Skip to main content

PHP

24741 CVEs product

Monthly

CVE-2026-1400 HIGH This Week

Arbitrary file upload in AI Engine WordPress plugin versions up to 3.3.2 allows authenticated Editor-level users to bypass file type validation and execute remote code by uploading files through the `update_media_metadata` REST endpoint. An attacker can upload a benign image file and then rename it to PHP, placing executable code in the web-accessible uploads directory. The vulnerability affects WordPress installations with the plugin installed and requires Editor or higher privileges to exploit.

WordPress PHP RCE AI / ML
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-9082 MEDIUM This Month

The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14039 MEDIUM This Month

The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_simple_folio_item_client_name' and '_simple_folio_item_link' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12709 MEDIUM This Month

The Interactions - Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-8072 MEDIUM This Month

The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14610 HIGH This Week

The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config....

WordPress PHP SSRF
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-13471 MEDIUM This Month

The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) [CVSS 5.3 MEDIUM]

WordPress PHP
NVD WPScan
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1506 HIGH POC This Week

Unauthenticated remote attackers can inject arbitrary OS commands through the MAC filter configuration parameter in D-Link DIR-615 firmware version 4.10 and potentially earlier versions. Public exploit code exists for this vulnerability, and affected devices are no longer receiving security updates from D-Link. Successful exploitation grants complete system compromise with high impact to confidentiality, integrity, and availability.

D-Link PHP Command Injection Dir 615 Firmware
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1505 HIGH POC This Week

Command injection in D-Link DIR-615 firmware via the /set_temp_nodes.php URL Filter component allows unauthenticated remote attackers to execute arbitrary OS commands. Public exploit code exists for this vulnerability, which affects legacy unsupported devices with a 7.2 CVSS score and no available patch.

D-Link PHP Command Injection Dir 615 Firmware
NVD VulDB
CVSS 3.1
7.2
EPSS
0.7%
CVE-2025-69564 CRITICAL POC Act Now

Mobile Shop Management System has code injection in ExAddNewUser.php.

PHP SQLi Mobile Shop Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-69563 CRITICAL POC Act Now

Mobile Shop Management System has SQL injection in ExLogin.php.

PHP SQLi Mobile Shop Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-69562 CRITICAL POC Act Now

Mobile Shop Management System has SQL injection in insertmessage.php.

PHP SQLi Mobile Shop Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-69559 CRITICAL POC Act Now

Computer Book Store v1.0 has file upload in admin_add.php.

PHP Computer Book Store
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69565 CRITICAL POC Act Now

Mobile Shop Management System has file upload enabling web shell deployment.

PHP Mobile Shop Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2021-47900 CRITICAL POC Act Now

Gila CMS before 2.0.0 has an RFI vulnerability enabling unauthenticated RCE.

PHP RCE
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2020-36942 HIGH POC This Week

Victor Cms versions up to 1.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

PHP Victor Cms
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-14971 MEDIUM This Month

Link Invoice Payment for WooCommerce (WordPress plugin) versions up to 2.8.0. is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24479 CRITICAL POC PATCH Act Now

HUSTOJ online judge has a path traversal vulnerability enabling arbitrary file access on the competition server.

Linux PHP MySQL RCE Path Traversal +1
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-1448 HIGH POC This Week

Remote code execution in D-Link DIR-615 firmware through os command injection via the ipaddr parameter in the Web Management Interface allows unauthenticated remote attackers to execute arbitrary commands. The vulnerability affects unsupported firmware versions up to 4.10, and public exploit code is available. No patch has been released by the vendor.

D-Link PHP Command Injection Dir 615 Firmware
NVD VulDB
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-1445 LOW Monitor

Unrestricted file upload in iJason-Liu Books_Manager allows authenticated attackers with high privileges to upload arbitrary files via the book_cover parameter in the upload_bookCover.php controller. Public exploit code exists for this vulnerability, increasing the risk of exploitation. A patch is not currently available for this rolling-release product.

PHP Authentication Bypass File Upload
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-1444 LOW Monitor

A vulnerability has been found in iJason-Liu Books_Manager versions up to 298 is affected by cross-site scripting (xss) (CVSS 2.4).

PHP XSS
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-1443 MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminDeleteUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can leverage this to compromise data confidentiality, integrity, and availability.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1423 LOW POC Monitor

Unrestricted file upload in code-projects Online Examination System 1.0 via the /admin_pic.php endpoint allows authenticated remote attackers to upload arbitrary files with minimal complexity. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable code execution or system compromise depending on server configuration and file handling.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1422 MEDIUM POC This Month

SQL injection in the login page of code-projects Online Examination System 1.0 allows unauthenticated remote attackers to manipulate the User parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and affects confidentiality, integrity, and availability of the affected system.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14973 MEDIUM This Month

The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. [CVSS 6.8 MEDIUM]

WordPress SQLi PHP
NVD WPScan
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-14316 HIGH This Week

The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD WPScan
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-6461 MEDIUM This Month

All-in-One Dynamic Content Framework versions up to 1.1.27 is affected by information exposure (CVSS 4.3).

WordPress PHP Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13920 MEDIUM POC This Month

WP Directory Kit (WordPress plugin) versions up to 1.4.9 is affected by information exposure (CVSS 5.3).

WordPress Information Disclosure PHP
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-15516 MEDIUM This Month

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14907 MEDIUM This Month

Moderate Selected Posts (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14630 MEDIUM This Month

The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1257 HIGH This Week

The Administrative Shortcodes plugin for WordPress through version 0.3.4 allows authenticated contributors and above to execute arbitrary PHP code via insufficient path validation in the get_template shortcode's slug parameter. An attacker with contributor-level permissions can exploit this local file inclusion vulnerability to include malicious files, bypass access controls, and achieve remote code execution on the affected server. A patch is not currently available for this vulnerability.

WordPress PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-14985 MEDIUM This Month

The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alpha_block_css’ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14906 MEDIUM This Month

WP Youtube Video Gallery (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14903 MEDIUM This Month

Simple Crypto Shortcodes (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14843 MEDIUM This Month

Wizit Gateway for WooCommerce (WordPress plugin) versions up to 1.2.9. is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14797 MEDIUM This Month

The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. [CVSS 5.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14629 MEDIUM This Month

The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13676 MEDIUM This Month

The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-13374 CRITICAL Act Now

Arbitrary file upload in Kalrav AI Agent WordPress plugin due to missing file type validation in the kalrav_upload_file AJAX action.

WordPress RCE AI / ML PHP
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-24420 PHP MEDIUM POC PATCH This Month

Authenticated users in phpMyFAQ 4.0.16 and below can bypass permission checks to download FAQ attachments they should not have access to, due to improper validation of authorization tokens in attachment.php and flawed permission logic. An attacker with valid credentials but without the dlattachment permission can exploit this to retrieve sensitive attachment content. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP Phpmyfaq
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24421 PHP MEDIUM POC PATCH This Month

phpMyFAQ versions 4.0.16 and below allow authenticated users to access the backup API endpoint without proper authorization checks, enabling them to download configuration files containing sensitive data. The vulnerability stems from incomplete authorization validation in SetupController.php, which only verifies authentication rather than admin permissions. Public exploit code exists for this issue, and no patch is currently available.

PHP Phpmyfaq
NVD GitHub Exploit-DB VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-70457 CRITICAL POC Act Now

Sourcecodester Modern Image Gallery App v1.0 has an arbitrary file upload in the gallery endpoint allowing unauthenticated remote code execution.

PHP RCE Modern Image Gallery App
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-52023 MEDIUM This Month

A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. [CVSS 5.3 MEDIUM]

PHP Information Disclosure Gemscms Backend
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-52022 MEDIUM This Month

A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. [CVSS 5.3 MEDIUM]

PHP Information Disclosure Gemscms Backend
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14947 MEDIUM This Month

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2021-47904 HIGH POC This Week

PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server. [CVSS 8.8 HIGH]

PHP RCE
NVD GitHub Exploit-DB VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2021-47897 HIGH POC This Week

address parameter of the change_params.php script. Attackers can inject malicious JavaScript payloads is affected by cross-site scripting (xss) (CVSS 7.2).

PHP XSS
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2021-47888 HIGH POC This Week

Textpattern versions up to 4.8.3 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

PHP RCE
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-24635 HIGH This Week

DevsBlink EduBlink Core through version 2.0.7 contains a local file inclusion vulnerability in its PHP file handling that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters to bypass proper input validation and access sensitive system files. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-24609 HIGH This Week

The Laurent theme for PHP versions 3.1 and earlier contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files on the affected system. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive data outside the intended application directory. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-24608 HIGH This Week

Laurent Core plugin for PHP through version 2.4.1 contains a local file inclusion vulnerability in its filename handling for include/require statements, allowing authenticated attackers to read arbitrary files from the affected system. With a CVSS score of 7.5, this vulnerability enables confidentiality and integrity compromise, though exploitation requires valid credentials and no patch is currently available.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-24538 HIGH This Week

Omnipress through version 1.6.6 contains a local file inclusion vulnerability in its PHP program that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive files outside the intended directory. This vulnerability requires user interaction but poses significant risk to confidentiality with no available patch at this time.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-24531 HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) allowing unauthenticated remote code execution through crafted include paths.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-13921 MEDIUM This Month

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. [CVSS 4.3 MEDIUM]

WordPress AI / ML PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14866 HIGH This Week

Melapress Role Editor (WordPress plugin) versions up to 1.1.1. is affected by incorrect authorization (CVSS 8.8).

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-14745 MEDIUM This Month

The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14069 MEDIUM This Month

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-15522 MEDIUM This Month

The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-24138 HIGH This Week

Unauthenticated Server-Side Request Forgery (SSRF) in FOG 1.5.10.1754 and earlier allows remote attackers to read internal files and access local services by manipulating the url parameter in getversion.php when newService=1 is present. The vulnerability requires no authentication or user interaction and affects the confidentiality of sensitive data accessible from the affected system. No patch is currently available.

PHP SSRF
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-66428 HIGH This Week

An issue with WordPress directory names in WebPros WordPress Toolkit versions up to 6.9.1 is affected by path traversal (CVSS 8.8).

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-24390 HIGH This Week

QantumThemes Kentha Elementor Widgets kentha-elementor is affected by php remote file inclusion (CVSS 7.5).

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23978 HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) allowing unauthenticated attackers to include and execute arbitrary remote PHP files.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-23975 HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability enabling unauthenticated remote code execution through crafted include paths.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-22464 HIGH This Week

wphocus My auctions allegro my-auctions-allegro-free-edition is affected by php remote file inclusion (CVSS 7.5).

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22402 HIGH This Week

Pavothemes Triply versions 2.4.7 and earlier contain a local file inclusion vulnerability in PHP that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters to bypass access controls and potentially execute code or expose sensitive data. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22401 HIGH This Week

Pavothemes Freshio versions 2.4.2 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated remote attackers to read sensitive files on affected systems. The vulnerability stems from improper validation of file paths in include/require statements, enabling disclosure of confidential information such as configuration files and source code. This vulnerability currently lacks a published patch and has a low exploitation prevalence rate.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69314 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Werkstatt werkstatt allows PHP Local File Inclusion.This issue affects Werkstatt: from n/a through < 4.8.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69292 HIGH This Week

Incorrect Privilege Assignment vulnerability in e-plugins WP Membership wp-membership allows Privilege Escalation.This issue affects WP Membership: from n/a through <= 1.6.4. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-69193 HIGH This Week

Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Membership: from n/a through <= 1.6.4. [CVSS 7.3 HIGH]

WordPress PHP
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-69102 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boopathi Rajan WP Test Email wp-test-email allows Reflected XSS.This issue affects WP Test Email: from n/a through <= 1.1.7. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69100 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North north-wp allows PHP Local File Inclusion.This issue affects North: from n/a through <= 5.7.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69078 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Malta malta allows PHP Local File Inclusion.This issue affects Malta: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69077 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hobo hobo allows PHP Local File Inclusion.This issue affects Hobo: from n/a through <= 1.0.10. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69076 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Modern Housewife modernhousewife allows PHP Local File Inclusion.This issue affects Modern Housewife: from n/a through <= 1.0.12. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69075 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Yolox yolox allows PHP Local File Inclusion.This issue affects Yolox: from n/a through <= 1.0.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69074 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pearson Specter pearsonspecter allows PHP Local File Inclusion.This issue affects Pearson Specter: from n/a through <= 1.11.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69073 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Piqes piqes allows PHP Local File Inclusion.This issue affects Piqes: from n/a through <= 1.0.11. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69072 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Prider prider allows PHP Local File Inclusion.This issue affects Prider: from n/a through <= 1.1.3.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69071 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes TanTum tantum allows PHP Local File Inclusion.This issue affects TanTum: from n/a through <= 1.1.13. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69070 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tornados tornados allows PHP Local File Inclusion.This issue affects Tornados: from n/a through <= 2.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69068 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion.This issue affects Muji: from n/a through <= 1.2.0. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69067 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tails tails allows PHP Local File Inclusion.This issue affects Tails: from n/a through <= 1.4.12. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69066 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Indoor Plants indoor-plants allows PHP Local File Inclusion.This issue affects Indoor Plants: from n/a through <= 1.2.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69065 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Snow Mountain snowmountain allows PHP Local File Inclusion.This issue affects Snow Mountain: from n/a through <= 1.4.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69064 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pets Land petsland allows PHP Local File Inclusion.This issue affects Pets Land: from n/a through <= 1.2.8. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69062 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Weedles weedles allows PHP Local File Inclusion.This issue affects Weedles: from n/a through <= 1.1.12. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69061 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MoveMe moveme allows PHP Local File Inclusion.This issue affects MoveMe: from n/a through <= 1.2.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69060 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes uReach ureach allows PHP Local File Inclusion.This issue affects uReach: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69059 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion.This issue affects DiveIt: from n/a through <= 1.4.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary file upload in AI Engine WordPress plugin versions up to 3.3.2 allows authenticated Editor-level users to bypass file type validation and execute remote code by uploading files through the `update_media_metadata` REST endpoint. An attacker can upload a benign image file and then rename it to PHP, placing executable code in the web-accessible uploads directory. The vulnerability affects WordPress installations with the plugin installed and requires Editor or higher privileges to exploit.

WordPress PHP RCE +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_simple_folio_item_client_name' and '_simple_folio_item_link' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Interactions - Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config....

WordPress PHP SSRF
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) [CVSS 5.3 MEDIUM]

WordPress PHP
NVD WPScan
EPSS 0% CVSS 7.2
HIGH POC This Week

Unauthenticated remote attackers can inject arbitrary OS commands through the MAC filter configuration parameter in D-Link DIR-615 firmware version 4.10 and potentially earlier versions. Public exploit code exists for this vulnerability, and affected devices are no longer receiving security updates from D-Link. Successful exploitation grants complete system compromise with high impact to confidentiality, integrity, and availability.

D-Link PHP Command Injection +1
NVD VulDB
EPSS 1% CVSS 7.2
HIGH POC This Week

Command injection in D-Link DIR-615 firmware via the /set_temp_nodes.php URL Filter component allows unauthenticated remote attackers to execute arbitrary OS commands. Public exploit code exists for this vulnerability, which affects legacy unsupported devices with a 7.2 CVSS score and no available patch.

D-Link PHP Command Injection +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Mobile Shop Management System has code injection in ExAddNewUser.php.

PHP SQLi Mobile Shop Management System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Mobile Shop Management System has SQL injection in ExLogin.php.

PHP SQLi Mobile Shop Management System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Mobile Shop Management System has SQL injection in insertmessage.php.

PHP SQLi Mobile Shop Management System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Computer Book Store v1.0 has file upload in admin_add.php.

PHP Computer Book Store
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Mobile Shop Management System has file upload enabling web shell deployment.

PHP Mobile Shop Management System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Gila CMS before 2.0.0 has an RFI vulnerability enabling unauthenticated RCE.

PHP RCE
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Victor Cms versions up to 1.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

PHP Victor Cms
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM This Month

Link Invoice Payment for WooCommerce (WordPress plugin) versions up to 2.8.0. is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

HUSTOJ online judge has a path traversal vulnerability enabling arbitrary file access on the competition server.

Linux PHP MySQL +3
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 7.2
HIGH POC This Week

Remote code execution in D-Link DIR-615 firmware through os command injection via the ipaddr parameter in the Web Management Interface allows unauthenticated remote attackers to execute arbitrary commands. The vulnerability affects unsupported firmware versions up to 4.10, and public exploit code is available. No patch has been released by the vendor.

D-Link PHP Command Injection +1
NVD VulDB
EPSS 0% CVSS 2.0
LOW Monitor

Unrestricted file upload in iJason-Liu Books_Manager allows authenticated attackers with high privileges to upload arbitrary files via the book_cover parameter in the upload_bookCover.php controller. Public exploit code exists for this vulnerability, increasing the risk of exploitation. A patch is not currently available for this rolling-release product.

PHP Authentication Bypass File Upload
NVD VulDB
EPSS 0% CVSS 1.9
LOW Monitor

A vulnerability has been found in iJason-Liu Books_Manager versions up to 298 is affected by cross-site scripting (xss) (CVSS 2.4).

PHP XSS
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminDeleteUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can leverage this to compromise data confidentiality, integrity, and availability.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Unrestricted file upload in code-projects Online Examination System 1.0 via the /admin_pic.php endpoint allows authenticated remote attackers to upload arbitrary files with minimal complexity. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable code execution or system compromise depending on server configuration and file handling.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the login page of code-projects Online Examination System 1.0 allows unauthenticated remote attackers to manipulate the User parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and affects confidentiality, integrity, and availability of the affected system.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. [CVSS 6.8 MEDIUM]

WordPress SQLi PHP
NVD WPScan
EPSS 0% CVSS 7.1
HIGH This Week

The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM This Month

All-in-One Dynamic Content Framework versions up to 1.1.27 is affected by information exposure (CVSS 4.3).

WordPress PHP Information Disclosure
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

WP Directory Kit (WordPress plugin) versions up to 1.4.9 is affected by information exposure (CVSS 5.3).

WordPress Information Disclosure PHP
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Moderate Selected Posts (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Administrative Shortcodes plugin for WordPress through version 0.3.4 allows authenticated contributors and above to execute arbitrary PHP code via insufficient path validation in the get_template shortcode's slug parameter. An attacker with contributor-level permissions can exploit this local file inclusion vulnerability to include malicious files, bypass access controls, and achieve remote code execution on the affected server. A patch is not currently available for this vulnerability.

WordPress PHP LFI
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alpha_block_css’ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

WP Youtube Video Gallery (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Simple Crypto Shortcodes (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Wizit Gateway for WooCommerce (WordPress plugin) versions up to 1.2.9. is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. [CVSS 5.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Arbitrary file upload in Kalrav AI Agent WordPress plugin due to missing file type validation in the kalrav_upload_file AJAX action.

WordPress RCE AI / ML +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Authenticated users in phpMyFAQ 4.0.16 and below can bypass permission checks to download FAQ attachments they should not have access to, due to improper validation of authorization tokens in attachment.php and flawed permission logic. An attacker with valid credentials but without the dlattachment permission can exploit this to retrieve sensitive attachment content. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP Phpmyfaq
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

phpMyFAQ versions 4.0.16 and below allow authenticated users to access the backup API endpoint without proper authorization checks, enabling them to download configuration files containing sensitive data. The vulnerability stems from incomplete authorization validation in SetupController.php, which only verifies authentication rather than admin permissions. Public exploit code exists for this issue, and no patch is currently available.

PHP Phpmyfaq
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Sourcecodester Modern Image Gallery App v1.0 has an arbitrary file upload in the gallery endpoint allowing unauthenticated remote code execution.

PHP RCE Modern Image Gallery App
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. [CVSS 5.3 MEDIUM]

PHP Information Disclosure Gemscms Backend
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. [CVSS 5.3 MEDIUM]

PHP Information Disclosure Gemscms Backend
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server. [CVSS 8.8 HIGH]

PHP RCE
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 7.2
HIGH POC This Week

address parameter of the change_params.php script. Attackers can inject malicious JavaScript payloads is affected by cross-site scripting (xss) (CVSS 7.2).

PHP XSS
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Textpattern versions up to 4.8.3 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

PHP RCE
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH This Week

DevsBlink EduBlink Core through version 2.0.7 contains a local file inclusion vulnerability in its PHP file handling that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters to bypass proper input validation and access sensitive system files. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Laurent theme for PHP versions 3.1 and earlier contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files on the affected system. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive data outside the intended application directory. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Laurent Core plugin for PHP through version 2.4.1 contains a local file inclusion vulnerability in its filename handling for include/require statements, allowing authenticated attackers to read arbitrary files from the affected system. With a CVSS score of 7.5, this vulnerability enables confidentiality and integrity compromise, though exploitation requires valid credentials and no patch is currently available.

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Omnipress through version 1.6.6 contains a local file inclusion vulnerability in its PHP program that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive files outside the intended directory. This vulnerability requires user interaction but poses significant risk to confidentiality with no available patch at this time.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) allowing unauthenticated remote code execution through crafted include paths.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. [CVSS 4.3 MEDIUM]

WordPress AI / ML PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Melapress Role Editor (WordPress plugin) versions up to 1.1.1. is affected by incorrect authorization (CVSS 8.8).

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated Server-Side Request Forgery (SSRF) in FOG 1.5.10.1754 and earlier allows remote attackers to read internal files and access local services by manipulating the url parameter in getversion.php when newService=1 is present. The vulnerability requires no authentication or user interaction and affects the confidentiality of sensitive data accessible from the affected system. No patch is currently available.

PHP SSRF
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

An issue with WordPress directory names in WebPros WordPress Toolkit versions up to 6.9.1 is affected by path traversal (CVSS 8.8).

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

QantumThemes Kentha Elementor Widgets kentha-elementor is affected by php remote file inclusion (CVSS 7.5).

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) allowing unauthenticated attackers to include and execute arbitrary remote PHP files.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability enabling unauthenticated remote code execution through crafted include paths.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

wphocus My auctions allegro my-auctions-allegro-free-edition is affected by php remote file inclusion (CVSS 7.5).

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Pavothemes Triply versions 2.4.7 and earlier contain a local file inclusion vulnerability in PHP that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters to bypass access controls and potentially execute code or expose sensitive data. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Pavothemes Freshio versions 2.4.2 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated remote attackers to read sensitive files on affected systems. The vulnerability stems from improper validation of file paths in include/require statements, enabling disclosure of confidential information such as configuration files and source code. This vulnerability currently lacks a published patch and has a low exploitation prevalence rate.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Werkstatt werkstatt allows PHP Local File Inclusion.This issue affects Werkstatt: from n/a through < 4.8.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Incorrect Privilege Assignment vulnerability in e-plugins WP Membership wp-membership allows Privilege Escalation.This issue affects WP Membership: from n/a through <= 1.6.4. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Membership: from n/a through <= 1.6.4. [CVSS 7.3 HIGH]

WordPress PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boopathi Rajan WP Test Email wp-test-email allows Reflected XSS.This issue affects WP Test Email: from n/a through <= 1.1.7. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North north-wp allows PHP Local File Inclusion.This issue affects North: from n/a through <= 5.7.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Malta malta allows PHP Local File Inclusion.This issue affects Malta: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hobo hobo allows PHP Local File Inclusion.This issue affects Hobo: from n/a through <= 1.0.10. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Modern Housewife modernhousewife allows PHP Local File Inclusion.This issue affects Modern Housewife: from n/a through <= 1.0.12. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Yolox yolox allows PHP Local File Inclusion.This issue affects Yolox: from n/a through <= 1.0.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pearson Specter pearsonspecter allows PHP Local File Inclusion.This issue affects Pearson Specter: from n/a through <= 1.11.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Piqes piqes allows PHP Local File Inclusion.This issue affects Piqes: from n/a through <= 1.0.11. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Prider prider allows PHP Local File Inclusion.This issue affects Prider: from n/a through <= 1.1.3.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes TanTum tantum allows PHP Local File Inclusion.This issue affects TanTum: from n/a through <= 1.1.13. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tornados tornados allows PHP Local File Inclusion.This issue affects Tornados: from n/a through <= 2.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion.This issue affects Muji: from n/a through <= 1.2.0. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tails tails allows PHP Local File Inclusion.This issue affects Tails: from n/a through <= 1.4.12. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Indoor Plants indoor-plants allows PHP Local File Inclusion.This issue affects Indoor Plants: from n/a through <= 1.2.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Snow Mountain snowmountain allows PHP Local File Inclusion.This issue affects Snow Mountain: from n/a through <= 1.4.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pets Land petsland allows PHP Local File Inclusion.This issue affects Pets Land: from n/a through <= 1.2.8. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Weedles weedles allows PHP Local File Inclusion.This issue affects Weedles: from n/a through <= 1.1.12. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MoveMe moveme allows PHP Local File Inclusion.This issue affects MoveMe: from n/a through <= 1.2.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes uReach ureach allows PHP Local File Inclusion.This issue affects uReach: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion.This issue affects DiveIt: from n/a through <= 1.4.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
Prev Page 40 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy