PHP
Monthly
Arbitrary file upload in AI Engine WordPress plugin versions up to 3.3.2 allows authenticated Editor-level users to bypass file type validation and execute remote code by uploading files through the `update_media_metadata` REST endpoint. An attacker can upload a benign image file and then rename it to PHP, placing executable code in the web-accessible uploads directory. The vulnerability affects WordPress installations with the plugin installed and requires Editor or higher privileges to exploit.
The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. [CVSS 6.4 MEDIUM]
The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_simple_folio_item_client_name' and '_simple_folio_item_link' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Interactions - Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config....
The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) [CVSS 5.3 MEDIUM]
Unauthenticated remote attackers can inject arbitrary OS commands through the MAC filter configuration parameter in D-Link DIR-615 firmware version 4.10 and potentially earlier versions. Public exploit code exists for this vulnerability, and affected devices are no longer receiving security updates from D-Link. Successful exploitation grants complete system compromise with high impact to confidentiality, integrity, and availability.
Command injection in D-Link DIR-615 firmware via the /set_temp_nodes.php URL Filter component allows unauthenticated remote attackers to execute arbitrary OS commands. Public exploit code exists for this vulnerability, which affects legacy unsupported devices with a 7.2 CVSS score and no available patch.
Mobile Shop Management System has code injection in ExAddNewUser.php.
Mobile Shop Management System has SQL injection in ExLogin.php.
Mobile Shop Management System has SQL injection in insertmessage.php.
Computer Book Store v1.0 has file upload in admin_add.php.
Mobile Shop Management System has file upload enabling web shell deployment.
Gila CMS before 2.0.0 has an RFI vulnerability enabling unauthenticated RCE.
Victor Cms versions up to 1.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Link Invoice Payment for WooCommerce (WordPress plugin) versions up to 2.8.0. is affected by missing authorization (CVSS 5.3).
HUSTOJ online judge has a path traversal vulnerability enabling arbitrary file access on the competition server.
Remote code execution in D-Link DIR-615 firmware through os command injection via the ipaddr parameter in the Web Management Interface allows unauthenticated remote attackers to execute arbitrary commands. The vulnerability affects unsupported firmware versions up to 4.10, and public exploit code is available. No patch has been released by the vendor.
Unrestricted file upload in iJason-Liu Books_Manager allows authenticated attackers with high privileges to upload arbitrary files via the book_cover parameter in the upload_bookCover.php controller. Public exploit code exists for this vulnerability, increasing the risk of exploitation. A patch is not currently available for this rolling-release product.
A vulnerability has been found in iJason-Liu Books_Manager versions up to 298 is affected by cross-site scripting (xss) (CVSS 2.4).
SQL injection in Online Music Site 1.0's AdminDeleteUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can leverage this to compromise data confidentiality, integrity, and availability.
Unrestricted file upload in code-projects Online Examination System 1.0 via the /admin_pic.php endpoint allows authenticated remote attackers to upload arbitrary files with minimal complexity. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable code execution or system compromise depending on server configuration and file handling.
SQL injection in the login page of code-projects Online Examination System 1.0 allows unauthenticated remote attackers to manipulate the User parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and affects confidentiality, integrity, and availability of the affected system.
The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. [CVSS 6.8 MEDIUM]
The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin [CVSS 7.1 HIGH]
All-in-One Dynamic Content Framework versions up to 1.1.27 is affected by information exposure (CVSS 4.3).
WP Directory Kit (WordPress plugin) versions up to 1.4.9 is affected by information exposure (CVSS 5.3).
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. [CVSS 4.3 MEDIUM]
Moderate Selected Posts (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. [CVSS 4.3 MEDIUM]
The Administrative Shortcodes plugin for WordPress through version 0.3.4 allows authenticated contributors and above to execute arbitrary PHP code via insufficient path validation in the get_template shortcode's slug parameter. An attacker with contributor-level permissions can exploit this local file inclusion vulnerability to include malicious files, bypass access controls, and achieve remote code execution on the affected server. A patch is not currently available for this vulnerability.
The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alpha_block_css’ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
WP Youtube Video Gallery (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Simple Crypto Shortcodes (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Wizit Gateway for WooCommerce (WordPress plugin) versions up to 1.2.9. is affected by missing authorization (CVSS 5.3).
The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. [CVSS 5.4 MEDIUM]
The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. [CVSS 5.3 MEDIUM]
The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. [CVSS 6.1 MEDIUM]
Arbitrary file upload in Kalrav AI Agent WordPress plugin due to missing file type validation in the kalrav_upload_file AJAX action.
Authenticated users in phpMyFAQ 4.0.16 and below can bypass permission checks to download FAQ attachments they should not have access to, due to improper validation of authorization tokens in attachment.php and flawed permission logic. An attacker with valid credentials but without the dlattachment permission can exploit this to retrieve sensitive attachment content. Public exploit code exists for this vulnerability, and no patch is currently available.
phpMyFAQ versions 4.0.16 and below allow authenticated users to access the backup API endpoint without proper authorization checks, enabling them to download configuration files containing sensitive data. The vulnerability stems from incomplete authorization validation in SetupController.php, which only verifies authentication rather than admin permissions. Public exploit code exists for this issue, and no patch is currently available.
Sourcecodester Modern Image Gallery App v1.0 has an arbitrary file upload in the gallery endpoint allowing unauthenticated remote code execution.
A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. [CVSS 5.3 MEDIUM]
A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. [CVSS 5.3 MEDIUM]
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. [CVSS 6.5 MEDIUM]
PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server. [CVSS 8.8 HIGH]
address parameter of the change_params.php script. Attackers can inject malicious JavaScript payloads is affected by cross-site scripting (xss) (CVSS 7.2).
Textpattern versions up to 4.8.3 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
DevsBlink EduBlink Core through version 2.0.7 contains a local file inclusion vulnerability in its PHP file handling that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters to bypass proper input validation and access sensitive system files. No patch is currently available for this vulnerability.
The Laurent theme for PHP versions 3.1 and earlier contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files on the affected system. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive data outside the intended application directory. No patch is currently available for this vulnerability.
Laurent Core plugin for PHP through version 2.4.1 contains a local file inclusion vulnerability in its filename handling for include/require statements, allowing authenticated attackers to read arbitrary files from the affected system. With a CVSS score of 7.5, this vulnerability enables confidentiality and integrity compromise, though exploitation requires valid credentials and no patch is currently available.
Omnipress through version 1.6.6 contains a local file inclusion vulnerability in its PHP program that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive files outside the intended directory. This vulnerability requires user interaction but poses significant risk to confidentiality with no available patch at this time.
A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) allowing unauthenticated remote code execution through crafted include paths.
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. [CVSS 4.3 MEDIUM]
Melapress Role Editor (WordPress plugin) versions up to 1.1.1. is affected by incorrect authorization (CVSS 8.8).
The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. [CVSS 6.4 MEDIUM]
Unauthenticated Server-Side Request Forgery (SSRF) in FOG 1.5.10.1754 and earlier allows remote attackers to read internal files and access local services by manipulating the url parameter in getversion.php when newService=1 is present. The vulnerability requires no authentication or user interaction and affects the confidentiality of sensitive data accessible from the affected system. No patch is currently available.
An issue with WordPress directory names in WebPros WordPress Toolkit versions up to 6.9.1 is affected by path traversal (CVSS 8.8).
QantumThemes Kentha Elementor Widgets kentha-elementor is affected by php remote file inclusion (CVSS 7.5).
A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) allowing unauthenticated attackers to include and execute arbitrary remote PHP files.
A WordPress plugin has a PHP Remote File Inclusion vulnerability enabling unauthenticated remote code execution through crafted include paths.
wphocus My auctions allegro my-auctions-allegro-free-edition is affected by php remote file inclusion (CVSS 7.5).
Pavothemes Triply versions 2.4.7 and earlier contain a local file inclusion vulnerability in PHP that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters to bypass access controls and potentially execute code or expose sensitive data. No patch is currently available for this vulnerability.
Pavothemes Freshio versions 2.4.2 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated remote attackers to read sensitive files on affected systems. The vulnerability stems from improper validation of file paths in include/require statements, enabling disclosure of confidential information such as configuration files and source code. This vulnerability currently lacks a published patch and has a low exploitation prevalence rate.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Werkstatt werkstatt allows PHP Local File Inclusion.This issue affects Werkstatt: from n/a through < 4.8.3. [CVSS 8.1 HIGH]
Incorrect Privilege Assignment vulnerability in e-plugins WP Membership wp-membership allows Privilege Escalation.This issue affects WP Membership: from n/a through <= 1.6.4. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Membership: from n/a through <= 1.6.4. [CVSS 7.3 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boopathi Rajan WP Test Email wp-test-email allows Reflected XSS.This issue affects WP Test Email: from n/a through <= 1.1.7. [CVSS 7.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North north-wp allows PHP Local File Inclusion.This issue affects North: from n/a through <= 5.7.5. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Malta malta allows PHP Local File Inclusion.This issue affects Malta: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hobo hobo allows PHP Local File Inclusion.This issue affects Hobo: from n/a through <= 1.0.10. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Modern Housewife modernhousewife allows PHP Local File Inclusion.This issue affects Modern Housewife: from n/a through <= 1.0.12. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Yolox yolox allows PHP Local File Inclusion.This issue affects Yolox: from n/a through <= 1.0.15. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pearson Specter pearsonspecter allows PHP Local File Inclusion.This issue affects Pearson Specter: from n/a through <= 1.11.3. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Piqes piqes allows PHP Local File Inclusion.This issue affects Piqes: from n/a through <= 1.0.11. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Prider prider allows PHP Local File Inclusion.This issue affects Prider: from n/a through <= 1.1.3.1. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes TanTum tantum allows PHP Local File Inclusion.This issue affects TanTum: from n/a through <= 1.1.13. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tornados tornados allows PHP Local File Inclusion.This issue affects Tornados: from n/a through <= 2.1. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion.This issue affects Muji: from n/a through <= 1.2.0. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tails tails allows PHP Local File Inclusion.This issue affects Tails: from n/a through <= 1.4.12. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Indoor Plants indoor-plants allows PHP Local File Inclusion.This issue affects Indoor Plants: from n/a through <= 1.2.7. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Snow Mountain snowmountain allows PHP Local File Inclusion.This issue affects Snow Mountain: from n/a through <= 1.4.3. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pets Land petsland allows PHP Local File Inclusion.This issue affects Pets Land: from n/a through <= 1.2.8. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Weedles weedles allows PHP Local File Inclusion.This issue affects Weedles: from n/a through <= 1.1.12. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MoveMe moveme allows PHP Local File Inclusion.This issue affects MoveMe: from n/a through <= 1.2.15. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes uReach ureach allows PHP Local File Inclusion.This issue affects uReach: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion.This issue affects DiveIt: from n/a through <= 1.4.3. [CVSS 8.1 HIGH]
Arbitrary file upload in AI Engine WordPress plugin versions up to 3.3.2 allows authenticated Editor-level users to bypass file type validation and execute remote code by uploading files through the `update_media_metadata` REST endpoint. An attacker can upload a benign image file and then rename it to PHP, placing executable code in the web-accessible uploads directory. The vulnerability affects WordPress installations with the plugin installed and requires Editor or higher privileges to exploit.
The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. [CVSS 6.4 MEDIUM]
The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_simple_folio_item_client_name' and '_simple_folio_item_link' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Interactions - Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config....
The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) [CVSS 5.3 MEDIUM]
Unauthenticated remote attackers can inject arbitrary OS commands through the MAC filter configuration parameter in D-Link DIR-615 firmware version 4.10 and potentially earlier versions. Public exploit code exists for this vulnerability, and affected devices are no longer receiving security updates from D-Link. Successful exploitation grants complete system compromise with high impact to confidentiality, integrity, and availability.
Command injection in D-Link DIR-615 firmware via the /set_temp_nodes.php URL Filter component allows unauthenticated remote attackers to execute arbitrary OS commands. Public exploit code exists for this vulnerability, which affects legacy unsupported devices with a 7.2 CVSS score and no available patch.
Mobile Shop Management System has code injection in ExAddNewUser.php.
Mobile Shop Management System has SQL injection in ExLogin.php.
Mobile Shop Management System has SQL injection in insertmessage.php.
Computer Book Store v1.0 has file upload in admin_add.php.
Mobile Shop Management System has file upload enabling web shell deployment.
Gila CMS before 2.0.0 has an RFI vulnerability enabling unauthenticated RCE.
Victor Cms versions up to 1.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Link Invoice Payment for WooCommerce (WordPress plugin) versions up to 2.8.0. is affected by missing authorization (CVSS 5.3).
HUSTOJ online judge has a path traversal vulnerability enabling arbitrary file access on the competition server.
Remote code execution in D-Link DIR-615 firmware through os command injection via the ipaddr parameter in the Web Management Interface allows unauthenticated remote attackers to execute arbitrary commands. The vulnerability affects unsupported firmware versions up to 4.10, and public exploit code is available. No patch has been released by the vendor.
Unrestricted file upload in iJason-Liu Books_Manager allows authenticated attackers with high privileges to upload arbitrary files via the book_cover parameter in the upload_bookCover.php controller. Public exploit code exists for this vulnerability, increasing the risk of exploitation. A patch is not currently available for this rolling-release product.
A vulnerability has been found in iJason-Liu Books_Manager versions up to 298 is affected by cross-site scripting (xss) (CVSS 2.4).
SQL injection in Online Music Site 1.0's AdminDeleteUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can leverage this to compromise data confidentiality, integrity, and availability.
Unrestricted file upload in code-projects Online Examination System 1.0 via the /admin_pic.php endpoint allows authenticated remote attackers to upload arbitrary files with minimal complexity. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable code execution or system compromise depending on server configuration and file handling.
SQL injection in the login page of code-projects Online Examination System 1.0 allows unauthenticated remote attackers to manipulate the User parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and affects confidentiality, integrity, and availability of the affected system.
The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. [CVSS 6.8 MEDIUM]
The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin [CVSS 7.1 HIGH]
All-in-One Dynamic Content Framework versions up to 1.1.27 is affected by information exposure (CVSS 4.3).
WP Directory Kit (WordPress plugin) versions up to 1.4.9 is affected by information exposure (CVSS 5.3).
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. [CVSS 4.3 MEDIUM]
Moderate Selected Posts (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. [CVSS 4.3 MEDIUM]
The Administrative Shortcodes plugin for WordPress through version 0.3.4 allows authenticated contributors and above to execute arbitrary PHP code via insufficient path validation in the get_template shortcode's slug parameter. An attacker with contributor-level permissions can exploit this local file inclusion vulnerability to include malicious files, bypass access controls, and achieve remote code execution on the affected server. A patch is not currently available for this vulnerability.
The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alpha_block_css’ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
WP Youtube Video Gallery (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Simple Crypto Shortcodes (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Wizit Gateway for WooCommerce (WordPress plugin) versions up to 1.2.9. is affected by missing authorization (CVSS 5.3).
The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. [CVSS 5.4 MEDIUM]
The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. [CVSS 5.3 MEDIUM]
The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. [CVSS 6.1 MEDIUM]
Arbitrary file upload in Kalrav AI Agent WordPress plugin due to missing file type validation in the kalrav_upload_file AJAX action.
Authenticated users in phpMyFAQ 4.0.16 and below can bypass permission checks to download FAQ attachments they should not have access to, due to improper validation of authorization tokens in attachment.php and flawed permission logic. An attacker with valid credentials but without the dlattachment permission can exploit this to retrieve sensitive attachment content. Public exploit code exists for this vulnerability, and no patch is currently available.
phpMyFAQ versions 4.0.16 and below allow authenticated users to access the backup API endpoint without proper authorization checks, enabling them to download configuration files containing sensitive data. The vulnerability stems from incomplete authorization validation in SetupController.php, which only verifies authentication rather than admin permissions. Public exploit code exists for this issue, and no patch is currently available.
Sourcecodester Modern Image Gallery App v1.0 has an arbitrary file upload in the gallery endpoint allowing unauthenticated remote code execution.
A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. [CVSS 5.3 MEDIUM]
A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. [CVSS 5.3 MEDIUM]
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. [CVSS 6.5 MEDIUM]
PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server. [CVSS 8.8 HIGH]
address parameter of the change_params.php script. Attackers can inject malicious JavaScript payloads is affected by cross-site scripting (xss) (CVSS 7.2).
Textpattern versions up to 4.8.3 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
DevsBlink EduBlink Core through version 2.0.7 contains a local file inclusion vulnerability in its PHP file handling that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters to bypass proper input validation and access sensitive system files. No patch is currently available for this vulnerability.
The Laurent theme for PHP versions 3.1 and earlier contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files on the affected system. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive data outside the intended application directory. No patch is currently available for this vulnerability.
Laurent Core plugin for PHP through version 2.4.1 contains a local file inclusion vulnerability in its filename handling for include/require statements, allowing authenticated attackers to read arbitrary files from the affected system. With a CVSS score of 7.5, this vulnerability enables confidentiality and integrity compromise, though exploitation requires valid credentials and no patch is currently available.
Omnipress through version 1.6.6 contains a local file inclusion vulnerability in its PHP program that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive files outside the intended directory. This vulnerability requires user interaction but poses significant risk to confidentiality with no available patch at this time.
A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) allowing unauthenticated remote code execution through crafted include paths.
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. [CVSS 4.3 MEDIUM]
Melapress Role Editor (WordPress plugin) versions up to 1.1.1. is affected by incorrect authorization (CVSS 8.8).
The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. [CVSS 6.4 MEDIUM]
Unauthenticated Server-Side Request Forgery (SSRF) in FOG 1.5.10.1754 and earlier allows remote attackers to read internal files and access local services by manipulating the url parameter in getversion.php when newService=1 is present. The vulnerability requires no authentication or user interaction and affects the confidentiality of sensitive data accessible from the affected system. No patch is currently available.
An issue with WordPress directory names in WebPros WordPress Toolkit versions up to 6.9.1 is affected by path traversal (CVSS 8.8).
QantumThemes Kentha Elementor Widgets kentha-elementor is affected by php remote file inclusion (CVSS 7.5).
A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) allowing unauthenticated attackers to include and execute arbitrary remote PHP files.
A WordPress plugin has a PHP Remote File Inclusion vulnerability enabling unauthenticated remote code execution through crafted include paths.
wphocus My auctions allegro my-auctions-allegro-free-edition is affected by php remote file inclusion (CVSS 7.5).
Pavothemes Triply versions 2.4.7 and earlier contain a local file inclusion vulnerability in PHP that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters to bypass access controls and potentially execute code or expose sensitive data. No patch is currently available for this vulnerability.
Pavothemes Freshio versions 2.4.2 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated remote attackers to read sensitive files on affected systems. The vulnerability stems from improper validation of file paths in include/require statements, enabling disclosure of confidential information such as configuration files and source code. This vulnerability currently lacks a published patch and has a low exploitation prevalence rate.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Werkstatt werkstatt allows PHP Local File Inclusion.This issue affects Werkstatt: from n/a through < 4.8.3. [CVSS 8.1 HIGH]
Incorrect Privilege Assignment vulnerability in e-plugins WP Membership wp-membership allows Privilege Escalation.This issue affects WP Membership: from n/a through <= 1.6.4. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Membership: from n/a through <= 1.6.4. [CVSS 7.3 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boopathi Rajan WP Test Email wp-test-email allows Reflected XSS.This issue affects WP Test Email: from n/a through <= 1.1.7. [CVSS 7.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North north-wp allows PHP Local File Inclusion.This issue affects North: from n/a through <= 5.7.5. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Malta malta allows PHP Local File Inclusion.This issue affects Malta: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hobo hobo allows PHP Local File Inclusion.This issue affects Hobo: from n/a through <= 1.0.10. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Modern Housewife modernhousewife allows PHP Local File Inclusion.This issue affects Modern Housewife: from n/a through <= 1.0.12. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Yolox yolox allows PHP Local File Inclusion.This issue affects Yolox: from n/a through <= 1.0.15. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pearson Specter pearsonspecter allows PHP Local File Inclusion.This issue affects Pearson Specter: from n/a through <= 1.11.3. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Piqes piqes allows PHP Local File Inclusion.This issue affects Piqes: from n/a through <= 1.0.11. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Prider prider allows PHP Local File Inclusion.This issue affects Prider: from n/a through <= 1.1.3.1. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes TanTum tantum allows PHP Local File Inclusion.This issue affects TanTum: from n/a through <= 1.1.13. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tornados tornados allows PHP Local File Inclusion.This issue affects Tornados: from n/a through <= 2.1. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion.This issue affects Muji: from n/a through <= 1.2.0. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tails tails allows PHP Local File Inclusion.This issue affects Tails: from n/a through <= 1.4.12. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Indoor Plants indoor-plants allows PHP Local File Inclusion.This issue affects Indoor Plants: from n/a through <= 1.2.7. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Snow Mountain snowmountain allows PHP Local File Inclusion.This issue affects Snow Mountain: from n/a through <= 1.4.3. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pets Land petsland allows PHP Local File Inclusion.This issue affects Pets Land: from n/a through <= 1.2.8. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Weedles weedles allows PHP Local File Inclusion.This issue affects Weedles: from n/a through <= 1.1.12. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MoveMe moveme allows PHP Local File Inclusion.This issue affects MoveMe: from n/a through <= 1.2.15. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes uReach ureach allows PHP Local File Inclusion.This issue affects uReach: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion.This issue affects DiveIt: from n/a through <= 1.4.3. [CVSS 8.1 HIGH]