application firewall configuration and application behavior.
SQL injection in itsourcecode Online Enrollment System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the deptid parameter in /enrollment/index.php?view=edit&id=3, potentially enabling unauthorized data access, modification, or deletion. Publicly available exploit code exists, increasing real-world exploitation risk despite the moderate CVSS score of 6.9. The vulnerability affects the Parameter Handler component's SQL query construction logic.
Remote command injection in DefaultFuction Content-Management-System 1.0 allows unauthenticated attackers to execute arbitrary OS commands via the host parameter in /admin/tools.php. The flaw has a publicly available exploit (POC published on GitHub) and is exploitable over the network with low attack complexity. EPSS data not available, not listed in CISA KEV. CVSS 7.3 reflects network-accessible, unauthenticated command injection with potential for confidentiality, integrity, and availability compromise.
Stored cross-site scripting (XSS) in Xiaopi Panel 1.0.0 via the param argument in /demo.php allows authenticated remote attackers to inject malicious scripts that execute in users' browsers. The vulnerability affects the WAF Firewall component, has publicly available exploit code, and carries a low CVSS score (3.5) due to requirement for user interaction and limited impact scope, though the vendor has not responded to disclosure.
Path traversal in OpenCart 4.1.0.3 Extension Installer Page allows high-privileged remote attackers to manipulate the installer.php file and traverse the filesystem, potentially accessing or modifying sensitive files outside the intended directory. The vulnerability has publicly available exploit code and affects the extension installation mechanism; vendor has not responded to early disclosure attempts, leaving installations unpatched.
Improper access controls in SourceCodester Best Courier Management System 1.0 allow unauthenticated remote attackers to delete users by manipulating the ID parameter in the /ajax.php?action=delete_user endpoint, bypassing authentication requirements. The vulnerability has publicly available exploit code and impacts all versions of the affected software with a CVSS 6.9 score reflecting moderate integrity impact through an easily exploitable network vector.
Remote authentication bypass in SourceCodester Leave Application System 1.0 allows unauthenticated attackers to access user information via insecure direct object reference (IDOR) in the /index.php?page=manage_user endpoint by manipulating the ID parameter. The vulnerability has a publicly available exploit and CVSS 5.3 (low-moderate confidentiality impact), though actual risk depends on the sensitivity of exposed user data and system context.
Stored cross-site scripting (XSS) in SourceCodester Simple Customer Relationship Management System 1.0 allows authenticated remote attackers to inject malicious scripts via the Description parameter in the /create-ticket.php Create Ticket component. The vulnerability requires user interaction (UI:R) to trigger payload execution and has limited impact (integrity only, no confidentiality or availability loss), but publicly available exploit code exists and the issue has been publicly disclosed.
Remote code execution in Spam Protect for Contact Form 7 WordPress plugin before version 1.2.10 allows authenticated users with editor-level privileges to achieve arbitrary code execution by crafting malicious headers that are logged to a PHP file. The vulnerability is publicly exploitable with proof-of-concept code available, making it a critical risk for WordPress installations using affected plugin versions.
Arbitrary file movement in MW WP Form plugin for WordPress (all versions ≤5.1.0) allows unauthenticated remote attackers to relocate server files and achieve remote code execution by moving critical files like wp-config.php. Exploitation requires a form with file upload capability and database inquiry storage enabled. CVSS 8.1 with network attack vector and high attack complexity. EPSS data not provided; no public exploit or CISA KEV status identified at time of analysis, though Wordfence threat intelligence has documented the vulnerability with source code references.
Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System up to version 1.0 allows remote attackers to inject malicious scripts via the 'page' parameter in /navbar.php. The vulnerability requires user interaction (UI:R per CVSS vector) but carries a low CVSS score of 4.3 due to limited confidentiality impact. Publicly available exploit code exists, increasing real-world risk despite the moderate base score.
User enumeration in osTicket v1.18.2's password reset endpoint (/pwreset.php) enables remote attackers to discover valid usernames through response analysis, facilitating targeted account compromise attempts. No CVSS score, CISA KEV status, or confirmed patch information is available; exploitation likelihood depends on whether timing or behavioral differences between valid and invalid usernames can be reliably detected without authentication.
Reflected XSS in Interzen Consulting ZenShare Suite v17.0 login_newpwd.php endpoint allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers by injecting malicious code into the codice_azienda parameter via a crafted URL. No public exploit code or active exploitation has been confirmed at the time of this analysis, though the vulnerability is straightforward to demonstrate and likely poses a practical risk to organizations using this product.
Reflected cross-site scripting (XSS) vulnerabilities in Interzen Consulting ZenShare Suite v17.0 login.php endpoint allow remote unauthenticated attackers to execute arbitrary JavaScript in a user's browser by injecting malicious payloads into the codice_azienda and red_url parameters. Attack requires user interaction (clicking a crafted link) and affects the authentication process; no public exploit code or active exploitation has been confirmed at time of analysis.
Stored XSS via HTML entity-encoded javascript: URLs in SVG files in phpMyFAQ enables privilege escalation from editor to admin. The regex-based sanitizer in SvgSanitizer.php fails to detect entity-encoded payloads like javascript: (javascript:), allowing any user with edit_faq permission to upload malicious SVGs that execute arbitrary JavaScript in admin browsers. Publicly available proof-of-concept demonstrates both basic XSS and complete admin account creation, with confirmed working exploitation in Chrome 146 and Edge.
Information disclosure in phpMyFAQ allows unauthenticated attackers to enumerate custom page content by injecting SQL LIKE wildcards (`%` and `_`) into the search term, bypassing intended search filters. The `searchCustomPages()` method in `Search.php` uses `real_escape_string()` which does not escape LIKE metacharacters, enabling an attacker to craft queries like `_%_` that match all records regardless of intended search scope. This vulnerability has no authentication requirement and affects the publicly accessible search functionality.
Path traversal in Ferret's IO::FS::WRITE and IO::FS::READ functions enables remote code execution when web scraping operators process attacker-controlled filenames. The vulnerability affects github.com/MontFerret/ferret (all v2.x and earlier versions), allowing malicious websites to write arbitrary files outside intended directories by injecting '../' sequences into filenames returned via scraped content. Attackers can achieve RCE by writing to /etc/cron.d/, ~/.ssh/authorized_keys, shell profile
Stored cross-site scripting (XSS) in phpMyFAQ allows authenticated administrators to inject unquoted or single-quoted event handler attributes that bypass the content sanitization pipeline, resulting in arbitrary JavaScript execution for all FAQ page visitors. The vulnerability exists in the removeAttributes() regex filter (line 174 of Filter.php) which only matches double-quoted HTML attributes, allowing payloads like <img src=x onerror=alert(1)> to persist and execute in the browser when the F
Path traversal and CSRF vulnerability in phpMyFAQ's MediaBrowserController enables remote deletion of critical server files. Authenticated admin accounts can be exploited via CSRF to delete arbitrary files including database configurations, .htaccess files, and application code. GitHub advisory confirms the vulnerability with POC demonstration. Attack requires low-privilege authentication (PR:L) but succeeds with minimal user interaction (UI:R), achieving high integrity and availability impact w
Remote code execution in OpenSTAManager v2.10.1 and earlier allows authenticated attackers to achieve unauthenticated RCE via chained exploitation of arbitrary SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. The unauthenticated oauth2.php file calls unserialize() on attacker-controlled database content without class restrictions, enabling gadget chain exploitation (Laravel/RCE22) to execute arbitrary system commands as www-data. Attack requires in
Time-based blind SQL injection in OpenSTAManager ≤2.10.1 allows authenticated users to extract complete database contents including credentials, financial records, and PII through multiple AJAX select handlers. The vulnerability affects three core modules (preventivi, ordini, contratti) where the `options[stato]` GET parameter is concatenated directly into SQL WHERE clauses without validation. Exploitation requires only low-privilege authentication (CVSS PR:L) and has been confirmed with working
Insufficient entropy in cookie encryption within Auth0 PHP SDK versions 8.0.0 through 8.18.x enables brute-force attacks against session cookie encryption keys, potentially allowing authenticated threat actors with network access to forge arbitrary session cookies and bypass authentication controls. Vendor-released patch available in version 8.19.0. No public exploit identified at time of analysis, though CVSS score of 8.2 reflects high severity due to potential for complete authentication bypass with cross-scope impact.
MetInfo CMS 7.9, 8.0, and 8.1 allows unauthenticated remote code execution through PHP code injection in insufficient input validation mechanisms. Attackers can send crafted requests containing malicious PHP code to execute arbitrary commands and achieve full server compromise without authentication. Publicly available exploit code exists for this vulnerability.
SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to manipulate the userid parameter in /delstaffinfo.php, enabling arbitrary SQL query execution with limited data confidentiality and integrity impact. Public exploit code is available, increasing real-world risk despite the moderate CVSS score of 6.9.
SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to manipulate the firstName parameter in /modify.php, enabling arbitrary database queries and potential data exfiltration or modification. The vulnerability affects the Parameter Handler component through CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). Publicly available exploit code exists, and the CVSS 6.9 score reflects moderate impact with low attack complexity and no authentication requirement.
Reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the userid parameter in /delstaffinfo.php, with public exploit code available. The vulnerability requires user interaction (clicking a crafted link) and has low confidentiality impact but can enable session hijacking, credential theft, or malware distribution.
Authenticated remote code execution via mass assignment in GougoCMS 4.08.18 User Registration Handler allows attackers with valid credentials to manipulate the 'level' parameter during registration, exploiting dynamically-determined object attributes to escalate privileges or modify sensitive user properties. The vulnerability affects the reg_submit function in Login.php and has publicly available exploit code; however, the vendor has not responded to early disclosure notification.
Stored cross-site scripting (XSS) in code-projects BloodBank Managing System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the statename parameter in /admin_state.php, affecting user sessions and administrative functions with user interaction required. The vulnerability carries a CVSS score of 5.3 (medium severity) with low integrity impact, and publicly available exploit code exists according to disclosed documentation.
SQL injection in itsourcecode Payroll Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via manipulation of the ID parameter in /view_employee.php. The vulnerability has a CVSS score of 6.9 and publicly available exploit code exists, enabling potential data extraction, modification, or authentication bypass without requiring user interaction.
SQL injection in Booking for Appointments and Events Calendar - Amelia WordPress plugin (versions up to 2.1.2) allows authenticated Manager-level users to extract sensitive database information via the `sort` parameter in the payments listing endpoint. The vulnerability exists because the sort field is interpolated directly into an ORDER BY clause without sanitization, bypassing PDO prepared statement protections which do not cover column names. GET requests also bypass Amelia's nonce validation, enabling time-based blind SQL injection attacks by authenticated users with Manager access or higher.
Pharmacy Product Management System 1.0 accepts negative price and total cost values in sales transactions due to insufficient input validation in add-sales.php, enabling attackers to manipulate financial records, corrupt sales reports, and cause financial loss. The vulnerability allows unauthenticated or low-privilege users to submit arbitrary negative values that bypass business logic controls. Publicly available exploit code exists demonstrating this business logic flaw.
SQL injection in itsourcecode Payroll Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /manage_user.php, enabling arbitrary SQL query execution with confidentiality and integrity impact. The vulnerability has a publicly available exploit, making it immediately actionable for threat actors despite the moderate CVSS score.
Stored cross-site scripting (XSS) in phpMyFAQ 4.2.0-alpha allows unauthenticated attackers to inject malicious JavaScript via RFC 5321-compliant quoted email addresses in guest FAQ submissions. The injected payload is stored without sanitization and rendered using Twig's |raw filter in the admin FAQ editor, executing in administrator browsers and enabling session hijacking, admin account takeover, and arbitrary site manipulation. A publicly available proof-of-concept demonstrates successful JavaScript execution when administrators review pending FAQs.
FreeScout prior to version 1.8.211 fails to validate Server-Side Request Forgery (SSRF) protections due to a flawed IP range check in checkIpByMask() that only accepts CIDR notation and rejects plain IP addresses, leaving the entire 10.0.0.0/8 and 172.16.0.0/12 private IP ranges unprotected from SSRF attacks. Remote attackers can exploit this logic error to access internal services and resources on private networks that the application can reach, potentially escalating to information disclosure or further lateral movement. The vulnerability is confirmed patched in version 1.8.211.
Stored cross-site scripting (XSS) via unencoded HTML reflection in WWBN AVideo's User_Location plugin testIP.php endpoint allows authenticated attackers to execute arbitrary JavaScript in admin sessions. Affecting AVideo 26.0 and earlier, the vulnerability exploits SameSite=None cookie configuration to enable cross-origin exploitation, permitting unauthenticated attackers to lure admins to malicious links that hijack their authenticated context. No public exploit code or vendor patch has been released at time of analysis.
Authenticated users in WWBN AVideo 26.0 and prior can cancel arbitrary Stripe subscriptions through an exposed test.php debug endpoint in the StripeYPT plugin, exploiting a logic error in the retrieveSubscriptions() method that performs cancellation instead of retrieval. The vulnerability requires valid login credentials but allows any authenticated user-not just administrators-to trigger subscription cancellations, causing integrity violations to payment operations. No public exploit code or active exploitation has been reported at time of analysis, and vendor patches are not yet available.
Unauthenticated remote attackers can bypass CLI-only access controls in WWBN AVideo versions 26.0 and prior via a PHP operator precedence bug in install/deleteSystemdPrivate.php, allowing HTTP access to delete server temp directory files and disclose their contents without authentication. The vulnerability stems from a logic error where !php_sapi_name() === 'cli' evaluates incorrectly due to operator binding precedence, causing the access guard to fail entirely. No public exploit code or active exploitation has been reported at the time of this analysis.
WWBN AVideo 26.0 and prior exposes sensitive user data through 21 unauthenticated API endpoints via the CreatePlugin template generator. The list.json.php template lacks authentication checks present in its companion add.json.php and delete.json.php templates, allowing remote attackers to enumerate and retrieve user PII, payment logs, IP addresses, user agents, and internal system records without authentication. No vendor patch exists at time of analysis.
Unauthenticated attackers can remotely terminate any active live stream in WWBN AVideo 26.0 and prior by sending crafted POST requests to the on_publish_done.php endpoint in the Live plugin. The vulnerability combines two weaknesses: an unauthenticated stats.json.php endpoint that exposes active stream keys, and the on_publish_done.php RTMP callback handler that processes stream termination requests without authentication or authorization checks. This enables complete denial-of-service against all platform live streaming functionality. CVSS 7.5 (High) with network attack vector, low complexity, and no privileges required. No vendor-released patch identified at time of analysis; EPSS data not available.
CSRF vulnerability in WWBN AVideo 26.0 and prior allows unauthenticated attackers to disable critical security plugins on admin accounts via malicious web pages, exploiting missing CSRF token validation combined with SameSite=None session cookies and ORM-level security bypass. An attacker can trick an authenticated administrator into visiting a crafted webpage that silently disables plugins such as LoginControl (2FA), subscription enforcement, or access control mechanisms, compromising the platform's security posture without the admin's knowledge or consent.
CSRF vulnerability in WWBN AVideo 26.0 and prior allows unauthenticated attackers to send arbitrary HTML emails to all platform users by luring administrators to a malicious webpage. The vulnerability exploits absent CSRF token validation on the emailAllUsers.json.php endpoint combined with SameSite=None session cookie configuration, enabling cross-origin POST requests to execute with the admin's session credentials. An attacker can impersonate the platform's legitimate SMTP sender to distribute phishing emails, spam, or malware links to the entire user base without any authentication requirement beyond initial admin compromise via social engineering.
Stored cross-site scripting (XSS) in WWBN AVideo 26.0 and prior allows unauthenticated attackers to inject malicious JavaScript into plugin configuration values via CSRF, or authenticated admins to directly inject code that executes in administrator browsers when accessing plugin configuration pages. The vulnerability exploits missing output encoding in the jsonToFormElements() function, enabling arbitrary JavaScript execution within the admin panel with impact to confidentiality and integrity.
Cross-site request forgery in WWBN AVideo 26.0 and earlier enables remote attackers to reconfigure critical plugin settings through forged requests targeting admin/save.json.php. The endpoint lacks CSRF token validation while the application sets SameSite=None cookies, allowing attackers to manipulate payment processors, authentication providers, and cloud storage credentials by tricking authenticated administrators into visiting malicious pages. No vendor-released patch identified at time of analysis. EPSS data unavailable; not listed in CISA KEV; no public exploit identified at time of analysis, though exploitation requires only standard CSRF techniques.
Information disclosure in WWBN AVideo versions 26.0 and prior allows authenticated users to enumerate and dump the complete user database including personal information and wallet balances via the /plugin/YPTWallet/view/users.json.php endpoint. The vulnerability stems from inadequate authorization checks that verify user login status but fail to enforce administrator-only access, enabling any registered account holder to retrieve sensitive data belonging to all platform users. No public exploit code or active exploitation has been confirmed at time of analysis, and vendor patches are not yet available.
Admidio prior to version 5.0.8 allows attackers with pending registration status to bypass CSRF protections and trick administrators with approval rights into automatically approving registrations via malicious URLs, enabling unauthorized account activation without manual review. The vulnerability affects the create_user, assign_member, and assign_user action modes in modules/registration.php, which process GET requests without token validation unlike the delete_user mode in the same file. An attacker extracts their user UUID from a registration confirmation email, crafts a URL targeting administrators, and gains illicit account approval through social engineering rather than technical compromise.
Admidio 5.0.0 through 5.0.7 allows authenticated users to permanently delete list configurations via CSRF attacks in the mylist_function.php delete handler, lacking CSRF token validation. An attacker can craft a malicious page to silently destroy a victim's shared list configurations, including organization-wide lists if the victim holds administrator rights. No public exploit code has been identified at time of analysis. Vendor-released patch: version 5.0.8.
Path traversal in CMS Made Simple UserGuide Module XML Import functionality allows authenticated high-privilege attackers to manipulate file operations in the _copyFilesToFolder function, enabling arbitrary file placement on the server with limited confidentiality and integrity impact. The vulnerability affects CMS Made Simple up to version 2.2.22, requires high-level privileges to exploit remotely, and vendor has confirmed a fix for a future release; publicly available exploit code exists but real-world risk remains moderate due to privilege requirements.
SQL injection in code-projects Student Membership System 1.0 admin login allows unauthenticated remote attackers to bypass authentication and access sensitive data via crafted username/password parameters at /admin/index.php. Publicly available exploit code exists (VulDB 354296, GitHub POC), enabling trivial exploitation with no attack complexity. CVSS 7.3 reflects network-accessible attack with low confidentiality/integrity/availability impact. No vendor-released patch identified at time of analysis.
SQL injection in code-projects Student Membership System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /delete_user.php, enabling unauthorized data exfiltration or manipulation. The vulnerability has CVSS score 5.3 (medium severity) with publicly available exploit code, though it requires authenticated access (PR:L) and carries low confidentiality, integrity, and availability impact per CVSS v4.0 assessment.
SQL injection in code-projects Student Membership System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in /delete_member.php, resulting in limited confidentiality and integrity impact. Publicly available exploit code exists, and the vulnerability has been disclosed; however, active exploitation has not been confirmed by CISA. The attack requires valid authentication credentials but can be initiated over the network with minimal complexity.
Stored cross-site scripting in Teampass password manager versions before 3.1.5.16 enables unauthenticated remote attackers to inject malicious JavaScript through the password import functionality, achieving persistent code execution in victims' browsers including administrators. CVSS 9.3 (Critical) with EPSS data unavailable, no KEV listing, and patch available per vendor advisory. Attack requires no authentication (PR:N) and low complexity (AC:L), creating significant risk for organizational password compromise and lateral movement.
Reflected Cross-Site Scripting (XSS) in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL targeting the 'host' parameter of the /diagdns.php endpoint. An attacker can exploit this to steal session cookies, perform unauthorized actions, or redirect users to malicious content. No public exploit code or active exploitation has been confirmed at time of analysis.
Reflected XSS in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL targeting the 'host' parameter in /diagconnect.php, potentially enabling session hijacking or unauthorized user actions. The vulnerability requires user interaction (clicking a malicious link) and has a CVSS score of 5.1 (medium severity). No public exploit code or active exploitation has been confirmed at the time of analysis.
Blind Cross-Site Scripting in Teampass password manager versions prior to 3.1.5.16 allows unauthenticated remote attackers to execute arbitrary JavaScript in administrator browsers via malicious username input during failed login attempts. The vulnerability achieves high confidentiality and integrity impact (CVSS 9.3) because malicious code is stored and automatically executed when administrators review failed authentication logs, enabling potential session hijacking, credential theft, or administrative account compromise. No active exploitation confirmed via CISA KEV, though the attack requires no authentication and minimal complexity.
Reflected Cross-Site Scripting (XSS) in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious URLs targeting the 'port' and 'proxyPort' parameters in the /anon.php endpoint. Successful exploitation enables theft of session cookies and unauthorized actions on behalf of the victim. No public exploit code or active exploitation has been confirmed at time of analysis.
Unrestricted file upload in SourceCodester Simple Doctors Appointment System up to version 1.0 allows authenticated remote attackers to upload arbitrary files via the img parameter in /doctors_appointment/admin/ajax.php?action=save_category, potentially leading to remote code execution. The vulnerability has publicly available exploit code and carries a CVSS score of 5.3 with limited impact scope, though it requires valid login credentials to exploit.
Unauthenticated attackers can directly access view PHP files in the Truebooker WordPress plugin (versions up to 1.1.4) to disclose sensitive information, such as user data or system configuration details exposed in those templates. The vulnerability requires only network access and no authentication, making it trivially exploitable via simple HTTP requests to exposed PHP files. No public exploit code or active exploitation has been confirmed at this time.
SQL injection in SourceCodester Simple Doctors Appointment System 1.0 allows unauthenticated remote attackers to compromise confidentiality, integrity, and availability via the /admin/ajax.php login endpoint. Attackers manipulate the 'email' parameter to execute arbitrary SQL commands. Publicly available exploit code exists (GitHub POC published), significantly lowering the attack barrier. The CVSS score of 7.3 reflects network-based exploitation requiring low complexity and no privileges, with partial impact across all CIA triad elements. No CISA KEV listing at time of analysis, but the combination of public exploit and authentication bypass capability makes this a realistic threat to internet-facing instances.
SQL injection in SourceCodester Simple Doctors Appointment System 1.0 allows remote unauthenticated attackers to extract, modify, or delete database contents via the Username parameter in /admin/login.php. Publicly available exploit code exists (GitHub POC), enabling trivial exploitation with no authentication required. CVSS 7.3 reflects low attack complexity and network accessibility. EPSS data unavailable, but public POC significantly elevates real-world risk for internet-facing installations.
Remote code execution in Everest Forms Pro plugin for WordPress ≤1.9.12 allows unauthenticated attackers to execute arbitrary PHP code on the server via the Complex Calculation feature. Attackers can inject malicious PHP through any string-type form field (text, email, URL, select, radio) due to unsafe concatenation into eval() without proper escaping. This vulnerability carries a 9.8 CVSS score with maximum impact (confidentiality, integrity, availability) and requires no authentication or user interaction, representing a critical immediate threat to all installations using the affected plugin versions.
Sensitive system configuration data exposure in Gravity SMTP for WordPress (all versions ≤2.1.4) allows unauthenticated remote attackers to retrieve comprehensive server information via an unsecured REST API endpoint. The /wp-json/gravitysmtp/v1/tests/mock-data endpoint lacks authentication controls, exposing ~365 KB of JSON containing PHP version, database credentials structure, WordPress configuration, plugin/theme inventories, and configured API keys/tokens. EPSS data not provided; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack vector is trivial (CVSS AV:N/AC:L/PR:N).
Authenticated path traversal in baserCMS theme file management API (versions prior to 5.2.3) enables arbitrary file write, allowing administrators to create malicious PHP files outside the theme directory and achieve remote code execution. The vulnerability (CWE-22) requires high privileges (PR:H) but has low attack complexity (AC:L) with network access (AV:N). CVSS score of 7.2 reflects the significant impact when administrator credentials are compromised. No public exploit code or CISA KEV listing identified at time of analysis, though the technical details in the advisory provide sufficient information for weaponization.
Arbitrary code execution in baserCMS versions before 5.2.3 allows authenticated administrators to achieve remote code execution via malicious PHP files embedded in backup restore archives. The vulnerability exploits unsafe file inclusion during ZIP extraction in the restore function, where uploaded PHP files are executed via require_once without filename validation. No public exploit identified at time of analysis, though EPSS score of 0.00043 (0.043%) and CVSS 8.7 indicate moderate theoretical risk mitigated by high privilege requirements (PR:H).
Blind SQL injection in SourceCodester Loan Management System v1.0 allows authenticated attackers to inject malicious SQL commands via the borrower_id parameter in the ajax.php save_loan action. The vulnerability requires valid authentication to exploit and publicly available proof-of-concept code exists, making this a moderate-risk issue for organizations using this open-source application despite the lack of CVSS scoring.
Reflected cross-site scripting (XSS) in code-projects Online Food Ordering System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the cust_id parameter in /form/order.php, exploitable through user interaction (UI required). Publicly available exploit code exists; the vulnerability carries CVSS 4.3 (low severity) but poses reputational and user session hijacking risks typical of XSS attacks in e-commerce contexts.
Remote code execution in Contact Form by Supsystic plugin for WordPress (all versions ≤1.7.36) allows unauthenticated attackers to execute arbitrary PHP functions and OS commands via Server-Side Template Injection. Attackers exploit the plugin's unsandboxed Twig template engine by injecting malicious Twig expressions through GET parameters in the cfsPreFill functionality, leveraging registerUndefinedFilterCallback() to register arbitrary PHP callbacks. CVSS 9.8 (Critical) with network-accessible, low-complexity attack vector requiring no authentication. EPSS data not provided, but the combination of unauthenticated RCE in a widely-deployed WordPress plugin represents severe real-world risk. No KEV status confirmed at time of analysis.
Remote SQL injection in code-projects Accounting System 1.0 allows unauthenticated attackers to execute arbitrary SQL queries via the cos_id parameter in the /viewin_costumer.php file. The vulnerability has a CVSS score of 6.9 with a public exploit available, enabling attackers to read sensitive data from the database with minimal attack complexity. This is a network-accessible PHP application flaw affecting confidentiality with confirmed public disclosure.
Stored DOM-based cross-site scripting (XSS) in CI4 CMS-ERP Mail Settings allows authenticated administrators to inject arbitrary JavaScript via unsanitized configuration fields (Mail Server, Port, Email Address, Password, Protocol, TLS settings), with payloads executing immediately on the same settings page upon save. Attack requires high-privilege access (PR:H) but enables full account takeover and platform compromise. Publicly available proof-of-concept video demonstrates attribute breakout technique.
Reflected cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the 'msg' parameter in index.php. Publicly available proof-of-concept code exists, enabling attackers to craft malicious URLs that execute scripts in victim browsers when clicked. No CVSS vector or patch information is available; the vulnerability appears limited in scope to a single PHP parameter.
HeidiSQL 9.5.0.5196 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long file path in the logging preferences. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Reflected cross-site scripting (XSS) in code-projects Exam Form Submission 1.0 allows authenticated remote attackers to inject malicious scripts via the sname parameter in /admin/update_fst.php, affecting user sessions with administrator privileges. The vulnerability requires user interaction (UI:R) and carries a low CVSS score of 2.4 due to the requirement for prior administrative authentication (PR:H), but publicly available exploit code exists and may be actively used. The attack vector is network-based (AV:N) with low complexity (AC:L), creating an insider threat scenario where compromised or malicious administrators can deface content or steal session tokens of other administrators.
Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary web script or HTML via the unvalidated 'msg' parameter in add_stock.php. The vulnerability is publicly demonstrated with available proof-of-concept code, enabling attackers to execute malicious scripts in users' browsers without requiring authentication or special privileges.
Invoice Ninja versions 5.12.46 and 5.12.48 contain a Server-Side Request Forgery (SSRF) vulnerability in the CheckDatabaseRequest.php component that allows remote attackers to perform unauthorized requests to internal or external systems. The vulnerability affects the setup and database configuration functionality, potentially enabling attackers to access internal services, probe private networks, or interact with restricted resources from the server's perspective.
Reflected XSS in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'msg' parameter in add_purchase.php, enabling session hijacking, credential theft, or malware distribution via crafted URLs. The vulnerability has publicly available exploit code but lacks CVSS scoring and is not confirmed as actively exploited.
Reflected XSS in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the msg parameter in add_supplier.php, enabling session hijacking, credential theft, or malware distribution without authentication. The vulnerability has publicly available proof-of-concept code demonstrating the attack vector.
Reflected XSS in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the msg parameter in add_sales.php, enabling session hijacking, credential theft, or malware distribution via crafted URLs. Publicly available exploit code exists.
Reflected cross-site scripting in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'msg' parameter in add_customer.php, enabling session hijacking, credential theft, or malware distribution via crafted URLs. Publicly available exploit code exists demonstrating the vulnerability.
Reflected cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'msg' parameter in add_category.php, enabling session hijacking, credential theft, or malware distribution via malicious URLs. Publicly available exploit code exists, increasing real-world attack likelihood despite the absence of formal CVSS scoring or CVE severity data.
Reflected cross-site scripting in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML via the unvalidated "limit" parameter in view_customers.php, affecting unauthenticated users who click malicious links. Publicly available exploit code exists demonstrating the vulnerability, though no CVSS score is available to quantify severity.
Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the 'limit' parameter in view_supplier.php due to insufficient input sanitization. The vulnerability is accessible without authentication via crafted URLs, and publicly available exploit code exists demonstrating the attack vector.
Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary web scripts or HTML through the 'limit' parameter in view_payments.php due to insufficient input sanitization. Publicly available exploit code exists, enabling attackers to craft malicious URLs that execute JavaScript in victims' browsers when visited, potentially leading to session hijacking, credential theft, or defacement.
Stored cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows authenticated attackers to inject malicious scripts via the unvalidated website parameter in update_details.php, which are persisted in the database and executed whenever the store details page is accessed by any user. Publicly available exploit code exists, though the vulnerability requires prior authentication and affects primarily self-hosted instances of this open-source inventory management application.
Command injection in code-projects Chamber of Commerce Membership Management System 1.0 allows authenticated remote attackers with high privileges to execute arbitrary commands via manipulation of the mailSubject and mailMessage parameters in the admin/pageMail.php file. The vulnerability has a publicly available exploit and a moderate CVSS score of 4.7, but real-world risk is constrained by the requirement for high-privilege authenticated access.
SQL injection in code-projects Accounting System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the en_id parameter in /view_work.php, potentially leading to unauthorized data access, modification, or deletion. Public exploit code is available, increasing practical exploitation risk despite the moderate CVSS score of 6.9.
SQL injection in code-projects Accounting System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the cos_id parameter in /edit_costumer.php. The vulnerability has a CVSS 4.0 score of 6.9 with low impact to confidentiality, integrity, and availability. Publicly available exploit code exists, elevating real-world risk despite moderate CVSS severity.
SQL injection in code-projects Accounting System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the cos_id parameter in /view_costumer.php. Publicly available exploit code exists (GitHub POC published), enabling trivial exploitation with no authentication required. CVSS 7.3 reflects high exploitability (AV:N/AC:L/PR:N) with partial impact across confidentiality, integrity, and availability. No vendor-released patch identified at time of analysis.
SQL injection in code-projects Simple Food Order System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Status parameter in all-orders.php. The vulnerability has a publicly available exploit and requires no authentication or user interaction (CVSS 7.3, AV:N/AC:L/PR:N). No vendor-released patch identified at time of analysis, representing elevated risk for installations of this PHP-based food ordering application.
SQL injection in code-projects Simple Food Order System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'Name' parameter in register-router.php. The vulnerability permits unauthorized database access with confirmed publicly available exploit code (EPSS and CVSS both indicate medium-severity risk). Attack complexity is low with no user interaction required, enabling automated exploitation. No vendor-released patch identified at time of analysis, and exploitation requires no authentication (CVSS PR:N).
SQL injection in Simple Food Order System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Status parameter in /all-tickets.php. The vulnerability is trivially exploitable with low attack complexity and requires no user interaction. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no active exploitation has been confirmed by CISA KEV at time of analysis.
Ninja Forms plugin for WordPress versions up to 3.14.1 exposes authorization tokens via an insecure callback function in blocks/bootstrap.php, allowing authenticated Contributor-level users and above to access form submission data from arbitrary forms without proper authorization. The vulnerability enables sensitive information disclosure affecting all WordPress installations using the affected plugin versions, with no active exploitation confirmed at time of analysis.
OWASP Core Rule Set (CRS) versions prior to 3.3.9 and 4.25.0 allow bypass of file upload restrictions through whitespace-padded filenames, enabling upload of dangerous executable file extensions (.php, .phar, .jsp, .jspx) that should be blocked. Remote attackers can exploit this vulnerability to upload malicious files with high confidence due to the simple nature of the bypass technique (inserting spaces before the file extension), potentially leading to remote code execution depending on web application firewall configuration and application behavior.
SQL injection in itsourcecode Online Enrollment System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the deptid parameter in /enrollment/index.php?view=edit&id=3, potentially enabling unauthorized data access, modification, or deletion. Publicly available exploit code exists, increasing real-world exploitation risk despite the moderate CVSS score of 6.9. The vulnerability affects the Parameter Handler component's SQL query construction logic.
Remote command injection in DefaultFuction Content-Management-System 1.0 allows unauthenticated attackers to execute arbitrary OS commands via the host parameter in /admin/tools.php. The flaw has a publicly available exploit (POC published on GitHub) and is exploitable over the network with low attack complexity. EPSS data not available, not listed in CISA KEV. CVSS 7.3 reflects network-accessible, unauthenticated command injection with potential for confidentiality, integrity, and availability compromise.
Stored cross-site scripting (XSS) in Xiaopi Panel 1.0.0 via the param argument in /demo.php allows authenticated remote attackers to inject malicious scripts that execute in users' browsers. The vulnerability affects the WAF Firewall component, has publicly available exploit code, and carries a low CVSS score (3.5) due to requirement for user interaction and limited impact scope, though the vendor has not responded to disclosure.
Path traversal in OpenCart 4.1.0.3 Extension Installer Page allows high-privileged remote attackers to manipulate the installer.php file and traverse the filesystem, potentially accessing or modifying sensitive files outside the intended directory. The vulnerability has publicly available exploit code and affects the extension installation mechanism; vendor has not responded to early disclosure attempts, leaving installations unpatched.
Improper access controls in SourceCodester Best Courier Management System 1.0 allow unauthenticated remote attackers to delete users by manipulating the ID parameter in the /ajax.php?action=delete_user endpoint, bypassing authentication requirements. The vulnerability has publicly available exploit code and impacts all versions of the affected software with a CVSS 6.9 score reflecting moderate integrity impact through an easily exploitable network vector.
Remote authentication bypass in SourceCodester Leave Application System 1.0 allows unauthenticated attackers to access user information via insecure direct object reference (IDOR) in the /index.php?page=manage_user endpoint by manipulating the ID parameter. The vulnerability has a publicly available exploit and CVSS 5.3 (low-moderate confidentiality impact), though actual risk depends on the sensitivity of exposed user data and system context.
Stored cross-site scripting (XSS) in SourceCodester Simple Customer Relationship Management System 1.0 allows authenticated remote attackers to inject malicious scripts via the Description parameter in the /create-ticket.php Create Ticket component. The vulnerability requires user interaction (UI:R) to trigger payload execution and has limited impact (integrity only, no confidentiality or availability loss), but publicly available exploit code exists and the issue has been publicly disclosed.
Remote code execution in Spam Protect for Contact Form 7 WordPress plugin before version 1.2.10 allows authenticated users with editor-level privileges to achieve arbitrary code execution by crafting malicious headers that are logged to a PHP file. The vulnerability is publicly exploitable with proof-of-concept code available, making it a critical risk for WordPress installations using affected plugin versions.
Arbitrary file movement in MW WP Form plugin for WordPress (all versions ≤5.1.0) allows unauthenticated remote attackers to relocate server files and achieve remote code execution by moving critical files like wp-config.php. Exploitation requires a form with file upload capability and database inquiry storage enabled. CVSS 8.1 with network attack vector and high attack complexity. EPSS data not provided; no public exploit or CISA KEV status identified at time of analysis, though Wordfence threat intelligence has documented the vulnerability with source code references.
Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System up to version 1.0 allows remote attackers to inject malicious scripts via the 'page' parameter in /navbar.php. The vulnerability requires user interaction (UI:R per CVSS vector) but carries a low CVSS score of 4.3 due to limited confidentiality impact. Publicly available exploit code exists, increasing real-world risk despite the moderate base score.
User enumeration in osTicket v1.18.2's password reset endpoint (/pwreset.php) enables remote attackers to discover valid usernames through response analysis, facilitating targeted account compromise attempts. No CVSS score, CISA KEV status, or confirmed patch information is available; exploitation likelihood depends on whether timing or behavioral differences between valid and invalid usernames can be reliably detected without authentication.
Reflected XSS in Interzen Consulting ZenShare Suite v17.0 login_newpwd.php endpoint allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers by injecting malicious code into the codice_azienda parameter via a crafted URL. No public exploit code or active exploitation has been confirmed at the time of this analysis, though the vulnerability is straightforward to demonstrate and likely poses a practical risk to organizations using this product.
Reflected cross-site scripting (XSS) vulnerabilities in Interzen Consulting ZenShare Suite v17.0 login.php endpoint allow remote unauthenticated attackers to execute arbitrary JavaScript in a user's browser by injecting malicious payloads into the codice_azienda and red_url parameters. Attack requires user interaction (clicking a crafted link) and affects the authentication process; no public exploit code or active exploitation has been confirmed at time of analysis.
Stored XSS via HTML entity-encoded javascript: URLs in SVG files in phpMyFAQ enables privilege escalation from editor to admin. The regex-based sanitizer in SvgSanitizer.php fails to detect entity-encoded payloads like javascript: (javascript:), allowing any user with edit_faq permission to upload malicious SVGs that execute arbitrary JavaScript in admin browsers. Publicly available proof-of-concept demonstrates both basic XSS and complete admin account creation, with confirmed working exploitation in Chrome 146 and Edge.
Information disclosure in phpMyFAQ allows unauthenticated attackers to enumerate custom page content by injecting SQL LIKE wildcards (`%` and `_`) into the search term, bypassing intended search filters. The `searchCustomPages()` method in `Search.php` uses `real_escape_string()` which does not escape LIKE metacharacters, enabling an attacker to craft queries like `_%_` that match all records regardless of intended search scope. This vulnerability has no authentication requirement and affects the publicly accessible search functionality.
Path traversal in Ferret's IO::FS::WRITE and IO::FS::READ functions enables remote code execution when web scraping operators process attacker-controlled filenames. The vulnerability affects github.com/MontFerret/ferret (all v2.x and earlier versions), allowing malicious websites to write arbitrary files outside intended directories by injecting '../' sequences into filenames returned via scraped content. Attackers can achieve RCE by writing to /etc/cron.d/, ~/.ssh/authorized_keys, shell profile
Stored cross-site scripting (XSS) in phpMyFAQ allows authenticated administrators to inject unquoted or single-quoted event handler attributes that bypass the content sanitization pipeline, resulting in arbitrary JavaScript execution for all FAQ page visitors. The vulnerability exists in the removeAttributes() regex filter (line 174 of Filter.php) which only matches double-quoted HTML attributes, allowing payloads like <img src=x onerror=alert(1)> to persist and execute in the browser when the F
Path traversal and CSRF vulnerability in phpMyFAQ's MediaBrowserController enables remote deletion of critical server files. Authenticated admin accounts can be exploited via CSRF to delete arbitrary files including database configurations, .htaccess files, and application code. GitHub advisory confirms the vulnerability with POC demonstration. Attack requires low-privilege authentication (PR:L) but succeeds with minimal user interaction (UI:R), achieving high integrity and availability impact w
Remote code execution in OpenSTAManager v2.10.1 and earlier allows authenticated attackers to achieve unauthenticated RCE via chained exploitation of arbitrary SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. The unauthenticated oauth2.php file calls unserialize() on attacker-controlled database content without class restrictions, enabling gadget chain exploitation (Laravel/RCE22) to execute arbitrary system commands as www-data. Attack requires in
Time-based blind SQL injection in OpenSTAManager ≤2.10.1 allows authenticated users to extract complete database contents including credentials, financial records, and PII through multiple AJAX select handlers. The vulnerability affects three core modules (preventivi, ordini, contratti) where the `options[stato]` GET parameter is concatenated directly into SQL WHERE clauses without validation. Exploitation requires only low-privilege authentication (CVSS PR:L) and has been confirmed with working
Insufficient entropy in cookie encryption within Auth0 PHP SDK versions 8.0.0 through 8.18.x enables brute-force attacks against session cookie encryption keys, potentially allowing authenticated threat actors with network access to forge arbitrary session cookies and bypass authentication controls. Vendor-released patch available in version 8.19.0. No public exploit identified at time of analysis, though CVSS score of 8.2 reflects high severity due to potential for complete authentication bypass with cross-scope impact.
MetInfo CMS 7.9, 8.0, and 8.1 allows unauthenticated remote code execution through PHP code injection in insufficient input validation mechanisms. Attackers can send crafted requests containing malicious PHP code to execute arbitrary commands and achieve full server compromise without authentication. Publicly available exploit code exists for this vulnerability.
SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to manipulate the userid parameter in /delstaffinfo.php, enabling arbitrary SQL query execution with limited data confidentiality and integrity impact. Public exploit code is available, increasing real-world risk despite the moderate CVSS score of 6.9.
SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to manipulate the firstName parameter in /modify.php, enabling arbitrary database queries and potential data exfiltration or modification. The vulnerability affects the Parameter Handler component through CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). Publicly available exploit code exists, and the CVSS 6.9 score reflects moderate impact with low attack complexity and no authentication requirement.
Reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the userid parameter in /delstaffinfo.php, with public exploit code available. The vulnerability requires user interaction (clicking a crafted link) and has low confidentiality impact but can enable session hijacking, credential theft, or malware distribution.
Authenticated remote code execution via mass assignment in GougoCMS 4.08.18 User Registration Handler allows attackers with valid credentials to manipulate the 'level' parameter during registration, exploiting dynamically-determined object attributes to escalate privileges or modify sensitive user properties. The vulnerability affects the reg_submit function in Login.php and has publicly available exploit code; however, the vendor has not responded to early disclosure notification.
Stored cross-site scripting (XSS) in code-projects BloodBank Managing System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the statename parameter in /admin_state.php, affecting user sessions and administrative functions with user interaction required. The vulnerability carries a CVSS score of 5.3 (medium severity) with low integrity impact, and publicly available exploit code exists according to disclosed documentation.
SQL injection in itsourcecode Payroll Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via manipulation of the ID parameter in /view_employee.php. The vulnerability has a CVSS score of 6.9 and publicly available exploit code exists, enabling potential data extraction, modification, or authentication bypass without requiring user interaction.
SQL injection in Booking for Appointments and Events Calendar - Amelia WordPress plugin (versions up to 2.1.2) allows authenticated Manager-level users to extract sensitive database information via the `sort` parameter in the payments listing endpoint. The vulnerability exists because the sort field is interpolated directly into an ORDER BY clause without sanitization, bypassing PDO prepared statement protections which do not cover column names. GET requests also bypass Amelia's nonce validation, enabling time-based blind SQL injection attacks by authenticated users with Manager access or higher.
Pharmacy Product Management System 1.0 accepts negative price and total cost values in sales transactions due to insufficient input validation in add-sales.php, enabling attackers to manipulate financial records, corrupt sales reports, and cause financial loss. The vulnerability allows unauthenticated or low-privilege users to submit arbitrary negative values that bypass business logic controls. Publicly available exploit code exists demonstrating this business logic flaw.
SQL injection in itsourcecode Payroll Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /manage_user.php, enabling arbitrary SQL query execution with confidentiality and integrity impact. The vulnerability has a publicly available exploit, making it immediately actionable for threat actors despite the moderate CVSS score.
Stored cross-site scripting (XSS) in phpMyFAQ 4.2.0-alpha allows unauthenticated attackers to inject malicious JavaScript via RFC 5321-compliant quoted email addresses in guest FAQ submissions. The injected payload is stored without sanitization and rendered using Twig's |raw filter in the admin FAQ editor, executing in administrator browsers and enabling session hijacking, admin account takeover, and arbitrary site manipulation. A publicly available proof-of-concept demonstrates successful JavaScript execution when administrators review pending FAQs.
FreeScout prior to version 1.8.211 fails to validate Server-Side Request Forgery (SSRF) protections due to a flawed IP range check in checkIpByMask() that only accepts CIDR notation and rejects plain IP addresses, leaving the entire 10.0.0.0/8 and 172.16.0.0/12 private IP ranges unprotected from SSRF attacks. Remote attackers can exploit this logic error to access internal services and resources on private networks that the application can reach, potentially escalating to information disclosure or further lateral movement. The vulnerability is confirmed patched in version 1.8.211.
Stored cross-site scripting (XSS) via unencoded HTML reflection in WWBN AVideo's User_Location plugin testIP.php endpoint allows authenticated attackers to execute arbitrary JavaScript in admin sessions. Affecting AVideo 26.0 and earlier, the vulnerability exploits SameSite=None cookie configuration to enable cross-origin exploitation, permitting unauthenticated attackers to lure admins to malicious links that hijack their authenticated context. No public exploit code or vendor patch has been released at time of analysis.
Authenticated users in WWBN AVideo 26.0 and prior can cancel arbitrary Stripe subscriptions through an exposed test.php debug endpoint in the StripeYPT plugin, exploiting a logic error in the retrieveSubscriptions() method that performs cancellation instead of retrieval. The vulnerability requires valid login credentials but allows any authenticated user-not just administrators-to trigger subscription cancellations, causing integrity violations to payment operations. No public exploit code or active exploitation has been reported at time of analysis, and vendor patches are not yet available.
Unauthenticated remote attackers can bypass CLI-only access controls in WWBN AVideo versions 26.0 and prior via a PHP operator precedence bug in install/deleteSystemdPrivate.php, allowing HTTP access to delete server temp directory files and disclose their contents without authentication. The vulnerability stems from a logic error where !php_sapi_name() === 'cli' evaluates incorrectly due to operator binding precedence, causing the access guard to fail entirely. No public exploit code or active exploitation has been reported at the time of this analysis.
WWBN AVideo 26.0 and prior exposes sensitive user data through 21 unauthenticated API endpoints via the CreatePlugin template generator. The list.json.php template lacks authentication checks present in its companion add.json.php and delete.json.php templates, allowing remote attackers to enumerate and retrieve user PII, payment logs, IP addresses, user agents, and internal system records without authentication. No vendor patch exists at time of analysis.
Unauthenticated attackers can remotely terminate any active live stream in WWBN AVideo 26.0 and prior by sending crafted POST requests to the on_publish_done.php endpoint in the Live plugin. The vulnerability combines two weaknesses: an unauthenticated stats.json.php endpoint that exposes active stream keys, and the on_publish_done.php RTMP callback handler that processes stream termination requests without authentication or authorization checks. This enables complete denial-of-service against all platform live streaming functionality. CVSS 7.5 (High) with network attack vector, low complexity, and no privileges required. No vendor-released patch identified at time of analysis; EPSS data not available.
CSRF vulnerability in WWBN AVideo 26.0 and prior allows unauthenticated attackers to disable critical security plugins on admin accounts via malicious web pages, exploiting missing CSRF token validation combined with SameSite=None session cookies and ORM-level security bypass. An attacker can trick an authenticated administrator into visiting a crafted webpage that silently disables plugins such as LoginControl (2FA), subscription enforcement, or access control mechanisms, compromising the platform's security posture without the admin's knowledge or consent.
CSRF vulnerability in WWBN AVideo 26.0 and prior allows unauthenticated attackers to send arbitrary HTML emails to all platform users by luring administrators to a malicious webpage. The vulnerability exploits absent CSRF token validation on the emailAllUsers.json.php endpoint combined with SameSite=None session cookie configuration, enabling cross-origin POST requests to execute with the admin's session credentials. An attacker can impersonate the platform's legitimate SMTP sender to distribute phishing emails, spam, or malware links to the entire user base without any authentication requirement beyond initial admin compromise via social engineering.
Stored cross-site scripting (XSS) in WWBN AVideo 26.0 and prior allows unauthenticated attackers to inject malicious JavaScript into plugin configuration values via CSRF, or authenticated admins to directly inject code that executes in administrator browsers when accessing plugin configuration pages. The vulnerability exploits missing output encoding in the jsonToFormElements() function, enabling arbitrary JavaScript execution within the admin panel with impact to confidentiality and integrity.
Cross-site request forgery in WWBN AVideo 26.0 and earlier enables remote attackers to reconfigure critical plugin settings through forged requests targeting admin/save.json.php. The endpoint lacks CSRF token validation while the application sets SameSite=None cookies, allowing attackers to manipulate payment processors, authentication providers, and cloud storage credentials by tricking authenticated administrators into visiting malicious pages. No vendor-released patch identified at time of analysis. EPSS data unavailable; not listed in CISA KEV; no public exploit identified at time of analysis, though exploitation requires only standard CSRF techniques.
Information disclosure in WWBN AVideo versions 26.0 and prior allows authenticated users to enumerate and dump the complete user database including personal information and wallet balances via the /plugin/YPTWallet/view/users.json.php endpoint. The vulnerability stems from inadequate authorization checks that verify user login status but fail to enforce administrator-only access, enabling any registered account holder to retrieve sensitive data belonging to all platform users. No public exploit code or active exploitation has been confirmed at time of analysis, and vendor patches are not yet available.
Admidio prior to version 5.0.8 allows attackers with pending registration status to bypass CSRF protections and trick administrators with approval rights into automatically approving registrations via malicious URLs, enabling unauthorized account activation without manual review. The vulnerability affects the create_user, assign_member, and assign_user action modes in modules/registration.php, which process GET requests without token validation unlike the delete_user mode in the same file. An attacker extracts their user UUID from a registration confirmation email, crafts a URL targeting administrators, and gains illicit account approval through social engineering rather than technical compromise.
Admidio 5.0.0 through 5.0.7 allows authenticated users to permanently delete list configurations via CSRF attacks in the mylist_function.php delete handler, lacking CSRF token validation. An attacker can craft a malicious page to silently destroy a victim's shared list configurations, including organization-wide lists if the victim holds administrator rights. No public exploit code has been identified at time of analysis. Vendor-released patch: version 5.0.8.
Path traversal in CMS Made Simple UserGuide Module XML Import functionality allows authenticated high-privilege attackers to manipulate file operations in the _copyFilesToFolder function, enabling arbitrary file placement on the server with limited confidentiality and integrity impact. The vulnerability affects CMS Made Simple up to version 2.2.22, requires high-level privileges to exploit remotely, and vendor has confirmed a fix for a future release; publicly available exploit code exists but real-world risk remains moderate due to privilege requirements.
SQL injection in code-projects Student Membership System 1.0 admin login allows unauthenticated remote attackers to bypass authentication and access sensitive data via crafted username/password parameters at /admin/index.php. Publicly available exploit code exists (VulDB 354296, GitHub POC), enabling trivial exploitation with no attack complexity. CVSS 7.3 reflects network-accessible attack with low confidentiality/integrity/availability impact. No vendor-released patch identified at time of analysis.
SQL injection in code-projects Student Membership System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /delete_user.php, enabling unauthorized data exfiltration or manipulation. The vulnerability has CVSS score 5.3 (medium severity) with publicly available exploit code, though it requires authenticated access (PR:L) and carries low confidentiality, integrity, and availability impact per CVSS v4.0 assessment.
SQL injection in code-projects Student Membership System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in /delete_member.php, resulting in limited confidentiality and integrity impact. Publicly available exploit code exists, and the vulnerability has been disclosed; however, active exploitation has not been confirmed by CISA. The attack requires valid authentication credentials but can be initiated over the network with minimal complexity.
Stored cross-site scripting in Teampass password manager versions before 3.1.5.16 enables unauthenticated remote attackers to inject malicious JavaScript through the password import functionality, achieving persistent code execution in victims' browsers including administrators. CVSS 9.3 (Critical) with EPSS data unavailable, no KEV listing, and patch available per vendor advisory. Attack requires no authentication (PR:N) and low complexity (AC:L), creating significant risk for organizational password compromise and lateral movement.
Reflected Cross-Site Scripting (XSS) in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL targeting the 'host' parameter of the /diagdns.php endpoint. An attacker can exploit this to steal session cookies, perform unauthorized actions, or redirect users to malicious content. No public exploit code or active exploitation has been confirmed at time of analysis.
Reflected XSS in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL targeting the 'host' parameter in /diagconnect.php, potentially enabling session hijacking or unauthorized user actions. The vulnerability requires user interaction (clicking a malicious link) and has a CVSS score of 5.1 (medium severity). No public exploit code or active exploitation has been confirmed at the time of analysis.
Blind Cross-Site Scripting in Teampass password manager versions prior to 3.1.5.16 allows unauthenticated remote attackers to execute arbitrary JavaScript in administrator browsers via malicious username input during failed login attempts. The vulnerability achieves high confidentiality and integrity impact (CVSS 9.3) because malicious code is stored and automatically executed when administrators review failed authentication logs, enabling potential session hijacking, credential theft, or administrative account compromise. No active exploitation confirmed via CISA KEV, though the attack requires no authentication and minimal complexity.
Reflected Cross-Site Scripting (XSS) in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious URLs targeting the 'port' and 'proxyPort' parameters in the /anon.php endpoint. Successful exploitation enables theft of session cookies and unauthorized actions on behalf of the victim. No public exploit code or active exploitation has been confirmed at time of analysis.
Unrestricted file upload in SourceCodester Simple Doctors Appointment System up to version 1.0 allows authenticated remote attackers to upload arbitrary files via the img parameter in /doctors_appointment/admin/ajax.php?action=save_category, potentially leading to remote code execution. The vulnerability has publicly available exploit code and carries a CVSS score of 5.3 with limited impact scope, though it requires valid login credentials to exploit.
Unauthenticated attackers can directly access view PHP files in the Truebooker WordPress plugin (versions up to 1.1.4) to disclose sensitive information, such as user data or system configuration details exposed in those templates. The vulnerability requires only network access and no authentication, making it trivially exploitable via simple HTTP requests to exposed PHP files. No public exploit code or active exploitation has been confirmed at this time.
SQL injection in SourceCodester Simple Doctors Appointment System 1.0 allows unauthenticated remote attackers to compromise confidentiality, integrity, and availability via the /admin/ajax.php login endpoint. Attackers manipulate the 'email' parameter to execute arbitrary SQL commands. Publicly available exploit code exists (GitHub POC published), significantly lowering the attack barrier. The CVSS score of 7.3 reflects network-based exploitation requiring low complexity and no privileges, with partial impact across all CIA triad elements. No CISA KEV listing at time of analysis, but the combination of public exploit and authentication bypass capability makes this a realistic threat to internet-facing instances.
SQL injection in SourceCodester Simple Doctors Appointment System 1.0 allows remote unauthenticated attackers to extract, modify, or delete database contents via the Username parameter in /admin/login.php. Publicly available exploit code exists (GitHub POC), enabling trivial exploitation with no authentication required. CVSS 7.3 reflects low attack complexity and network accessibility. EPSS data unavailable, but public POC significantly elevates real-world risk for internet-facing installations.
Remote code execution in Everest Forms Pro plugin for WordPress ≤1.9.12 allows unauthenticated attackers to execute arbitrary PHP code on the server via the Complex Calculation feature. Attackers can inject malicious PHP through any string-type form field (text, email, URL, select, radio) due to unsafe concatenation into eval() without proper escaping. This vulnerability carries a 9.8 CVSS score with maximum impact (confidentiality, integrity, availability) and requires no authentication or user interaction, representing a critical immediate threat to all installations using the affected plugin versions.
Sensitive system configuration data exposure in Gravity SMTP for WordPress (all versions ≤2.1.4) allows unauthenticated remote attackers to retrieve comprehensive server information via an unsecured REST API endpoint. The /wp-json/gravitysmtp/v1/tests/mock-data endpoint lacks authentication controls, exposing ~365 KB of JSON containing PHP version, database credentials structure, WordPress configuration, plugin/theme inventories, and configured API keys/tokens. EPSS data not provided; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack vector is trivial (CVSS AV:N/AC:L/PR:N).
Authenticated path traversal in baserCMS theme file management API (versions prior to 5.2.3) enables arbitrary file write, allowing administrators to create malicious PHP files outside the theme directory and achieve remote code execution. The vulnerability (CWE-22) requires high privileges (PR:H) but has low attack complexity (AC:L) with network access (AV:N). CVSS score of 7.2 reflects the significant impact when administrator credentials are compromised. No public exploit code or CISA KEV listing identified at time of analysis, though the technical details in the advisory provide sufficient information for weaponization.
Arbitrary code execution in baserCMS versions before 5.2.3 allows authenticated administrators to achieve remote code execution via malicious PHP files embedded in backup restore archives. The vulnerability exploits unsafe file inclusion during ZIP extraction in the restore function, where uploaded PHP files are executed via require_once without filename validation. No public exploit identified at time of analysis, though EPSS score of 0.00043 (0.043%) and CVSS 8.7 indicate moderate theoretical risk mitigated by high privilege requirements (PR:H).
Blind SQL injection in SourceCodester Loan Management System v1.0 allows authenticated attackers to inject malicious SQL commands via the borrower_id parameter in the ajax.php save_loan action. The vulnerability requires valid authentication to exploit and publicly available proof-of-concept code exists, making this a moderate-risk issue for organizations using this open-source application despite the lack of CVSS scoring.
Reflected cross-site scripting (XSS) in code-projects Online Food Ordering System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the cust_id parameter in /form/order.php, exploitable through user interaction (UI required). Publicly available exploit code exists; the vulnerability carries CVSS 4.3 (low severity) but poses reputational and user session hijacking risks typical of XSS attacks in e-commerce contexts.
Remote code execution in Contact Form by Supsystic plugin for WordPress (all versions ≤1.7.36) allows unauthenticated attackers to execute arbitrary PHP functions and OS commands via Server-Side Template Injection. Attackers exploit the plugin's unsandboxed Twig template engine by injecting malicious Twig expressions through GET parameters in the cfsPreFill functionality, leveraging registerUndefinedFilterCallback() to register arbitrary PHP callbacks. CVSS 9.8 (Critical) with network-accessible, low-complexity attack vector requiring no authentication. EPSS data not provided, but the combination of unauthenticated RCE in a widely-deployed WordPress plugin represents severe real-world risk. No KEV status confirmed at time of analysis.
Remote SQL injection in code-projects Accounting System 1.0 allows unauthenticated attackers to execute arbitrary SQL queries via the cos_id parameter in the /viewin_costumer.php file. The vulnerability has a CVSS score of 6.9 with a public exploit available, enabling attackers to read sensitive data from the database with minimal attack complexity. This is a network-accessible PHP application flaw affecting confidentiality with confirmed public disclosure.
Stored DOM-based cross-site scripting (XSS) in CI4 CMS-ERP Mail Settings allows authenticated administrators to inject arbitrary JavaScript via unsanitized configuration fields (Mail Server, Port, Email Address, Password, Protocol, TLS settings), with payloads executing immediately on the same settings page upon save. Attack requires high-privilege access (PR:H) but enables full account takeover and platform compromise. Publicly available proof-of-concept video demonstrates attribute breakout technique.
Reflected cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the 'msg' parameter in index.php. Publicly available proof-of-concept code exists, enabling attackers to craft malicious URLs that execute scripts in victim browsers when clicked. No CVSS vector or patch information is available; the vulnerability appears limited in scope to a single PHP parameter.
HeidiSQL 9.5.0.5196 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long file path in the logging preferences. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Reflected cross-site scripting (XSS) in code-projects Exam Form Submission 1.0 allows authenticated remote attackers to inject malicious scripts via the sname parameter in /admin/update_fst.php, affecting user sessions with administrator privileges. The vulnerability requires user interaction (UI:R) and carries a low CVSS score of 2.4 due to the requirement for prior administrative authentication (PR:H), but publicly available exploit code exists and may be actively used. The attack vector is network-based (AV:N) with low complexity (AC:L), creating an insider threat scenario where compromised or malicious administrators can deface content or steal session tokens of other administrators.
Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary web script or HTML via the unvalidated 'msg' parameter in add_stock.php. The vulnerability is publicly demonstrated with available proof-of-concept code, enabling attackers to execute malicious scripts in users' browsers without requiring authentication or special privileges.
Invoice Ninja versions 5.12.46 and 5.12.48 contain a Server-Side Request Forgery (SSRF) vulnerability in the CheckDatabaseRequest.php component that allows remote attackers to perform unauthorized requests to internal or external systems. The vulnerability affects the setup and database configuration functionality, potentially enabling attackers to access internal services, probe private networks, or interact with restricted resources from the server's perspective.
Reflected XSS in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'msg' parameter in add_purchase.php, enabling session hijacking, credential theft, or malware distribution via crafted URLs. The vulnerability has publicly available exploit code but lacks CVSS scoring and is not confirmed as actively exploited.
Reflected XSS in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the msg parameter in add_supplier.php, enabling session hijacking, credential theft, or malware distribution without authentication. The vulnerability has publicly available proof-of-concept code demonstrating the attack vector.
Reflected XSS in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the msg parameter in add_sales.php, enabling session hijacking, credential theft, or malware distribution via crafted URLs. Publicly available exploit code exists.
Reflected cross-site scripting in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'msg' parameter in add_customer.php, enabling session hijacking, credential theft, or malware distribution via crafted URLs. Publicly available exploit code exists demonstrating the vulnerability.
Reflected cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'msg' parameter in add_category.php, enabling session hijacking, credential theft, or malware distribution via malicious URLs. Publicly available exploit code exists, increasing real-world attack likelihood despite the absence of formal CVSS scoring or CVE severity data.
Reflected cross-site scripting in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML via the unvalidated "limit" parameter in view_customers.php, affecting unauthenticated users who click malicious links. Publicly available exploit code exists demonstrating the vulnerability, though no CVSS score is available to quantify severity.
Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the 'limit' parameter in view_supplier.php due to insufficient input sanitization. The vulnerability is accessible without authentication via crafted URLs, and publicly available exploit code exists demonstrating the attack vector.
Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary web scripts or HTML through the 'limit' parameter in view_payments.php due to insufficient input sanitization. Publicly available exploit code exists, enabling attackers to craft malicious URLs that execute JavaScript in victims' browsers when visited, potentially leading to session hijacking, credential theft, or defacement.
Stored cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows authenticated attackers to inject malicious scripts via the unvalidated website parameter in update_details.php, which are persisted in the database and executed whenever the store details page is accessed by any user. Publicly available exploit code exists, though the vulnerability requires prior authentication and affects primarily self-hosted instances of this open-source inventory management application.
Command injection in code-projects Chamber of Commerce Membership Management System 1.0 allows authenticated remote attackers with high privileges to execute arbitrary commands via manipulation of the mailSubject and mailMessage parameters in the admin/pageMail.php file. The vulnerability has a publicly available exploit and a moderate CVSS score of 4.7, but real-world risk is constrained by the requirement for high-privilege authenticated access.
SQL injection in code-projects Accounting System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the en_id parameter in /view_work.php, potentially leading to unauthorized data access, modification, or deletion. Public exploit code is available, increasing practical exploitation risk despite the moderate CVSS score of 6.9.
SQL injection in code-projects Accounting System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the cos_id parameter in /edit_costumer.php. The vulnerability has a CVSS 4.0 score of 6.9 with low impact to confidentiality, integrity, and availability. Publicly available exploit code exists, elevating real-world risk despite moderate CVSS severity.
SQL injection in code-projects Accounting System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the cos_id parameter in /view_costumer.php. Publicly available exploit code exists (GitHub POC published), enabling trivial exploitation with no authentication required. CVSS 7.3 reflects high exploitability (AV:N/AC:L/PR:N) with partial impact across confidentiality, integrity, and availability. No vendor-released patch identified at time of analysis.
SQL injection in code-projects Simple Food Order System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Status parameter in all-orders.php. The vulnerability has a publicly available exploit and requires no authentication or user interaction (CVSS 7.3, AV:N/AC:L/PR:N). No vendor-released patch identified at time of analysis, representing elevated risk for installations of this PHP-based food ordering application.
SQL injection in code-projects Simple Food Order System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'Name' parameter in register-router.php. The vulnerability permits unauthorized database access with confirmed publicly available exploit code (EPSS and CVSS both indicate medium-severity risk). Attack complexity is low with no user interaction required, enabling automated exploitation. No vendor-released patch identified at time of analysis, and exploitation requires no authentication (CVSS PR:N).
SQL injection in Simple Food Order System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Status parameter in /all-tickets.php. The vulnerability is trivially exploitable with low attack complexity and requires no user interaction. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no active exploitation has been confirmed by CISA KEV at time of analysis.
Ninja Forms plugin for WordPress versions up to 3.14.1 exposes authorization tokens via an insecure callback function in blocks/bootstrap.php, allowing authenticated Contributor-level users and above to access form submission data from arbitrary forms without proper authorization. The vulnerability enables sensitive information disclosure affecting all WordPress installations using the affected plugin versions, with no active exploitation confirmed at time of analysis.